This article describes how cPanel & WHM processes SSL (Secure Sockets Layer) certificate requests, and how Apache processes SSL requests.
This information is intended for experienced systems administrators. As of cPanel & WHM version 68, only TLS (Transport Layer Security) protocol version 1.2 is supported, and only applications that use TLSv1.2 are supported. We therefore recommend that you ensure TLSv1.2 is enabled on your server. Throughout this article, the domain-indexed SSL storage used by services other than Apache is referred to as Domain TLS.
Name-based and Virtual Host Match
Most SSL-enabled services that cPanel deploys support simple name-based SSL. When a client requests the SSL certificate for a particular domain, the service performs one of the following actions.
- If a certificate for that domain exists, the service responds with the certificate that matches the requested domain.
- If no such certificate exists, the service uses its default SSL certificate.
Apache SSL Certificates
Apache does not follow the logic described above. When a client requests the SSL certificate for a particular domain, Apache performs the following actions.
- It determines which virtual host hosts the domain.
- It responds with the certificate for that virtual host.
Note that Apache cannot match a certificate directly to a domain. It serves the virtual host's certificate even if that certificate does not match the requested domain, and it serves the same certificate for every request that matches a given virtual host. Because of this limitation, Apache's domain-indexed SSL storage differs from that of the other services.
To simplify this process, cPanel & WHM exposes only a single set of API functions for installing and removing SSL certificates. When a user or an administrator installs an SSL certificate, the installation applies to a specific Apache virtual host, but it affects both Apache and the services that support name-based SSL. Once the Apache installation completes, the system copies the certificate to Domain TLS for every domain on the virtual host that matches the certificate.
A few important points apply here.
- The system only copies the certificate to Domain TLS if the certificate passes OpenSSL's validity check. This check runs daily.
- In cPanel & WHM version 66 and later, the system removes certificates from Domain TLS when they fail validation or when they will expire within one day.
Certificate removal follows the same pattern: the system removes the Domain TLS entries for every domain on the virtual host that matches the certificate.
Note that if an SSL certificate and its key do not pair correctly, Apache cannot start with SSL enabled. Run the following commands to verify that they pair correctly:
- openssl x509 -noout -text -in filename.crt
- openssl rsa -noout -text -in filename.key
In these commands, “filename” represents the certificate name.
If the modulus and exponent values that each command returns match, the certificate and key pair correctly.
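As an added example (not cPanel's own tooling), the following POSIX shell script automates the pairing check above by comparing the RSA modulus that openssl reports for the certificate and the key, and applies the same one-day expiry threshold the text gives for Domain TLS using openssl's -checkend option. It assumes the openssl CLI is on PATH and generates throwaway self-signed certificates so that it runs offline.

```shell
#!/bin/sh
# Added example, not cPanel's own code: check that a certificate and private key
# pair correctly (the condition under which Apache cannot start with SSL) and
# apply the one-day expiry threshold described for Domain TLS.
# Assumes the openssl CLI is on PATH.

# Returns 0 when the certificate's RSA modulus equals the key's modulus.
# A matching modulus is the definitive pairing test; -modulus prints it directly
# instead of requiring the -text dump to be compared by eye.
cert_key_match() {
    crt_mod=$(openssl x509 -noout -modulus -in "$1" 2>/dev/null) || return 1
    key_mod=$(openssl rsa  -noout -modulus -in "$2" 2>/dev/null) || return 1
    if [ -n "$crt_mod" ] && [ "$crt_mod" = "$key_mod" ]; then return 0; fi
    return 1
}

# Returns 0 when the certificate will still be valid in 86400 seconds, i.e. it
# would not be dropped by the "expires within a day" rule described above.
cert_valid_one_day() {
    openssl x509 -noout -checkend 86400 -in "$1" >/dev/null 2>&1
}

# Prints a one-line verdict for a certificate/key pair; returns non-zero on any failure.
check_pair() {
    if ! cert_key_match "$1" "$2"; then echo "FAIL: $1 does not pair with $2"; return 1; fi
    if ! cert_valid_one_day "$1"; then echo "FAIL: $1 expires within one day"; return 1; fi
    echo "OK: $1 pairs with $2 and is valid beyond one day"
}

# Constructed test material (throwaway self-signed certificates, so this runs offline):
# "good" is valid for a year, "short" expires in one day, "other" is an unrelated key.
make_selfsigned() {   # $1 = base path, $2 = CN, $3 = days valid
    openssl req -x509 -newkey rsa:2048 -nodes -keyout "$1.key" -out "$1.crt" \
        -days "$3" -subj "/CN=$2" >/dev/null 2>&1
}
WORK=$(mktemp -d)
make_selfsigned "$WORK/good"  example.com   365
make_selfsigned "$WORK/short" example.com   1
make_selfsigned "$WORK/other" other.example 365

check_pair "$WORK/good.crt"  "$WORK/good.key"  || true   # prints OK
check_pair "$WORK/good.crt"  "$WORK/other.key" || true   # prints FAIL: does not pair
check_pair "$WORK/short.crt" "$WORK/short.key" || true   # prints FAIL: expires within one day
```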
Service-default SSL Certificates
Non-Apache services use default SSL certificates, which administrators can manage through WHM. These services serve the default SSL certificate to a client only when no certificate in Domain TLS matches the domain that the client requested. Note that FTP is the only service that does not support name-based SSL.
In cPanel & WHM version 66 and later, when an administrator installs a service-default SSL certificate, the system compares that certificate with the contents of Domain TLS. For each domain on the default certificate, the system installs the new certificate to Domain TLS, but only if Domain TLS does not already contain an SSL certificate with higher-grade identity assurance for that domain. This ensures that the system serves the highest-grade SSL certificate available for every request to each non-Apache service.
Before concluding, we would like to mention that HTS Hosting provides free SSL certificates with all of our Windows and Linux-based Shared Hosting Plans. Apart from shared hosting, we provide various web hosting plans designed to cater to the different budgets and requirements of website owners. Our affordable, high-quality web hosting plans have earned us the reputation of being the “Best Linux Shared Hosting” and the “Best Windows Shared Hosting” service provider all over the world.