Easy SSL for hosting companies
A major change is coming after the announcemant by Google of a modification of its algorithm aiming to favour web sites secured via SSL (HTTPS).
Whis this upgrade, Google clearly states that security over the internet is one of its priority and that it has been placed at the heart of its strategy.
Hosting companies will be among the first ones impacted and will have to be able to offer a SSL option especially to their mutualized hosting packages.
SEO is one of web sites editors' main concern. Therefore they will tend to select hosting companies offering simple SSL solutions.
TBS INTERNET now proposes to hosting companies its TBS X509 Multi Site in Hosting version 40 and 100 SANs especially designed to meet their particular needs. A simplified procedure has been created to ensure minimum constraint!
Nota: TBS X509 Multi Site version Hosting 40 or 100 SANs can be installed on 2 machines.
Get the list of FQDNs to certify
First of all, you need to know how many web sites you'll have to secure. To get a complete list of active FQDNs of a server, enter the following command line (for Linux, Apache, Debian / Ubuntu servers):
egrep -hi '^[ \t]*server(name|alias)' /etc/apache2/sites-enabled/* |tr " \t" "\n" |sort -f |egrep -vi '(ServerAlias|ServerName)' |egrep -v '^.+[\?\*]' |grep -v '^$' | uniq | sort
Filter FQDNs
Now that you have the list of sites of your server, you can filter them and make sure they point to your server IP with the command:
for item in $(cat list-of-sites ); do echo -n "$item " ; dig +short $item A | tail -1 ; echo ; done |grep SRV-IP
The main name of your certificate (CN) will have to be choosen among the results and will have to be owned by the certificate holder: the hosting company. The main domain is going to be audited and we'll only ask documents to the holder. The other domains being validated by the DCV challenge.
The other FQDNs to secure will be indicated directly in the order form in the "Alternative Names" field.
Place a certificate order
Le TBS X509 Multi Site version Hosting is only available on our certificate Cet=nter. To obtain that kind of product you need to either:
Once it is done, follow the procedure described here.
Validation of DCV challenges
After completion of the audit and before the delivery you'll have to validate DCV challenges. In case of multi Sites certificates there is one DCV challenge for each FQDN. But to simplify the process, select the DCV HTTP.
How to validate all the challenges at once?
Download the text file (provided during the order) and save it in /var/www/html/:
scp 746249D5A7D846640E7AC178EBEE3DA8.txt root@xxxxxxx:/var/www/html/
Create an Apache Conf file to make this file available on every sites of the server:
echo "Alias /.well-known/pki-validation/746249D5A7D846640E7AC178EBEE3DA8.txt /var/www/html/746249D5A7D846640E7AC178EBEE3DA8.txt" >> /etc/apache2/conf.d/dcv.conf
Reload Apache:
service apache2 reload
Done! The robot will find all the files of the server.
Add, edit and suppress FQDNs
During your certificate lifetime, you may need to add, modify or suppress FQDNs from your certificate. You can do it via reissuance (free) directly from your certificate's status page. If your server allows resignature (as Apache) an ex CSR won't be necessary. You'll only have to modify the FQDNs list in the appropriate field.
Concerning the DCV challenge, you will need to download and place a new file on your server. Indeed, the DCV challenge must be unique for each certificate.
What to do in case of a CSR modification?
During a reissue or renewal, you will need to place a new .txt file, generated for the DCV validation, on your server.
You'll then have to save the new file in /var/www/html/ and to update the Apache conf file (procedure described above).