SSL Certificates and HTTPS – A Guide to Proper Installation and Configuration

An SSL certificate (SSL stands for Secure Sockets Layer) is the thing that turns your browser's padlock green. It validates that the website is real and hasn't been tampered with, and it allows the site to load over HTTPS. HTTPS, or HyperText Transfer Protocol Secure, is what creates the secure, encrypted connection between your browser and the website. This applies to apps as well, although you probably won't see an indicator of whether the traffic is secure or not.

SSL Certificate Example

Fun fact: Many years ago, I used to sit at coffee shops with a WiFi sniffing device and watch what people were browsing. I could see websites, logins, e-mails, and pretty much anything else being transmitted. SSL stops punks like me from seeing what you’re doing.

SSL is a requirement for anyone selling something (PCI compliance) or collecting personal information. There has been a huge push across the web for every website to use SSL, whether or not they are legally required to. Google has had the biggest influence by making the presence of an SSL certificate one of its search ranking factors.

Choosing an SSL Certificate

Not all SSL certificates are created equal. There are three types of certificates you can purchase, depending on your website's needs.

Domain Validation SSL: Anyone can buy this and begin using it immediately. No information on the certificate owner is validated.

Applicable for blogs like this one and personal websites. Purchase for $10/year.

Organization Validation SSL: Online validation is performed on your business. The SSL provider checks records that you have registered your business with the government. If they can’t automatically validate, you must provide official documentation.

Applicable for businesses or websites that collect information or have logins. Purchase for $40/year.

Extended Validation SSL: Validation of your business as a legal entity. The biggest feature is the placement of the business or organization name in the address bar in front of the https.

Applicable for websites taking credit cards, collecting personal information, or with a large brand. Purchase for $90/year.

Extended Validation SSL Certificate

Buying and Obtaining SSL Certificates

Linked above – Namecheap is my go-to for purchasing SSL certificates. However, it is perfectly possible to get a certificate for free. Many web hosting companies now offer a free SSL certificate. You can also get SSL through services like Let's Encrypt or Cloudflare.

So what’s the catch with the free certificates? These are shared SSL certificates, comparable to Domain Validated Certificates. The shared SSL certificates are installed on the web hosting server for all of their clients to use. If you are a business, you are probably better off getting a private certificate only you use.

Free SSL certificates have had their own impact on the marketplace, from the direct SSL vendors to third party sellers. I reached out to Evan from H4Y Technologies LLC / iWF Hosting, a smaller hosting company renowned for their superior support and reliability.

“The impact is pretty obvious and immediate to us. We sell fewer commercial SSL certificates now and we have more requests to set up the free certificates and support them. So, we are essentially working harder for less income. However, recent automation options have simplified things a bit and the bottom line is that it adds security, which is always a plus. I can’t say that as a hosting company we were getting rich selling SSL certs beforehand, so I prefer hands down to have clients who are using more encryption and are utilizing the best possible security practices. The clients who didn’t want to pay for security are now able to be secure for free!”

Despite the loss in revenue, reputable hosting companies recognize the importance of their customers' website security.

Configuring SSL Certificates

Most people are using the default setup for their SSL certificates. This is a blind assumption, and it turns out ahrefs did a pretty cool study on the top 10,000 websites which backs up my assumption. The graphic below gives you a pretty good breakdown on the study, but feel free to click the link to get super in-depth. More on fixing the SSL and HTTPS settings below.

ssl ahrefs study

Setting 301 Redirects for HTTPS / SSL

As noted by ahrefs, most websites with SSL certificates either had no redirect or were using a temporary redirect.

  • A 302 redirect means a page has temporarily moved to a new URL.
  • A 301 redirect means that the page has permanently moved to a new URL.

Once an SSL certificate has been installed, you want to permanently redirect visitors to the HTTPS versions of your pages. Depending on your server, web host, and website configuration, there are a few ways to do this.

Once you’ve completed a proper 301 redirect configuration, you’ve taken care of the low-hanging fruit for SSL issues.
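The two things this section and the server configs below are about (is the plain-HTTP response a permanent redirect to https on the same host, and does the HTTPS response send Strict-Transport-Security with a one-year max-age) can be checked from captured responses. This is an added example, not code from the original post or from ahrefs; it parses constructed sample responses offline rather than fetching anything, and the example.com hosts are placeholders.

```python
from urllib.parse import urlsplit

ONE_YEAR = 31536000  # the max-age the Nginx config below sends

def parse_response(raw: bytes):
    """Split a raw HTTP/1.1 response head into (status_code, {lower-cased name: value})."""
    head = raw.split(b"\r\n\r\n", 1)[0].decode("iso-8859-1")
    status_line, *header_lines = head.split("\r\n")
    status = int(status_line.split(" ", 2)[1])
    headers = {}
    for line in header_lines:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return status, headers

def audit_http_redirect(raw: bytes, expected_host: str) -> list:
    """Findings for the response to a plain http:// request; an empty list is a clean 301."""
    status, headers = parse_response(raw)
    if status not in (301, 302, 303, 307, 308):
        return ["no-redirect"]
    findings = []
    if status in (302, 303, 307):
        findings.append("temporary-redirect")  # what most sites in the ahrefs study sent
    target = urlsplit(headers.get("location", ""))
    if target.scheme != "https":
        findings.append("redirect-not-https")
    if target.hostname != expected_host:
        findings.append("redirect-changes-host")
    return findings

def audit_hsts(raw: bytes) -> list:
    """Findings for the HTTPS response; browsers ignore HSTS unless it arrives over HTTPS."""
    _, headers = parse_response(raw)
    value = headers.get("strict-transport-security")
    if value is None:
        return ["missing-hsts"]
    directives = {}
    for part in value.split(";"):
        name, _, arg = part.strip().partition("=")
        directives[name.lower()] = arg
    try:
        max_age = int(directives.get("max-age", ""))
    except ValueError:
        return ["hsts-bad-max-age"]
    return ["hsts-max-age-too-short"] if max_age < ONE_YEAR else []

# Constructed sample responses, not captured from any real server.
GOOD_HTTP = b"HTTP/1.1 301 Moved Permanently\r\nLocation: https://example.com/page\r\n\r\n"
BAD_HTTP = b"HTTP/1.1 302 Found\r\nLocation: http://www.example.com/page\r\n\r\n"
GOOD_TLS = b"HTTP/1.1 200 OK\r\nStrict-Transport-Security: max-age=31536000\r\n\r\n"
```

Run `audit_http_redirect` on what your site answers to `http://` and `audit_hsts` on the `https://` answer; BAD_HTTP shows the temporary, wrong-scheme, wrong-host case the ahrefs study found so often.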

Nginx 301 Redirects

Setup HTTPS on Nginx – config code courtesy of Bjørn Johansen

Redirect all HTTP traffic to HTTPS in Nginx config:

server {
        listen 80;
        listen [::]:80;

        # Permanent (301) redirect of every plain-HTTP request to its HTTPS equivalent
        return 301 https://$host$request_uri;
}

server {
        listen 443 ssl http2;
        listen [::]:443 ssl http2;

        ssl_certificate /etc/nginx/cert/bjornjohansen.no.certchain.crt;
        ssl_certificate_key /etc/nginx/cert/bjornjohansen.no.key;

        ssl_session_cache shared:SSL:20m;
        ssl_session_timeout 60m;

        ssl_prefer_server_ciphers on;

        # DH+3DES is a legacy suite; drop it unless you must support very old clients
        ssl_ciphers ECDH+AESGCM:ECDH+AES256:ECDH+AES128:DH+3DES:!ADH:!AECDH:!MD5;

        ssl_dhparam /etc/nginx/cert/dhparam.pem;

        # TLSv1 and TLSv1.1 are deprecated (RFC 8996); current deployments offer TLSv1.2 and TLSv1.3 only
        ssl_protocols TLSv1 TLSv1.1 TLSv1.2;

        ssl_stapling on;
        ssl_stapling_verify on;
        ssl_trusted_certificate /etc/nginx/cert/trustchain.crt;
        resolver 8.8.8.8 8.8.4.4;

        #add_header Strict-Transport-Security "max-age=31536000; includeSubDomains" always;
        add_header Strict-Transport-Security "max-age=31536000" always;

        # Rest of your regular config goes here:
        # […]
}

Apache 301 Redirects

Backup and load httpd.conf.

Check mod_rewrite.so module is enabled:

LoadModule rewrite_module modules/mod_rewrite.so

If you see that the above line is commented out, uncomment it.

Add the following code at the end of the file:

RewriteEngine On
RewriteCond %{HTTPS} off
# R=301 makes the redirect permanent (without it a rewrite to an absolute URL sends a 302); L stops further rules
RewriteRule ^(.*)$ https://%{HTTP_HOST}%{REQUEST_URI} [R=301,L]

Restart Apache web server and test website.

.htaccess and Shared Hosting 301 Redirects

Add the following code to your .htaccess file:

<IfModule mod_rewrite.c>
RewriteEngine On
# Only redirect plain-HTTP requests; without this condition HTTPS visitors loop back into the rule
RewriteCond %{HTTPS} off
RewriteRule ^(.*)$ https://your-domain.com/$1 [R=301,L]
</IfModule>

WordPress 301 Redirects

Instead of editing the .htaccess file using the above method, download and install the Really Simple SSL plugin.

Go to the settings page and check Enable WordPress 301 redirection to SSL.

This ensures you don’t create additional conflicts with existing redirects in your .htaccess.

Diagnosing and Fixing the Broken Padlock for SSL

ssl navigation bar with errors

If your website is loading with an exclamation mark, yellow triangle, or broken padlock, that means something on your website is being loaded without https. This is usually either an image or a script.

An easy way to figure out which image or script is responsible is to use the console in Google Chrome's developer tools, which logs a mixed content error naming each resource that was loaded over http.
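The console check can also be scripted. As an added example (not code from the original post), the following Python walks a page's HTML and lists every resource that would be requested over plain http, marking scripts, stylesheets and frames as active mixed content (which browsers block) and images and media as passive (which only downgrades the padlock). The sample page and the example.com hosts are constructed.

```python
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit

# Tag -> attribute that names a fetched subresource (a deliberately short list).
RESOURCE_ATTRS = {"img": "src", "script": "src", "iframe": "src", "video": "src",
                  "audio": "src", "source": "src", "embed": "src", "link": "href"}
# Browsers block "active" mixed content outright; "passive" content just loses the padlock.
ACTIVE_TAGS = {"script", "iframe", "link", "embed"}
LINK_RELS = {"stylesheet", "icon", "preload", "prefetch"}  # <link> rels that fetch something

class MixedContentFinder(HTMLParser):
    """Collect (tag, absolute_url, severity) for every http:// subresource of an HTTPS page."""
    def __init__(self, page_url: str):
        super().__init__()
        self.page_url = page_url
        self.findings = []

    def handle_starttag(self, tag, attrs):
        attr = RESOURCE_ATTRS.get(tag)
        if attr is None:
            return
        attrs = dict(attrs)
        url = attrs.get(attr)
        if not url:
            return
        rel = set((attrs.get("rel") or "").lower().split())
        if tag == "link" and not rel & LINK_RELS:
            return  # e.g. rel="canonical" is metadata, not a fetched resource
        # urljoin resolves relative paths and protocol-relative "//host/x" against the page.
        absolute = urljoin(self.page_url, url)
        if urlsplit(absolute).scheme == "http":
            severity = "active" if tag in ACTIVE_TAGS else "passive"
            self.findings.append((tag, absolute, severity))

def find_mixed_content(html: str, page_url: str) -> list:
    """Parse html as if served from page_url and return the mixed-content findings."""
    finder = MixedContentFinder(page_url)
    finder.feed(html)
    return finder.findings

# Constructed sample page (not from any real site); the page itself is served over HTTPS.
SAMPLE_PAGE = """<html><head>
<link rel="stylesheet" href="http://cdn.example.com/site.css">
<link rel="canonical" href="http://example.com/">
<script src="//cdn.example.com/app.js"></script>
</head><body>
<img src="http://example.com/images/logo.png">
<img src="/images/hero.png">
</body></html>"""
```

Calling `find_mixed_content(SAMPLE_PAGE, "https://example.com/")` flags the stylesheet as active and the logo as passive; the protocol-relative script and the relative image resolve to https and pass.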

Server Configuration for SSL

Check these websites for your SSL config:

You are probably noticing a big difference – unless you or your network administrator absolutely rock.

PCI Compliance with SSL Certificates

For the most part, following the guidelines Observatory displays will ensure the SSL portion of your website meets PCI compliance.

Evan from H4Y Technologies LLC / iWF Hosting provides further insight on what is reasonable to expect from a hosting company out of the box without further customizations.

“We do ensure that insecure protocols are disabled during our initial server hardening. We also shut off many of the software advertisements of version #s, etc, all PCI Compliance issues. Otherwise, it is quite dependent on the client. Most of the default settings we leave with the client are acceptable given most hosting server security standards. PCI Compliance and many other compliance standards go many steps beyond that.”

-Evan, H4Y Technologies LLC / iWF Hosting

mk

4 Comments
  1. I appreciate your write up on SSL Certificates. I was forced to learn about them a month ago when I had an installation go bad with Hostgator. After misery for three weeks, I left Hostgator for SiteGround and all is well in my world again.

  2. I have read somewhere that SSL and AMP are the next thing for SEO ranking. Luckily, I am with SiteGround and I set it up with one click! Thank you for sharing all the knowledge.
