Padlocks and certificates.
Everyone wants that padlock in the address bar. Why? Google told them they do. I’m joking (kind of).
Generally speaking, it’s a good thing to have the padlock in the address bar, simply because it instills a sense of legitimacy and trust in site visitors.
Padlocks and certificates are two different things: you need a certificate to be able to get the padlock in the address bar. So padlocks and certificates are related to each other, but each is a different thing in its own right.
If you don’t want to read all of the information below and just want to know how to install a certificate, you can skip ahead to the “Installing a certificate” section.
What the padlock means.
The presence of a padlock in the browser’s address bar indicates that the connection between your computer and the website you’re looking at is encrypted. This means that if the data passing between the two is intercepted by a third party, it would look like nonsense to them.
This makes it VERY difficult for any information sent between your computer and the web server (where the site is held) to be obtained in any usable form. I say “very difficult” because it is possible in principle to decrypt data that’s been encrypted; it just takes a very long time (longer than you or I will live for), unless a lot of computing power is used.
Why you need the padlock.
If you’re running an online shop, people will make purchases by entering their card details into their browser.
These card details get sent over the internet to your site for their payment to be processed.
If the padlock isn’t in place on the site, the card details sent from the browser aren’t encrypted. If this card information isn’t encrypted it could be obtained, then used to buy things with the card. The padlock effectively stops this being possible.
If you’re not running an online shop you might be reading this thinking “why do I need padlocks and certificates?” If you have a contact form on your site, information is sent from the browser to the web server when people use it. No padlock means that any information entered into the contact form and sent to your site could be obtained and used.
OK, a contact form is generally used to communicate email addresses, telephone numbers and words, which isn’t as bad as card details being obtained. Then again, what do spammers do with email addresses?
If your site has any aspect of people submitting information to it in any way, it’s strongly advisable to have the padlock. If you log in to your site to make changes to it (which you do with WordPress) you’d be best to have the padlock.
The padlock has become prevalent. A lack of padlock can also affect how search engines rank your site. A padlock instills a general feeling of legitimacy and trust, as well as what I’ve mentioned above. Get the padlock.
How certificates relate to padlocks.
The short version:
You need a certificate for a padlock to be possible.
The long version:
A certificate is a digital file that binds together a public key (think of a key as a big number, just for simplicity’s sake) with some other identifying information, in this case a website’s domain name. When you visit a website that uses a security certificate, your browser will verify the certificate and display a padlock icon in the address bar.
There’s a kind of “conversation” between a browser and the web server that hosts the site that has to take place before the padlock is displayed. This is called the HTTPS handshake (strictly, the TLS handshake that HTTPS is built on), and these are the steps involved in that conversation:
- The browser sends a message to the server, requesting a secure connection.
- The server sends a message back to the browser, containing its certificate.
- The browser verifies the certificate, ensuring that it is valid and belongs to the intended server.
- The browser generates a random symmetric key and encrypts it with the server’s public key (a number being encrypted using another number).
- The browser sends the encrypted key to the server.
- The server decrypts the key using its private key.
- The server and the browser agree on a session key, which is a randomly generated key (another huuuuge number) that will be used to encrypt all subsequent communication between the browser and the server.
- The browser and the server begin exchanging data, using the session key to encrypt the data, displaying the padlock when doing so.
So, what all this really means is that you NEED a certificate to be able to get the padlock. It’s the “using one huge number with another huge number” that makes encryption hard to break. One of these numbers is random, which again, makes the encryption “sum” very hard to work out.
Just having a certificate doesn’t mean a padlock will suddenly appear of its own accord. The site needs to be set up, or written, to make use of the certificate in order for the padlock to be displayed.
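To make the steps above concrete, here is a toy model of the conversation in Python. It is an added example, not code from the original post: it uses textbook RSA with tiny primes and a hash-based keystream so that the “one huge number with another huge number” idea is visible in a few lines. Real TLS uses keys thousands of bits long, padding and authenticated ciphers, so nothing here is usable as actual encryption. The “Toy CA”, the browser’s trust store and the function names (`issue_certificate`, `verify_certificate`, `handshake`) are all assumptions made for this example. It also shows the two ways the check in step 3 fails (a certificate for a different site, or one from an issuer the browser doesn’t trust), which is when a browser shows a warning instead of the padlock.

```python
import hashlib
import secrets

# ---- Textbook RSA with tiny, INSECURE primes (illustration only) -----------------
def rsa_keypair(p, q, e=17):
    """Return (public, private). Real keys use primes over a thousand bits long."""
    n = p * q
    d = pow(e, -1, (p - 1) * (q - 1))      # modular inverse, Python 3.8+
    return (e, n), (d, n)

def rsa_apply(key, number):
    """Encrypt, decrypt, sign and verify are all 'one number to the power of another, mod n'."""
    exponent, modulus = key
    return pow(number, exponent, modulus)

def digest(data, modulus):
    """Hash the data and reduce it so it fits under the toy modulus."""
    return int.from_bytes(hashlib.sha256(data).digest(), "big") % modulus

# ---- Certificates: a domain name bound to a public key, signed by a CA -----------
def cert_bytes(domain, public_key):
    return f"{domain}|{public_key[0]}|{public_key[1]}".encode()

def issue_certificate(issuer, ca_private, domain, server_public):
    """The certificate authority signs the (domain, public key) pair."""
    h = digest(cert_bytes(domain, server_public), ca_private[1])
    return {"domain": domain, "public_key": server_public,
            "issuer": issuer, "signature": rsa_apply(ca_private, h)}

def verify_certificate(cert, trust_store, expected_domain):
    """Browser step: a trusted CA signed it AND it names the site we asked for."""
    ca_public = trust_store.get(cert["issuer"])
    if ca_public is None:
        return False                        # unknown issuer: warning, no padlock
    h = digest(cert_bytes(cert["domain"], cert["public_key"]), ca_public[1])
    if rsa_apply(ca_public, cert["signature"]) != h:
        return False                        # altered or forged certificate
    return cert["domain"] == expected_domain   # a certificate for some other site

# ---- Symmetric part: a hash-based keystream XORed over the data -------------------
def keystream_xor(session_key, data):
    out = bytearray()
    for offset in range(0, len(data), 32):
        block = hashlib.sha256(session_key + offset.to_bytes(4, "big")).digest()
        out.extend(b ^ k for b, k in zip(data[offset:offset + 32], block))
    return bytes(out)

# ---- The conversation --------------------------------------------------------------
def handshake(trust_store, requested_domain, server_cert, server_private, request):
    """Returns (padlock_shown, reply_as_decrypted_by_browser)."""
    # Steps 1-3: browser asks for a secure connection, server sends its certificate,
    # browser verifies it; any failure means no padlock and no data is sent.
    if not verify_certificate(server_cert, trust_store, requested_domain):
        return False, None
    # Steps 4-5: browser picks a random number and encrypts it with the server's public key
    public = server_cert["public_key"]
    random_key = secrets.randbelow(public[1] - 2) + 2
    encrypted_key = rsa_apply(public, random_key)
    # Step 6: only the holder of the private key can recover it
    recovered = rsa_apply(server_private, encrypted_key)
    # Step 7: both sides derive the session key from the number they now share
    browser_session = hashlib.sha256(str(random_key).encode()).digest()
    server_session = hashlib.sha256(str(recovered).encode()).digest()
    # Step 8: traffic flows under the session key and the padlock is shown
    ciphertext = keystream_xor(browser_session, request)
    seen_by_server = keystream_xor(server_session, ciphertext)
    reply = keystream_xor(server_session, b"200 OK for " + seen_by_server)
    return True, keystream_xor(browser_session, reply)

def demo(expected_domain="mysite.com", issuer="Toy CA"):
    """Constructed world: one CA trusted by the browser, one server with a certificate."""
    ca_public, ca_private = rsa_keypair(83, 89)
    server_public, server_private = rsa_keypair(61, 53)
    trust_store = {"Toy CA": ca_public}     # the browser's list of trusted CAs
    cert = issue_certificate(issuer, ca_private, "mysite.com", server_public)
    return handshake(trust_store, expected_domain, cert, server_private, b"GET /")

if __name__ == "__main__":
    print(demo())                                   # (True, b'200 OK for GET /')
    print(demo(expected_domain="www.mysite.com"))   # name mismatch -> (False, None)
    print(demo(issuer="Rogue CA"))                  # untrusted issuer -> (False, None)
```

Note the order: the browser never sends anything secret until the certificate has passed the check, which is why a site with a certificate for the wrong name, or from an issuer the browser doesn’t know, gets a warning rather than a padlock.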
WordPress has its own URL rewriting mechanism. This is based on what you define as the site’s address when you set it up.
If you set up your site using https://mysite.com, then even if someone browses to http://mysite.com (note the lack of s in the latter – no s = no encryption = no padlock) WordPress will redirect the browser to https://mysite.com.
It’s due to this that it’s best to start off with https://mysite.com, rather than http://mysite.com, but that means you’ll need a certificate BEFORE installing WordPress. That’s why, if you’re reading these posts in chronological order, this post comes before the post covering installing WordPress.
If you don’t set your site up using https://mysite.com it’s not the end of the world. Plugins can be used to make it https://mysite.com later.
How to check for a certificate.
It’s possible that your hosting provider might have automatically installed a certificate for you already.
There are lookup tools you can use to check whether you have a certificate. Just run your domain through the tool and, generally speaking:
Green = Certificate:
SSL Shopper’s SSL check tool is very straightforward to use. You just run your domain through it. Here’s mine:
If you see the same green ticks when you do the same, you’ve got a certificate and you don’t need to get one.
If you’re not seeing the green ticks, but instead see warnings, you don’t have a certificate and are going to need to install one.
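If you’d rather run the same check yourself than paste your domain into a website, the Python script below does what the lookup tool does: it connects the way a browser would, lets the standard library verify the certificate, and then reports who issued it, which names it covers and how many days it has left. This is an added example and not code from the original post or from SSL Shopper; the function names are invented for it. `fetch_cert()` needs network access, while `summarize()` works on the dictionary shape that `ssl.SSLSocket.getpeercert()` returns, so it is exercised here on a constructed sample certificate.

```python
import socket
import ssl
import sys
import time

def fetch_cert(hostname, port=443, timeout=5.0):
    """Connect as a browser would and return the server's certificate as a dict.
    The default context verifies the chain and the host name, so a site that
    would get a warning instead of a padlock raises ssl.SSLCertVerificationError."""
    context = ssl.create_default_context()
    with socket.create_connection((hostname, port), timeout=timeout) as raw:
        with context.wrap_socket(raw, server_hostname=hostname) as tls:
            return tls.getpeercert()

def san_names(cert):
    """DNS names the certificate covers (the subjectAltName extension)."""
    return [value for kind, value in cert.get("subjectAltName", ()) if kind == "DNS"]

def name_matches(hostname, pattern):
    """Exact match, or a single leading wildcard label such as *.mysite.com."""
    host, pat = hostname.lower().split("."), pattern.lower().split(".")
    if pat[0] == "*":
        return len(host) == len(pat) and host[1:] == pat[1:]
    return host == pat

def summarize(cert, hostname, now=None):
    """The facts a lookup tool shows: who issued it, which names, days left, name match."""
    now = time.time() if now is None else now
    issuer = dict(pair for rdn in cert["issuer"] for pair in rdn)
    names = san_names(cert)
    expires = ssl.cert_time_to_seconds(cert["notAfter"])   # epoch seconds, UTC
    return {
        "issuer": issuer.get("organizationName") or issuer.get("commonName", "?"),
        "names": names,
        "days_left": int((expires - now) // 86400),
        "covers_host": any(name_matches(hostname, n) for n in names),
    }

# Constructed sample in the exact shape getpeercert() returns; not a real certificate.
SAMPLE_CERT = {
    "subject": ((("commonName", "mysite.com"),),),
    "issuer": ((("countryName", "GB"),),
               (("organizationName", "Example CA Ltd"),),
               (("commonName", "Example Issuing CA"),)),
    "notBefore": "Jan  1 00:00:00 2024 GMT",
    "notAfter": "Mar 31 23:59:59 2024 GMT",
    "subjectAltName": (("DNS", "mysite.com"), ("DNS", "www.mysite.com")),
}

def report(hostname, cert):
    """One line in the spirit of the green tick / warning the tool shows."""
    s = summarize(cert, hostname)
    verdict = "OK" if s["covers_host"] and s["days_left"] > 0 else "WARNING"
    return (f"{verdict}: {hostname} issuer={s['issuer']} names={s['names']} "
            f"days_left={s['days_left']}")

if __name__ == "__main__":
    if len(sys.argv) > 1:                      # python check_cert.py mysite.com
        host = sys.argv[1]
        try:
            print(report(host, fetch_cert(host)))
        except ssl.SSLCertVerificationError as err:
            print(f"WARNING: {host} failed verification: {err.verify_message}")
    else:
        print(report("www.mysite.com", SAMPLE_CERT))   # the constructed sample, long expired
```

A certificate that exists but does not cover the name you typed (for example `www.mysite.com` when only `mysite.com` is listed), or that has run out, gives the same warning in a browser as having no certificate at all, which is why the script checks both.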
Installing a certificate.
Using cPanel means there will usually be an automated certificate installer. This is called AutoSSL, and you use the “SSL / TLS Status” facility in your cPanel to use AutoSSL to install a certificate.
When you log in to cPanel, you’ll see a page covered in icons. In the “Search Tools” box up at the top you can type things and a menu will appear below according to what you type. In the “Search Tools” box type:
Then click on “SSL / TLS Status”, like this:
Then click the “Run AutoSSL” button, like this:
You’ll then have to wait a few minutes while AutoSSL installs the certificate. This can take a bit of time, as the domain control validation process needs to take place, then the issuing certificate authority needs to provide the certificate, then it gets installed, then the web server restarts.
The domain control validation process is essentially the issuing certificate authority checking that the domain is controlled by the party requesting the certificate.
The server your site is hosted on has to prove that it holds the domain for which the certificate is being requested. It will do this either using DNS records or by putting a verification file in your hosting account, then letting the issuing certificate authority know where the “proof” is. The issuing certificate authority then checks for the proof, and if it finds it you get a certificate.
If you want to check the certificate has been installed OK, SSL Shopper’s SSL check tool can be used to do this.
Certificates installed using AutoSSL should also automatically renew in the future.
AutoSSL is part of the cPanel hosting platform and it’s built in by default, for free. If you’re hosted with a provider charging you for certificates, they’re charging you for something that has no cost for them.
So there you go. Padlocks and certificates.
But what if AutoSSL doesn’t work?
If your domain doesn’t resolve (point) to your hosting, then the process outlined above will fail, and you’ll need to “point” your domain to your hosting to address this and be able to install a certificate.
Generally speaking, if you’ve bought your domain and hosting from the same company, this will have already been done, but if you purchased your domain and hosting from different companies, you’ll either need to:
- Change the nameservers held against the domain to those of your hosting provider, or
- Point just your website’s address to the server where your site is held using DNS records.
How you’d do this varies between providers (there’s not always a common interface), and which you should do depends on how you’re operating (if you have your site held with one party and your emails held with another, for example).
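The following Python model ties the domain control validation described under “Installing a certificate” to the failure described here. It is an added example, not cPanel’s or any certificate authority’s code: the hosting servers, the DNS zone, the proof path and the function names are all constructed for illustration, and the IP addresses are the RFC 5737 documentation ranges. The CA asks DNS where the domain points and fetches the proof from there, so if the A record still points at an old host, the file AutoSSL wrote into your hosting account is never seen and no certificate is issued. The DNS-record method is modelled too: it only works when the hosting can edit the domain’s DNS, which is the nameserver question above.

```python
import secrets

PROOF_DIR = "/.well-known/pki-validation/"   # assumed path for the HTTP-file method

class HostingServer:
    """A hosting account: the IP it answers on and the files it serves."""
    def __init__(self, name, ip):
        self.name, self.ip, self.files = name, ip, {}

    def publish_http_proof(self, token):
        self.files[PROOF_DIR + token + ".txt"] = token

def resolve(dns, domain):
    """Which IP the domain's A record points at, or None if it does not resolve."""
    return dns.get(domain, {}).get("A")

def ca_check(dns, servers, domain, token, method):
    """The issuing CA looks for the proof where it expects it. Returns (found, reason)."""
    if method == "http":
        ip = resolve(dns, domain)
        if ip is None:
            return False, f"{domain} does not resolve"
        server = servers.get(ip)            # the CA fetches from wherever DNS sends it
        if server is None or server.files.get(PROOF_DIR + token + ".txt") != token:
            return False, f"proof not found on {ip}"
        return True, f"proof served by {server.name} at {ip}"
    if method == "dns":
        if token in dns.get(domain, {}).get("TXT", []):
            return True, "proof found in a TXT record"
        return False, "no matching TXT record"
    return False, f"unknown method {method}"

def request_certificate(domain, hosting, dns, servers, method="http"):
    """AutoSSL's job end to end: get a token, publish the proof, have the CA check it."""
    token = secrets.token_hex(16)           # random value chosen by the CA
    if method == "http":
        hosting.publish_http_proof(token)   # written into the hosting account
    elif method == "dns":
        zone = dns.setdefault(domain, {})
        if zone.get("managed_by") != hosting.name:
            return {"issued": False, "reason": "hosting cannot edit this domain's DNS"}
        zone.setdefault("TXT", []).append(token)
    found, reason = ca_check(dns, servers, domain, token, method)
    return {"issued": found, "reason": reason}

def scenario(points_to, method="http", dns_managed_by="my-host"):
    """Constructed world: the new host, the old host, and a domain that points at one of them."""
    my_host = HostingServer("my-host", "203.0.113.10")     # RFC 5737 documentation addresses
    old_host = HostingServer("old-host", "198.51.100.20")
    servers = {s.ip: s for s in (my_host, old_host)}
    dns = {"mysite.com": {"managed_by": dns_managed_by}}
    if points_to is not None:
        dns["mysite.com"]["A"] = {"my-host": my_host.ip, "old-host": old_host.ip}[points_to]
    return request_certificate("mysite.com", my_host, dns, servers, method)

if __name__ == "__main__":
    for args in [("my-host",), ("old-host",), (None,), ("my-host", "dns", "registrar")]:
        print(args, "->", scenario(*args))
```

Run it and the second and third lines show the two ways the “doesn’t resolve to your hosting” failure looks from the CA’s side: the proof exists, but on a machine nobody is asking, or the name leads nowhere at all. Fixing the A record (or the nameservers) is what turns the first line’s result back on.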