What happened to certificates?
We implemented an automatic certificate system for Pressero. Any Pressero site whatsoever can now get a valid certificate, within one business day. This will replace our system of mixed single or wildcard certificates.
What are the advantages?
- The certificates are obtained automatically by the system.
- No communication with support, or emailing back and forth, is required.
- If you add or delete https domains, a new certificate is obtained within one business day.
- If you do not make any changes, your certificates are good for 90 days, and the system will automatically renew them after 60 days, a month before they expire.
- Any site marked for https will be covered by a certificate, even if there are multiple segments before the base domain. For example, www.my.site.company.com can be covered just as easily as site.company.com. Wildcards were only able to handle one segment before the base domain.
- This even includes sites using your temporary domains, like www.mycompany.chi.v6.pressero.com. You will be able to use https with such sites (even when they have multiple segments) and use secure payment methods with them.
What should I be aware of?
- There is no longer a need for wildcard certificates. The system acquires certificates that cover a specific list of domains. So it will acquire a new certificate every time you change your list of https domains.
- Only sites marked for https will be covered by a certificate. Previously, if you had a wildcard certificate, you could access https://site.company.com even if site.company.com was not marked for https. Going forward, every site you want to use with https must be marked as https before a certificate can be obtained for it.
- Every site you intend to use with https must be viewable as a Pressero site before a certificate can be obtained for it.
- Your domains should have DNS set to use the current Pressero IP addresses:
  - 22.214.171.124 aka chi.v6.pressero.com (Chicago v6 only)
  - These can be either A records or CNAME records
- Domains on the Amsterdam or Singapore Pressero servers do not need to change; they are already using the correct IP addresses.
- Some of your older sites may currently have DNS pointing to older IP addresses, such as 126.96.36.199, or a CNAME to server10.pressero.com. These DNS entries should be changed to the new IPs, as shown above.
- There will be a delay between you marking the site as https, and the certificate being obtained. While we are trying to keep this delay to a minimum, in the beginning it may be as much as one business day.
  - Thus, for domains that do not yet have a certificate, you should set the HTTPS checkbox for that new domain, but not set “Redirect to primary domain” for the site. If you did both, then users would be redirected to HTTPS before the certificate was obtained, and they would see a security error in their browser.
  - Once you have tested your domain successfully with https, you may set “Redirect to primary domain” for the site.
- If you have several sites all covered by https, they will be combined into one certificate. If you have over 100 sites, they will be grouped into several certificates.
- When you view the certificate details in your browser, it may appear that the certificate is meant for a different site than you are now viewing. Yet the browser accepts the certificate as secure.
  - This is because a certificate can only name one primary DNS domain (the "Common Name (CN)") but can name up to 99 additional domains (the "Subject Alternative Name" section).
  - For example, if you have aaa.mysite.com, bbb.mysite.com and ccc.mysite.com, all marked for https within Pressero, a single certificate will be retrieved that covers all three of them. When you view the Certificate Details, on the General tab you will see Issued To: Common Name (CN) aaa.mysite.com, no matter whether you are viewing aaa or bbb or ccc. But if you go to the Details tab and then move to the Subject Alternative Name section, you will see all three listed: DNS Name=aaa.mysite.com, DNS Name=bbb.mysite.com, DNS Name=ccc.mysite.com. And the browser will report all three sites as secure.
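
The matching behaviour described above, as an added example (not Pressero's code): it shows why a browser accepts bbb.mysite.com on a certificate "issued to" aaa.mysite.com, and why a wildcard covers only one segment before the base domain. The function names and the two certificate dictionaries are assumptions constructed for illustration, in the shape Python's `ssl.SSLSocket.getpeercert()` returns.

```python
# Added example: how a client decides whether a certificate covers a hostname.
# The dicts are constructed samples in the shape of ssl.SSLSocket.getpeercert().

def name_matches(pattern, hostname):
    """Compare one SAN DNS name with a hostname, label by label.
    A '*' is accepted only as the whole leftmost label and stands for
    exactly one label, so *.company.com cannot cover a.b.company.com."""
    p = pattern.lower().rstrip(".").split(".")
    h = hostname.lower().rstrip(".").split(".")
    if len(p) != len(h) or "" in h:
        return False
    if p[0] == "*":
        return len(p) > 2 and p[1:] == h[1:]
    return p == h

def san_dns_names(cert):
    return [value for kind, value in cert.get("subjectAltName", ()) if kind == "DNS"]

def common_name(cert):
    """The name shown as 'Issued To' on the General tab."""
    for rdn in cert.get("subject", ()):
        for key, value in rdn:
            if key == "commonName":
                return value
    return None

def covers(cert, hostname):
    """True if any Subject Alternative Name entry matches the hostname."""
    return any(name_matches(name, hostname) for name in san_dns_names(cert))

# Constructed sample: one certificate for three https-marked sites.
MULTI_SITE = {
    "subject": ((("commonName", "aaa.mysite.com"),),),
    "subjectAltName": (("DNS", "aaa.mysite.com"), ("DNS", "bbb.mysite.com"),
                       ("DNS", "ccc.mysite.com")),
}
# Constructed sample: an old-style wildcard certificate.
WILDCARD = {
    "subject": ((("commonName", "*.company.com"),),),
    "subjectAltName": (("DNS", "*.company.com"), ("DNS", "company.com")),
}

if __name__ == "__main__":
    for cert, host in [(MULTI_SITE, "bbb.mysite.com"), (MULTI_SITE, "ddd.mysite.com"),
                       (WILDCARD, "site.company.com"),
                       (WILDCARD, "www.my.site.company.com")]:
        print(f"{host}: CN={common_name(cert)} covered={covers(cert, host)}")
```

A site that is not in the Subject Alternative Name list (ddd.mysite.com here) is rejected even though it shares the base domain, which is why every site must be marked for https before it is covered.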
Are the certificates secure?
The new certificates obtained by this system are issued by Let’s Encrypt, an automated Certificate Authority, run by the non-profit Internet Security Research Group (ISRG). Its root certificates are cross-signed by IdenTrust, another large (commercial) Certificate Authority. The certificates are just as secure as the certificates we had been obtaining from Globalsign. They are recognized in all browsers, including mobile browsers.
These certificates are often referred to as SSL certificates. They should really be called site certificates. SSL is actually an obsolete and insecure protocol, which has been replaced by TLS. We use the most modern and secure version of the protocol, TLS 1.2.
When will the switchover take place?
Some domains are already using the new certificates. We will be generating new certificates for all https-marked domains and installing them as of Jan 1, 2017. As of Feb 1, 2017, we will remove all wildcard certificates in our system, relying only on the new certificate system.