SSLs — What to do When Your Connection is Not Secure
If you’re a website manager and you’ve run into the dreaded “This connection is not private”, this should be a bookmarked guide of “What To Do” for you.
An SSL (Secure Sockets Layer) certificate verifies that a website has been approved as real and that the company running the website exists, and it keeps information secure.
SSL certificates are important because they indicate to users that a site is legitimate and safe, and that any information going back and forth (such as passwords, credit cards, or forms) is encrypted and protected. This keeps information private, decreases user vulnerability, and gives a user the feeling of security and trust.
Unfortunately, SSL certificates expire — and when they do, things can look nasty. When an SSL certificate goes down, it pulls up a large page warning users: “This Connection Is Not Private. This website may be impersonating “websiteURLhere” to steal your personal or financial information. You should go back to the previous page”. Since this message is a nuisance at best, and damaging to brand reputation and customer trust at not-so-best, it’s ideal to update your SSL immediately once it has expired.
What to do when your SSL is down:
- 1 day (including wait time!)
- Your domain name / URL
- Your host name and account number (optional)
- A friend (or even anyone) with web development and coding experience
Step 1: Confirm that your SSL certificate is the reason you’re having issues
Before hopping into the “renew my SSL certificate ASAP” boat, you want to make sure your SSL certificate is the root of your issue. A quick way to do this is by checking your URL; if your SSL certificate is expired, it will read “http://” as opposed to “https://” (the “s” simply indicates if a site is secure or not). Alternatively, check to the left of your URL — if your SSL is good to go, there should be a green padlock icon present.
Another way to check if your SSL is up to date is to get an analysis of your SSL certificate. We recommend using ssllabs.com to do this. ssllabs.com is a website that analyzes your SSL certificate: it grades your SSL certificate and gives a breakdown of its functionality, expiration, and configuration stats.
To check the state of your SSL:
1. Go to https://www.ssllabs.com/ and click on “test your server” in the upper right side of the page.
SSL Labs is a free website and tool that can be used to analyze your server and SSL certificate (in this case, we will use apple.com as our example test URL).
2. Clicking “test your server” will take you to the SSL Server Test page, where you enter the domain name of the site you’d like to test into the “Hostname” box and submit.
Submitting will then take you to a page showing the server or servers that are being used with your domain name/URL.
3. Click on the hyperlinked server that you’d like to see a report for.
Clicking will take you to your SSL Certificate grade. (apple.com has a few servers, so in our case we clicked on the top link, as it was the only one ready for us to look at its review; the other links were in progress for review, and pending review.)
Note: in some cases, there is only one server, and so ssllabs will take you directly to your grade, and not this page.
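As a scripted complement to the SSL Labs check, the following added example (not part of the original guide) connects with browser-style verification and reports whether a failure is really an expiry or another certificate problem that produces the same warning. The function names and the 30-day renewal threshold are assumptions chosen for illustration; the sample dates are constructed.

```python
import socket
import ssl
import time

RENEW_WINDOW_DAYS = 30  # assumption: start renewing 30 days before expiry

def classify(not_after, now=None, window_days=RENEW_WINDOW_DAYS):
    """Return (status, days_left) for a certificate 'notAfter' string."""
    now = time.time() if now is None else now
    # Floor division: a certificate that expired an hour ago gives -1.
    days_left = int((ssl.cert_time_to_seconds(not_after) - now) // 86400)
    if days_left < 0:
        return "expired", days_left
    if days_left <= window_days:
        return "renew-now", days_left
    return "ok", days_left

def explain_failure(verify_code, verify_message):
    """Name the cause of a failed verification, so an expiry is not
    confused with a hostname mismatch or an untrusted issuer."""
    if verify_code == 10:   # OpenSSL X509_V_ERR_CERT_HAS_EXPIRED
        return "expired"
    if verify_code == 62:   # OpenSSL X509_V_ERR_HOSTNAME_MISMATCH
        return "hostname-mismatch"
    return "other: " + verify_message

def check_host(hostname, port=443, timeout=10):
    """Connect as a browser would and report the certificate's state."""
    ctx = ssl.create_default_context()  # verifies chain, hostname and dates
    try:
        with socket.create_connection((hostname, port), timeout=timeout) as sock:
            with ctx.wrap_socket(sock, server_hostname=hostname) as tls:
                return classify(tls.getpeercert()["notAfter"])
    except ssl.SSLCertVerificationError as exc:
        # An expired certificate never completes the handshake, so the
        # cause has to be read from the verification error itself.
        return explain_failure(exc.verify_code, exc.verify_message), None

if __name__ == "__main__":
    # Constructed sample: pretend "today" is 1 Jan 2030 so the demo is offline.
    today = ssl.cert_time_to_seconds("Jan  1 00:00:00 2030 GMT")
    for sample in ("Dec 31 00:00:00 2029 GMT",
                   "Jan 11 00:00:00 2030 GMT",
                   "Jan  1 00:00:00 2031 GMT"):
        print(sample, classify(sample, now=today))
```

Running `check_host` with your own domain name from a scheduled job gives the same answer as the manual check without waiting for a visitor to see the warning page.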
Step 2: Obtain a new SSL
If your SSL Certificate is expired, the clear thing that you need to do is renew it. Depending on who’s hosting your site, this can often be done by your website host — the best way to see if your host deals with expired SSL certificates is to get in contact with your account representative. If “renewing SSL certificates” falls under your host’s services, they will take care of the rest for you.
If your host does not include SSL certificate renewal as a service, or you decide to renew it yourself, you’re going to need to buy a new SSL certificate on your own (step 3).
Step 3: Purchase a new SSL Certificate:
1. Identify which vendor you’d like to purchase an SSL certificate from.
Many of our clients choose to go with the same vendor they used for their last SSL — something that can be found under “Issuer” in the server test from Step 1. Other clients like to do research by asking peers or looking online to find a new vendor.
2. Apply for a CSR (Certificate Signing Request). A CSR is essentially a request to apply for an SSL Certificate.
Applications are done online, are simple, and are free — many SSL Certificate vendors offer this service, but if not, you can find plenty of good online CSR providers through a quick “CSR provider” Google search.
The CSR application will ask for a bunch of information such as “domain name”, “location”, “public key” and more. This information can all be found from the server test from Step 1.
3. Once you have your CSR, submit it to your SSL Certificate vendor of choice.
The CSR should look something like:
-----BEGIN CERTIFICATE REQUEST-----
followed by a bunch of letters and numbers, followed by
-----END CERTIFICATE REQUEST-----
4. Your SSL certificate vendor will then take the CSR information and create an SSL certificate.
Step 4: Install the SSL certificate
This part is a simple handoff. To install the SSL certificate, a web developer will take the information from the SSL vendor, and add it in to your website code. That’s it: after that you are all set.
If you’re not a developer, and you don’t have any web developers on your team, we would recommend asking your host to help you do this, or to find a web development agency that can help. Many web teams, including our own team at Isovera, can quickly add in the SSL certificate, and get your website right back up and secure.
Helpful Hints for Next Time:
As great as it is to learn what to do when your SSL certificate goes down, it is far better to prevent the panic of having it expire. Below are a few helpful hints about SSL certificates:
- Different SSL certificates have different expiration dates. We recommend choosing an expiration of 3 years so that you don’t have to deal with renewal annually, but it’s not so far out that no one remembers what to do when an SSL certificate is headed to expiration.
- Add an SSL reminder to a company-wide calendar — since factors such as days off, employee turnover, or even busy lives make it easy to forget about SSL certificates, add a company calendar reminder so that everyone is aware of expiration dates.
- Keep the contact info of your SSL vendor, or ssllabs.com, on hand — if you don’t know your SSL certificate expiry date, no sweat: your vendor or ssllabs will. Keep a record of your vendor of choice so that you can easily determine when you’re up for expiration.
- Make sure your SSL vendor has active contact information for you — many vendors allow for certificate renewal anywhere from 30–90 days before expiration, and will send expiration reminders. Check that your vendor has updated contact information, and that you have opted in for reminder emails. This can help you avoid surprise expirations, as well as allow you to get a jumpstart on the renewal process.