SSL Certificates and HTTPS Complete 101

In this blog post I have documented my research on SSL certificates, with common questions answered below, so you have the background knowledge of why you need to see that HTTPS. Also documented is how to install an SSL certificate on your website, specifically on sites hosted on Amazon Web Services (AWS). My purpose for HTTPS is adding a secure SSL certificate to accept Stripe payments (see Adding a Secure SSL Certificate to Accept Stripe Payments 101), and below are some research notes on SSL/HTTPS/certificates for this specific purpose too. I had some issues with getting SSL to work on mobile, so that's documented below as well.


Questions Answered in this research

  1. what is an SSL cert?
  2. how secure is an SSL cert?
  3. How does an ssl cert work?
  4. what exactly does SSL protect?
  5. why does Stripe require SSL for payments?
  6. does it need to be the entire site or just payment page?
  7. what are the SEO benefits to have an SSL cert?
  8. how much does an SSL cost?
  9. does the SSL cert expire?
  10. why do some sites use a subdomain for SSLs? ie –
  11. how to obtain an SSL cert for your domain?
  12. how to install an SSL cert on a linux server running apache?
  13. does SSL cert work on mobile browsers?
  14. what is the SSL POODLE security hole?
  15. how can you test your SSL cert is working with Stripe?
  16. why are some SSL certs so cheap?
  17. how do I get the green address bar?
  18. what is the $1,750,000 relying party warranty?
  19. Do I use HTTPS on local development or just external servers?
  20. what is a
  21. do you need to add https to your sitemaps?
  22. Do you need to register the https version of the site in google webmaster tools?
  23. should I make my whole site HTTPS or just the payments page?
  24. How would you set up SSL for a single page or multiple pages/sections of the site only?
  25. Does maxcdn support SSL?
  26. How to rewrite your urls to use https instead of http?
  27. other gotchas?

What is an SSL cert?
SSL (Secure Sockets Layer) and TLS (Transport Layer Security) are mechanisms for safely transmitting data: they encrypt, and verify the integrity of, traffic between the browser and the server.

“SSL Certificates are small data files that digitally bind a cryptographic key to an organization’s details. When installed on a web server, it activates the padlock and the https protocol (over port 443) and allows secure connections from a web server to a browser.”

HTTPS (Hypertext Transfer Protocol Secure) is the combination of SSL/TLS and HTTP to secure communications between the browser and the server.

A certificate is a file normally issued by a certification authority (CA). The certificate assures other web users that they’re really communicating with the server they expect to be talking to, not an impostor. A certificate is needed in order to use SSL/TLS.

An SSL certificate contains the following information:
– The certificate holder’s name
– The certificate’s serial number and expiration date
– A copy of the certificate holder’s public key
– The digital signature of the certificate-issuing authority

How secure is an SSL cert?

It’s more secure than plain HTTP. In particular, it significantly reduces your risk of being exposed to a man-in-the-middle attack.
Users correctly feel more comfortable sharing their payment information on pages visibly served over SSL. Your conversion rate is likely to be higher if your pages are served over SSL/TLS, too.

Why does Stripe require SSL for payments?

“Stripe forces HTTPS for all services”, “We use HSTS to ensure browsers interact with Stripe only over HTTPS.”

HTTP Strict Transport Security (HSTS) is a web security policy mechanism which is necessary to protect secure HTTPS websites against downgrade attacks, and which greatly simplifies protection against cookie hijacking. It allows web servers to declare that web browsers (or other complying user agents) should only interact with it using secure HTTPS connections,[1] and never via the insecure HTTP protocol. HSTS is an IETF standards track protocol and is specified in RFC 6797.

“Stripe.js is served only over TLS.”, “All of our official libraries connect to Stripe’s servers over TLS and verify TLS certificates on each connection.”
Due to the POODLE security hole, Stripe no longer uses the SSL protocol.

How does an SSL cert work?

  • Your browser visits a website that uses SSL, such as a login page.
  • Your browser sends a request to the server, asking that it identifies itself. After all, before you give your information to someone, you want to know they’re someone you can trust.
  • The server sends your browser a copy of the SSL certificate it uses.
  • Your browser checks that certificate to see if it’s trustworthy, making sure it’s legitimate and that it hasn’t expired. If it checks out, it sends a reply to the server.
  • The server then sends an acknowledgement of trust and begins an encrypted session, as indicated by the lock icon, HTTPS URL, green taskbar or other signifier in use.
  • From this point forward, traffic between your browser and that webpage is encrypted.

What exactly does SSL protect?

It protects your site from man-in-the-middle attacks by encrypting your data from the front end to the server and vice versa.

What are the SEO benefits to have an SSL cert?

This is to become another blog post coming soon.

Google Starts Giving A Ranking Boost To Secure HTTPS/SSL Sites

SEO considerations when moving from HTTP to HTTPS

How to obtain an SSL cert for your domain? and how much does an SSL cost?

Prices as at May 2016.

personal $11.69/yr
Essential SSL $37.65/yr – free site seal
Extended Validation green bar $188.27/yr

strong standard $175/yr
extended green bar $295/yr

personal $90.99/yr
organisation $127.99/yr
trust seal $23.99/yr

Secure $740/yr
Secure with EV $1,590/yr

Does the SSL cert expire?

Yes, the certificate will expire when you stop paying for it. So if you pay for only 1 year, you need to do the whole install process again.

“Renewing a Certificate is considered as issuing a new one, since your organization still has to be verified with every renewal. Save the hassle to do it every year, with 2 Years or more Years Certificates.”

Why do some sites use a subdomain for SSLs? ie –

“why use secure subdomain for HTTPS?”
“benefit to using secure. subdomain for HTTPS?”
There doesn’t seem to be any benefit to this. As far as I can see, you can apply the SSL certificate to the subdomain only and then use that subdomain to host the pages which you want secured.

How to install an SSL cert on a linux server running apache?

Bought one of the cheapest SSL certs, $9/yr.

  1. Generate CSR
  2. Select web server
  3. Submit the digital certificate order form
  4. Select approver/admin email
  5. Submit

Namecheap Instructions:

AWS Beanstalk Instructions:

AWS Bitnami Instructions:

Symantec Support:


Digital Certificate Order Form

Bitnami Apache Generate CSR

** first backup your original keys **

#create private key
sudo /opt/bitnami/common/bin/openssl genrsa -out /opt/bitnami/apache2/conf/server.key 2048

#create CSR
sudo /opt/bitnami/common/bin/openssl req -new -key /opt/bitnami/apache2/conf/server.key -out /opt/bitnami/apache2/conf/cert.csr

#copy out your CSR to send off for a certificate
cat /opt/bitnami/apache2/conf/cert.csr

#create temporary self signing cert
sudo /opt/bitnami/common/bin/openssl x509 -in /opt/bitnami/apache2/conf/cert.csr -out /opt/bitnami/apache2/conf/server.crt -req -signkey /opt/bitnami/apache2/conf/server.key -days 365


cat /opt/bitnami/apache2/conf/server.csr
cat /opt/bitnami/apache2/conf/server.key

Digital Certificate Order Form 2

bitnami 2

** Make sure you copied cert.csr not server.csr. **

Digital Certificate Order Form 3

** can’t use gmail for email address ** …

** This happened because the common name cannot be your own name; it needs to be the domain name, or the subdomain where the cert is being served **

bitnami 3


SSL Certificate Validation

Then within 24 hours.

SSL Certificate Validation 2

Unzipped certs.


Create ca-bundle file
Creating your own bundle:


Join the 3 files.


Save as 4. Save newly created file as ‘’.

Add to bitnami/bitnami.conf
SSLCACertificateFile “/opt/bitnami/apache2/conf/COMODO_DV_SHA-256_bundle.crt”
(this is essentially a copy of your ca-bundle file saved as .crt)


[email protected]:/opt/bitnami/apache2/conf$ sudo /opt/bitnami/ restart apache
AH00526: Syntax error on line 58 of /opt/bitnami/apache2/conf/bitnami/bitnami.conf:
SSLCertificateFile: file ‘/opt/bitnami/apache2/conf/server.crt’ does not exist or is empty
apache config test fails, aborting
AH00526: Syntax error on line 58 of /opt/bitnami/apache2/conf/bitnami/bitnami.conf:
SSLCertificateFile: file ‘/opt/bitnami/apache2/conf/server.crt’ does not exist or is empty
apache config test fails, aborting
[email protected]:/opt/bitnami/apache2/conf$

rename server.crt to domain.crt.

Oh boy https is now showing phpinfo().


Change the conf document root and directory.


Restart apache.

YAY it’s working.


Now we want everyone to start using HTTPS; we can do this via the Apache conf for port 80.


How to force HTTPS access?

If you only want to force this redirection for one of your applications (such as WordPress), then you will need to add this in the application configuration file for Apache.

It depends on your current Apache configuration, but in most cases it should be enough to add the following lines in the default Apache virtual host configuration file. Edit the “/opt/bitnami/apache2/conf/bitnami/bitnami.conf” file and add the following code into the section:

DocumentRoot “/opt/bitnami/apache2/htdocs”
RewriteEngine On
RewriteCond %{HTTPS} !=on
RewriteRule ^/(.*) https://%{SERVER_NAME}/$1 [R,L]

Enable non-www version of site.


robots.txt (update it!)
User-agent: *

Do you need to add https to your sitemaps?

Does it matter at all?
“You can serve your sitemap in both versions, that won’t be any problem and won’t trigger the duplicate content issue. So you are safe both ways.”

Do you need to register the https version of the site in google webmaster tools?

No. Research says “I don’t think so”.
However, I’ve added it to Webmaster Tools and it looks to have picked it up.


But Google says yes:


What is a

“Extract all of the contents of the ZIP file that was sent to you and copy/move them to your server. The extracted contents will typically be named: yourDomainName.crt and ”
“Note: If you received several .crt files in your ZIP file please use this article to make”–mod_ssl

Make a ca-bundle from your certificates.

Does SSL cert work on mobile browsers?

– I just tried the site on my Android Galaxy 5 and it complained about the security certificate not being trusted. Oh boy.


also iPad is complaining…. grrrr


Submitted support request

Hi, my new SSL certificate is not working on mobile or iPad.

I’ve tried on:
1. Samsung Galaxy 5
2. iPad 4

Screenshots attached.

Any ideas why? Is it a setup issue?


What is the SSL POODLE security hole?

Poodle was a design flaw in SSL version 3.0 (October 2014). So now SSL 3.0 is evil and no longer being used.
“Starting today, new Stripe users will not be able to send API requests or receive webhooks using SSL 3.0.”
“On November 15, 2014, we will drop SSL 3.0 support entirely (including for Stripe.js and Checkout).”

How can you test your SSL cert is working with Stripe?
“We recommend using the SSL Server Test by Qualys SSL Labs to make sure you have everything set up in a secure way.”

Example test results

Some issues with certificate chain?


Protocol is good, no SSL 3


Encryption is weak?

Something wrong with mobiles could be this!


RC4 in TLS is broken:

– “Start warning our users about RC4 weaknesses. RC4 is demonstrably broken and unsafe to use in TLS as currently implemented. The difficulty is that, for public web sites that need to support a wide user base, there is practically nothing 100% secure they can use to replace RC4. We now have no choice but to accept that, no matter what settings we use, some segment of the user base will be at risk.”

Mozilla SSL Configuration Generator

# intermediate configuration, tweak to your needs
SSLProtocol all -SSLv2 -SSLv3
SSLHonorCipherOrder on

What I currently have:

Upgraded it but didn’t make mobile work!

Although a retest shows the RC4 is gone.

SSL Certificate Compatibility on Mobile Devices

Because mobile devices (such as Windows Mobile, Blackberry, iPhone, and Symbian OS) are much more difficult to update than normal web browsers, many root certificates are only included in newer mobile devices. This is important to understand if you have users with older mobile devices. However, most major providers are compatible with the majority of mobile devices/cell phones. But if you need to support older devices, make sure to research your compatibility list of the certificate provider that you decide on using the links below.

Another tool:



Support suggested:

Yet another tool:

Nice it shows you cert chain!


I’m missing this in httpd.conf:

SSLCACertificateFile “/ssl/bundle.crt”
so I added it to the bitnami conf:
SSLCACertificateFile “/opt/bitnami/apache2/conf/COMODO_DV_SHA-256_bundle.crt”

And it worked! woo!
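To turn the three problems found above (SSLv3 still enabled, RC4 still in the cipher list, and no SSLCACertificateFile so the intermediate chain is missing and mobile browsers reject the cert) into something checkable, here is an added Python audit of the SSL directives in an Apache vhost. It is my own example, not code from the original post, Bitnami or Comodo; both config snippets are constructed samples in the shape of the page’s bitnami.conf, not the author’s real file.

```python
import re

# Constructed sample: an SSL vhost with the weak settings this page ran into
# (SSLv3 not disabled, RC4 offered, no intermediate bundle). Not a real config.
WEAK_CONF = """
<VirtualHost _default_:443>
  DocumentRoot "/opt/bitnami/apache2/htdocs"
  SSLEngine on
  SSLProtocol all -SSLv2
  SSLCipherSuite RC4-SHA:AES128-SHA:HIGH:!aNULL
  SSLCertificateFile "/opt/bitnami/apache2/conf/server.crt"
  SSLCertificateKeyFile "/opt/bitnami/apache2/conf/server.key"
</VirtualHost>
"""

# Constructed sample: the same vhost after applying the page's fixes.
FIXED_CONF = """
<VirtualHost _default_:443>
  DocumentRoot "/opt/bitnami/apache2/htdocs"
  SSLEngine on
  SSLProtocol all -SSLv2 -SSLv3
  SSLHonorCipherOrder on
  SSLCipherSuite HIGH:!aNULL:!RC4:!MD5
  SSLCertificateFile "/opt/bitnami/apache2/conf/domain.crt"
  SSLCertificateKeyFile "/opt/bitnami/apache2/conf/server.key"
  SSLCACertificateFile "/opt/bitnami/apache2/conf/COMODO_DV_SHA-256_bundle.crt"
</VirtualHost>
"""

DIRECTIVE = re.compile(r'^\s*(SSL\w+)\s+(.*?)\s*$')


def parse_ssl_directives(conf_text):
    """Return {directive: value} for every SSL* line, with surrounding quotes removed."""
    found = {}
    for line in conf_text.splitlines():
        m = DIRECTIVE.match(line)
        if m:
            found[m.group(1)] = m.group(2).strip('"')
    return found


def audit_ssl_vhost(conf_text):
    """Return a list of findings; an empty list means none of the checks fired."""
    d = parse_ssl_directives(conf_text)
    findings = []
    tokens = d.get("SSLProtocol", "all").split()
    # 'all' or an explicit SSLv3 without a matching -SSLv3 leaves POODLE reachable
    if "-SSLv3" not in tokens and ({"all", "SSLv3", "+SSLv3"} & set(tokens)):
        findings.append("SSLv3 not disabled: vulnerable to POODLE, add -SSLv3")
    if d.get("SSLHonorCipherOrder", "off").lower() != "on":
        findings.append("SSLHonorCipherOrder off: the client picks the cipher")
    ciphers = d.get("SSLCipherSuite", "")
    if "RC4" in ciphers and "!RC4" not in ciphers:
        findings.append("RC4 offered: RC4 in TLS is broken")
    if "SSLCACertificateFile" not in d and "SSLCertificateChainFile" not in d:
        findings.append("no intermediate bundle: incomplete chain, mobile browsers will not trust it")
    return findings
```

Run it on your own bitnami.conf by reading the file into audit_ssl_vhost(); an empty result for FIXED_CONF shows the page's corrections clear all four checks.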


Why are some SSL certs so cheap?

This site even offers free SSL certs!
I guess the old saying applies: “you get what you pay for!”.
It is also stated that:
For the purposes of this discussion there are only a couple differences between web signing certificates:

  1. Extended vs standard validation (green bar).
  2. Number of bits in a certificate request (1024/2048/4096).
  3. Certificate chain.

How do I get the green address bar?


I’ve seen some secure sites show a green address bar. Also known as High level trust indicator.


Do I use HTTPS on local development or just external servers?

“SSL HTTPS on local development tips” and what about WAMP?

Transferring certificates via git doesn’t work, and you can’t manually FTP them either…

However, if you FTP to the level above htdocs, then you can upload them.


Install Comodo certificates on Apache OpenSSL



Sites using SSL are on the rise!
Gone up from 15,000 to 25,000 of the top 1 million sites from 2014 to 2015.

SSL by default

Should I make my whole site HTTPS or just the payments page?

“HTTPS single page of entire site?”
“Just have SSL for logged in users?”

  • There is only a minimal overhead increase in protecting the whole site.
  • It takes a bit longer for the handshake between the browser and the server to validate you into a secure connection.
  • It’s not just the payments page you should consider, but login pages and any other pages which hold private data.

Common areas to consider:

  • Is there sensitive data on your whole site, or just on a finite set of pages?
  • Is it going to be easy to implement SSL on some pages, rather than all pages?
  • Are you dealing with any credit card data?
  • Do you have users that log into your site and member pages with private data?
  • Do you capture data through forms? What sort of data is it?

Pros of whole site SSL:

  1. Technically it is easier to setup
  2. Avoids confusion about which pages/routes are secure and which are not
  3. It’s more secure “Having SSL across your entire site limits the ability of phishers to pull off impersonation attacks on your site.”

Cons of whole site SSL:

  1. Server overhead increased
  2. CDN may face challenges with HTTPS
  3. Subdomains need their own certificate (or you can get a wildcard SSL certificate) ” A single certificate, called a wildcard certificate, solves this problem, except it doesn’t work for the simple “
  4. There may be problems with Ad networks (similar to that of the CDN)
  5. Some SEO tools may be restricted access by HTTPS

“The common recommendation is to use SSL for the parts of your site that necessarily need security. Login pages, sensitive submission forms and other such traffic needs to be encrypted, so you need at least that basic level of SSL use.”

How would you set up SSL for a single page or multiple pages/sections of the site only?

“apache openSSL specific page”

/account (dash/logged in areas)
/account (subscribe)
/account/subscribe (subscription payment routes)
/account/updatePaymentMethod (subscription payment routes)
/admin (logged in areas)

Laravel 5 support for SSL
– this is using routes middleware only and should probably be done at the server level.

Does maxcdn support SSL?
Short answer: yes.


How to rewrite your urls to use https instead of http?

Redirect to a www version.

OR if you prefer to redirect to a non-www version.


Other SSL gotchas!

“For each of your pages, make sure all included resources (JavaScript, CSS, images etc.) are being served over SSL/TLS. Not doing this results in the infamous mixed content warning.”
“If you’re using Stripe’s webhooks, it’s worth having an SSL/TLS endpoint to avoid traffic being intercepted (card numbers are never sent with webhooks, though).”

“the hosting company must allow installation of third-party certificates.”

“All SSL certificates are now being signed with the SHA-2 hashing algorithm, because SHA-1 is considered insecure and its support will soon be fully deprecated.”

RSS – “FeedBurner isn’t compatible with HTTPS.”

Social Share counts are sometimes lost, and sometimes social networks transfer them over.

You need to open the HTTPS 443 security group on AWS.


– (Optional) Force HTTPS in wp-config using FORCE_SSL_ADMIN:

Now I’m not able to connect to phpMyAdmin through the AWS terminal using the pem key.

Says connection refused.

webpage not available

“Note: Editing existing server.keys, and other cert files will break access to phpmyadmin (e.g.”

Oh boy… lucky I backed up the originals!


But I have now overwritten the server’s CSR!!!
It seems you might be able to regenerate it, but only if you still have the original server.key. Doh.

Re-issued cert.


We’re back baby!


If you try 443 instead of 80:

ssh -N -L 8888: -i ngmodules.pem [email protected]

bad request

BUT if you add https://localhost:8888/phpmyadmin it works!!! Voila!

connection not private


Another gotcha is if you have any social logins you need to update the app callback urls to be https.


Another gotcha is that Google may “unindex” all of your pages.
“switching to https google unindexed my pages”
As I found out in Google Webmaster tools.

However, now the www. version is indexed… wtf?


Even though my site setting is still non-www preferred.

Another gotcha is when you’re trying to verify ALL versions of the domain in Webmaster Tools.
If you have a redirect to the www. or https version, you are unable to verify the non-www version.

Just click alternative methods and upload the HTML to verify that way.

Example SSL Seals.


Hi Stuart, why did you give this example in the graph? “(N.B. this was a standard migration and not a HTTP to HTTPS migration, however the move is essentially the same and as you can see, this particular website hasn’t yet fully recovered):” Is this not misleading? Also you failed to mention that some SEO tools may be restricted by using HTTPS, and similarly with some CDN and ad networks. Also you didn’t mention that site speed is also affected by the switch to HTTPS (although it may be a minor increase, it’s still worth mentioning response times and server overheads). There are also other things you need to consider, like do you have subdomains? They require extra certificates; you can get wildcard certs but they don’t work for the simple There are also heaps of other things that are worth mentioning, including FeedBurner’s lack of support for HTTPS, social share counts being affected or reset, and hosting companies not providing support for third-party certificates.

Thanks for reading, questions welcomed!

Categories: SSL
Sam Deering is a web developer from England (currently living in Australia). In his spare time he enjoys coding, playing chess, reading and investing.
