Setting up your secure server.
I signed up for the Strictly Business plan, which comes with the secure server feature. What is a secure server, and how do I get it set up?

A secure server encrypts information sent from a visitor to your site.

If your site processes information submitted by CGI, you may wish to use the secure server feature to encrypt that information en route. For example, if a page on your site takes ordering information (like credit card numbers), your customers may be more comfortable submitting information if they know that it cannot be snooped on while in transit.

Is Formmail also covered by the secure server?

Unfortunately, formmail is not covered by the secure server. The reason is that formmail uses the sendmail protocol, while the secure server encrypts everything passed through https. It is suggested to use PGP with formmail.

Who Needs A Secure Server?

Generally, you only need a secure server if your site requests sensitive information from its visitors (credit card numbers, social security numbers, etc). Your site probably doesn't need to use the secure server feature if there is no interaction with your visitors.

What Secure Server Options Do I Have?

To set up a secure server, you need to get a certificate from any Certification Authority (CA). There are many to choose from. We currently recommend GeoTrust.com but you can also get certificates from any other CA such as Thawte.com, Verisign.com, or InstantSSL.com.
This certificate allows you to have your secure server directory appear at a URL in the following form:

https://secure.yourdomain.com/ (notice the 's' in https)

Each CA has a different ordering process. We'll be giving information based on GeoTrust.com's ordering process. To issue a certificate, GeoTrust asks for a certificate signing request, or CSR. The CSR holds important information that matches the private KEY it is created from. That information is then used to create the certificate. KEY/CSR generation costs just $10 through the DreamHost panel, or you can do it on your own if you have openssl installed on a machine you use. Strictly Business now comes with one free certificate that we buy for you. (All renewals are paid for while you are hosted with us!)
****You can use certificates from other trusted authorities such as Verisign, but we are most comfortable working with GeoTrust.****

If you do not wish to upgrade to the Strictly Business plan, you can still add a secure server to your current plan.

The cost is actually for an IP add-on plan, which is a $15 setup fee and $4.95/month (plus the cost of your certificate). A year prepay will get the setup fee waived. The IP add-on is purchased through the Billing:Services area of the web panel. Just click on the parent plan that owns the domain (i.e. Crazy Domain Insane, Code Monster, Strictly Business); there is then an option to add the IP.

How To Get Set Up With Your Own Certificate

To get set up with your own certificate, you first need to add an IP to the domain you want to secure. Then click the add services button from Domain::Manage and click to add secure service, or click add "https" service from Domain::Web. This takes you through a secure certificate request wizard, which asks for the information needed to make the CSR and KEY. Following the directions in the Goodies::Secure Server panel, you will be given your CSR (certificate signing request), which is used to request a certificate from GeoTrust.com. If you don't use our automatic CSR/KEY generation panel, note that our web server software is Apache-ModSSL; Apache-SSL will also still work, but ModSSL is the official one. Make sure that you go through this panel only once, or you will completely delete the CSR and KEY that were on file. If you do go through the process twice, make sure that you use the last CSR you received, or else your CRT won't match your KEY, which will cause problems and possibly lead to you having to buy a second certificate.
Once the process of going through the panel is almost finished, you will see a series of numbers and letters - this is your Certificate Signing Request code (which you should make a backup of). You will need to visit GeoTrust's signup page at:

https://products.geotrust.com/ssl/quickssl.do (this is for QuickSSL for $119, Strictly Business customers get QuickSSL Premium certificates which retail at $159)
Here's the list of products that GeoTrust has to offer: http://geotrust.com/web_security/index.htm

...and submit this along with the other information that GeoTrust requests. Fill out the entire form, making sure to completely read the instructions that GeoTrust provides.
****Don't forget to click continue on the page where you get your CSR on the DreamHost panel; this will set up a test certificate for you, which will allow you to test your site securely before your certificate arrives.****

Once your certificate arrives you will get an email from GeoTrust giving you a URL to approve your certificate from. That approval email is sent to an email address you choose in the GeoTrust ordering process. After you approve the certificate you will then be emailed the certificate, which is just code that looks similar to the CSR. Log into the DreamHost panel. From here you just need to edit the "https" service for the domain you want secure. On the following page you will just need to update your certificate, since the key that is already securely on file will be used. You should get a message saying the certificate was successfully installed. For faster SSL service you should then contact techsupport and ask them to restart your webserver so that your SSL certificate will work immediately.
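
The requirement above that the CRT match the KEY (and the CSR it was issued from) can be checked with openssl before a certificate is installed. The following is an added example, not part of the original DreamHost article or its panel tooling; the file names, the secure.example.com subject and the self-signed certificate standing in for a CA-issued one are constructed for illustration.

```sh
#!/bin/sh
# Added example (not DreamHost's tooling): check that a CSR and a certificate
# carry the same public key as the private key before installing the certificate.
# File names and the subject CN are constructed placeholders.

# Print the SHA-256 digest of the public key inside a key, CSR or certificate.
pubkey_digest() {
    case "$1" in
        key)  pem=$(openssl pkey -in "$2" -pubout -passin pass: 2>/dev/null) || return 1 ;;
        csr)  pem=$(openssl req  -in "$2" -noout -pubkey 2>/dev/null) || return 1 ;;
        cert) pem=$(openssl x509 -in "$2" -noout -pubkey 2>/dev/null) || return 1 ;;
        *)    return 2 ;;
    esac
    printf '%s\n' "$pem" | openssl dgst -sha256 | awk '{print $NF}'
}

# Succeed only if the file $2 (of kind $1) matches the private key in $3.
matches_key() {
    want=$(pubkey_digest key "$3") || return 1
    got=$(pubkey_digest "$1" "$2") || return 1
    [ "$want" = "$got" ]
}

# Build constructed sample material: two keys, a CSR per key, and a
# self-signed certificate standing in for the one a CA would issue.
make_samples() {
    dir=$1 subj="/CN=secure.example.com"
    openssl genrsa -out "$dir/first.key" 2048 2>/dev/null &&
    openssl req -new -key "$dir/first.key" -subj "$subj" -out "$dir/first.csr" &&
    openssl genrsa -out "$dir/second.key" 2048 2>/dev/null &&
    openssl req -new -key "$dir/second.key" -subj "$subj" -out "$dir/second.csr" &&
    openssl x509 -req -in "$dir/first.csr" -signkey "$dir/first.key" \
        -days 1 -out "$dir/first.crt" 2>/dev/null
}

demo() {
    tmp=$(mktemp -d) || return 1
    make_samples "$tmp" || { rm -rf "$tmp"; return 1; }
    # Certificate issued from the first CSR, but the key on file was regenerated.
    if matches_key cert "$tmp/first.crt" "$tmp/second.key"; then
        echo "certificate matches key on file"
    else
        echo "MISMATCH: certificate was issued for a different key"
    fi
    rm -rf "$tmp"
}
demo
```

When you generate the key yourself, run matches_key against the CSR before submitting it and again against the certificate the CA returns.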

If you want DreamHost to install the certificate you will need to use us as your technical contact. The information you will use is as follows:
First Name: SSL
Last Name: Support
phone number: 213-947-1032
email address: ssl@dreamhost.com

Last updated: Sep 23, 2005.

User Post (2005-12-30 16:46:27 by scooterso)
If I have a CSR generated by another program, but don't have an RSA, how can I sign up at Dreamhost? Where can I get an RSA from?
User Post (2005-11-12 18:04:30 by cgtyoder)
Why pay for an SSL cert at all? I got mine free from cert.startcom.org. (You still have to pay $20 for Class 2 Cert.) Now I have to decide if I want to shell out $60/year for a "unique IP addr." Is there a way to get at my apache config files without going through the "unique IP" setup?
User Post (2005-09-26 10:53:39 by gilsson)
For anyone trying to create their own CSR using openSSL, it's really quite easy.

SSH or Telnet into your dreamhost account and execute these two commands:
1: openssl genrsa -out privkey.pem 2048 (which generates your private key for your certification request, no password included because it's a bad idea on dreamhost)
2: openssl req -new -key privkey.pem -out cert.csr (which takes your private key [stored in privkey.pem by the first command] and generates a certification request, stored in cert.csr)

Then just take your cert.csr file to your local friendly certification authority and get your certificate.

Please note from the above documentation: Some info you may need to know if you don't use our automatic CSR/KEY generation panel is that our web server software is Apache-ModSSL, Apache-SSL will also still work, but ModSSL is the official one.

For more information, see:
http://www.openssl.org/docs/HOWTO/keys.txt
http://www.openssl.org/docs/HOWTO/certificates.txt
User Post (2005-06-04 07:17:51 by eldudebrothers)
RapidSSL and GeoTrust resellers: www.SSL247.com - single root install certs from $30, and GeoTrust certs for LESS than GeoTrust themselves sell at.
User Post (2005-04-22 13:54:40 by pnelson)
As an answer to the question above:

Yes, I created my own CSR and private key using OpenSSL. My suggestion to you is that you DO NOT .... *DO NOT* ... password protect your private key if you want your certificate to work with DreamHost.

I paid around $169 for a certificate at GeoTrust and followed their instructions exactly on creating a CSR. DreamHost *didn't* indicate that the following error would occur once I had a valid certificate and private key to submit on my control panel if I had used a password with my private key (like any sane individual would):

error: private key can not be password protected.

There you have it. That's how Dreamhost will get you to pay them an extra $10. Otherwise, you'll suffer from being misinformed. Until now...
User Post (2005-02-11 15:05:00 by birwin)
A better web site for comparing certs is http://www.sslassistant.com. They are not associated with any CA Authority.
User Post (2004-07-14 09:25:06 by birdsong-org)
There is a newly formed (mid 2004) FREE Certificate Authority.
See: http://www.cacert.org

User Post (2004-03-31 13:17:41 by cpwr49)
If you want to go with GeoTrust, here is a way to save some money. First go to www.freessl.com and buy their $5, 30-day certificate and install it. Then sign up for QuickSSL at GeoTrust, and they will treat your new order as a renewal for $129 for 14 months instead of $159 for 12 months. Humm, maybe I should have read the above as the reason I went to GeoTrust is that I was getting a trust warning with freessl and I should have asked DH if there was anything they could do about it first.
User Post (2004-01-24 17:45:41 by acerath)
Pls take a look at the following website before anything.

http://www.sslreview.com/

I think it's the most informative so far.
User Post (2003-12-30 20:09:00 by ctss)
Make sure that the email program that you use to receive your certificate DOES NOT REMOVE EXTRA LINE BREAKS (like Outlook) when you get your new certificate. The certificate MUST be EXACTLY as it was sent to you, and what Outlook considers "extra" line breaks are a required part of your certificate. Thanks Jeff for pointing me in the right direction!

If it does strip out the extra line breaks, you should be able to get a look at the unadulterated certificate (in Outlook, you just click where it says to replace the "extra" line breaks). This will get you the actual certificate, and the web panel will not have any trouble with it.
User Post (2003-12-10 14:45:11 by sc0tt)
Be aware that www.whichssl.com is owned by Comodo, so don't expect it to be unbiased. That being said, I got my certificate through comodo and have been happy with it. Looks like the best deals out there are with comodo and freessl.com. Both have certs less than $50 a year.
User Post (2003-03-06 17:31:35 by seiler)
I went with InstantSSL.com -- great deal. When I first installed it, there was a trust-warning, because DH had to install certs on their end. I sent the request through support and Ralph had it all setup in no time.

You also get a nice discount when you pay for more than one year.

My main reason for choosing them over Geotrust wasn't just price, but because it's more browser-compatible.
User Post (2003-02-21 23:27:33 by scoob)
Before choosing QuickSSL, you may want to have a look at:
http://www.whichssl.com/faq/compatibility.html
http://www.whichssl.com/faq/contents.html and http://www.whichssl.com/faq/index.html

InstantSSL comes with a $2500 insurance for a mere $69/year
and it does not have the "org not validated" problems of GeoTrust.
Check them out at:
http://www.instantssl.com/products/ssl.html

Now if you still want to go with GeoTrust, the cheapest
place I found for their QuickSSL certificate is through
RackShack.net for $49/year. I don't think there's any
problem getting it through them to use on DreamHost.
http://www.rackshack.net/english/quickssldetails.asp


Thawte is now at $200/y and Verisign at $900.
What a joke!

PS: Anyone successfully extracted their own CSR using
openSSL???