Should you require intervention on an SSL certificate that is advising of its expiry at an upcoming date, please reach out to your Absorb representative (Client Success Manager or Account Manager). If your issue is urgent, our Client Advocacy team is here to help; contact them through this form.
An SSL certificate is used primarily for two reasons: encryption and authentication. To most Users, this means seeing the trusted green lock next to the URL and no warnings from the browser. Behind the scenes, it is a little bit more complicated, but we’ll keep it high level here. To start, let’s break down what we mean by authentication and encryption.
Authentication
Imagine you want to receive a letter. How does the post office know that your house is your house? That authority rests with the government, the third party who declares that your house is your house and that you live there. In some ways, SSL certificates function the same way. Your website is like your house, and the way that you establish that your website is yours is through declaration and verification by a third party (like DigiCert). When you attach an SSL certificate to your website, you have to go through some validation and verification steps to prove that you own the domain, and then a certificate authority will issue the certificate.
Encryption
When you interact with a website, you deserve to have your communications kept between you and the website. Continuing our letter analogy from above, encryption is like transmitting your letter in a secret code so that only you and your intended recipient can read it. With SSL certificates, the website provides a public key that is used by your browser to encrypt the communications, which can only be decrypted by the website which holds the private key. These keys are generated using pretty complicated math and can only be used with each other. Using different keys on either side will result in a failed decryption, making the message unreadable without these secret codes.
Hosted with Managed SSL
You may opt for Absorb to manage your SSL certificate for you. To issue your certificate, we require you to participate in a verification process. We will create DNS records for validation, which our certificate authority will then verify. After this, it is on Absorb to issue the certificate and ensure that it is kept up to date so that you and your Users do not encounter any browser warnings.
NB: You can help us with this by keeping the CNAME record we send you in place after getting your custom URL set up. If this record is ever deleted, there is a possibility that your site will experience an "SSL Not Trusted" error when it comes time for renewal.
Hosted SSL
When you choose to provide your own certificate, we will ask for the Public Key, Private Key, and Intermediate Certificate from your Certificate Authority. We need both keys because our web servers will need to encrypt and decrypt the communications received. We will also be unable to renew the certificate on your behalf, so you will need to contact Absorb before the certificate expires to submit the renewed certificate.
Glossary
Certificate Authority: A trusted third party who issues certificates, such as DigiCert, GoDaddy, or Let’s Encrypt.
Public Key: This is what is presented by the website for all browsers to use to encrypt their communications. It can come in different forms, but the most popular file extensions are .pem, .cer, and .crt. In most cases, this is what people call the certificate. If you open this file in Notepad or other text editors, it will usually start with -----BEGIN CERTIFICATE-----
Private Key: This is the secret key that is used by the website to decrypt traffic. These can come in a few different forms and are sometimes encrypted, in which case we need the password to decrypt them. They can look like .key, .pem, or .pfx. As with Public Keys, if you open them in Notepad they’ll start with -----BEGIN PRIVATE KEY-----. Sometimes they can start with -----BEGIN RSA PRIVATE KEY----- too.
DNS CNAME Record: When we ask for validation records to be created, we mean making the same type of record that you’ll create to make your custom URL happen. Here’s an example of what a verification record can look like in GoDaddy. Don’t worry too much about what it looks like, Absorb will provide you with records that you can copy and paste directly into the boxes provided:
We recommend setting your CNAME to "DNS-Only" instead of "Proxied" to prevent issues from third-party services acting as intermediaries. When CNAME records are set to "Proxied," services managing traffic or security may unintentionally alter data, causing unexpected behaviour in your LMS. Using "DNS-Only" ensures a direct, stable connection to our servers without any intermediate layers.
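A pre-submission check for the files described under Hosted SSL and in the glossary, as an added example that is not Absorb's own tooling: it splits PEM text on its BEGIN/END lines and reports whether a certificate, an intermediate certificate and one private key are present, and whether the key is encrypted and will need its password. The function names, report fields and sample bundle are assumptions constructed for illustration, and binary .pfx files are outside its scope.

```python
import base64
import re

# One PEM block: a label, then optional header lines and a base64 body.
PEM_BLOCK = re.compile(
    r"-----BEGIN ([A-Z0-9 ]+)-----\r?\n(.*?)\r?\n-----END \1-----", re.DOTALL
)
KEY_LABELS = {"PRIVATE KEY", "RSA PRIVATE KEY", "EC PRIVATE KEY", "ENCRYPTED PRIVATE KEY"}

def inspect_bundle(pem_text):
    """Classify the PEM blocks in a hosted-SSL submission (hypothetical helper)."""
    report = {"certificates": 0, "private_keys": 0, "key_encrypted": False, "problems": []}
    for label, body in PEM_BLOCK.findall(pem_text):
        lines = body.splitlines()
        # Password-protected traditional keys carry "Proc-Type: 4,ENCRYPTED" header lines.
        headers = [ln for ln in lines if ":" in ln]
        payload = "".join(ln.strip() for ln in lines if ":" not in ln)
        try:
            base64.b64decode(payload, validate=True)
        except ValueError:
            report["problems"].append(f"{label}: body is not valid base64")
            continue
        if label == "CERTIFICATE":
            report["certificates"] += 1
        elif label in KEY_LABELS:
            report["private_keys"] += 1
            if label.startswith("ENCRYPTED") or any("ENCRYPTED" in h for h in headers):
                report["key_encrypted"] = True  # the password must be supplied too
        else:
            report["problems"].append(f"unexpected block type: {label}")
    if report["certificates"] < 2:
        report["problems"].append("need the site certificate plus an intermediate certificate")
    if report["private_keys"] != 1:
        report["problems"].append("need exactly one private key")
    return report

def sample_block(label, headers=""):
    # Constructed placeholder body: valid base64, not real key or certificate material.
    body = base64.b64encode(b"constructed sample, not real " + label.encode()).decode()
    return f"-----BEGIN {label}-----\n{headers}{body}\n-----END {label}-----\n"

# Constructed bundle: site certificate, intermediate, and an encrypted RSA key.
SAMPLE = (sample_block("CERTIFICATE") + sample_block("CERTIFICATE")
          + sample_block("RSA PRIVATE KEY", "Proc-Type: 4,ENCRYPTED\nDEK-Info: AES-256-CBC,00\n\n"))

if __name__ == "__main__":
    print(inspect_bundle(SAMPLE))
```

The check only looks at block labels and encoding; it does not confirm that the private key belongs to the certificate or that the certificate is still within its validity period.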