This article describes how cPanel & WHM processes SSL (Secure Sockets Layer) certificate requests, and how Apache processes SSL requests.
The information here is intended for experienced systems administrators. As of cPanel & WHM version 68, only TLS (Transport Layer Security) protocol version 1.2 is supported, and only applications that use TLSv1.2 are supported. You should therefore make sure that TLSv1.2 is enabled on your server. Note that the domain-indexed SSL storage used by services other than Apache is referred to here as Domain TLS.
Name-based and Virtual Host Match
Most of the SSL-enabled services that cPanel deploys support simple name-based SSL. When a client requests an SSL certificate for a certain domain, the service performs one of the following actions.
If a matching certificate exists, the service responds with the certificate that matches the requested domain.
If no matching certificate exists, the service uses its default SSL certificate.
Apache SSL Certificates
Apache does not follow the logic described above. When a client requests an SSL certificate for a certain domain, Apache performs the following actions.
It determines the virtual host that hosts the domain.
It responds with the certificate for that virtual host.
Apache cannot match a certificate directly to a domain. It serves the virtual host’s certificate even if that certificate does not match the domain, and it serves the same certificate for every request that matches a given virtual host. Because of this limitation, Apache’s domain-indexed SSL storage differs from that of the other services.
To simplify the process, cPanel & WHM exposes only a single set of API functions for installing and removing SSL certificates. When a user or an administrator installs an SSL certificate, that installation applies to a particular Apache virtual host. This affects both Apache and the services that support name-based SSL. Once the Apache installation completes, the system copies the certificate to Domain TLS for every domain on the virtual host that matches the certificate. A few important points apply here.
The system copies the certificate to Domain TLS only if the certificate passes OpenSSL’s validity check. This check runs daily.
In cPanel & WHM version 66 and later, the system removes certificates from Domain TLS when they fail validation or when they will expire within one day.
Certificate removal follows the same pattern: the system removes the Domain TLS entries for all domains on the virtual host that match the certificate.
If an SSL certificate and key do not pair correctly, Apache cannot start with SSL enabled. Run the following commands to verify that they pair correctly:
openssl x509 -noout -text -in filename.crt
openssl rsa -noout -text -in filename.key
In these commands, “filename” is a placeholder for the name of the certificate and key files.
If the modulus and exponent returned for each file match, the certificate and key pair correctly.
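The pairing and expiry checks described above, collected into a small POSIX shell script. This is an added example, not code from cPanel or from this article; the function names check_pair and check_not_expiring are my own, and the script assumes an RSA certificate and key (the openssl rsa command does not read EC keys).

```shell
#!/bin/sh
# Added example: compare the RSA modulus of a certificate and a key, which is
# the same comparison the article's two openssl commands rely on, and check
# whether the certificate would be dropped from Domain TLS because it
# expires within one day (the rule the article gives for version 66+).
# Usage: check_pair filename.crt filename.key ; check_not_expiring filename.crt

# Print the modulus line ("Modulus=...") of a certificate.
cert_modulus() {
    openssl x509 -noout -modulus -in "$1" 2>/dev/null
}

# Print the modulus line of an RSA private key.
key_modulus() {
    openssl rsa -noout -modulus -in "$1" 2>/dev/null
}

# Returns 0 when certificate and key share a modulus, 1 on mismatch,
# 2 when either file could not be read as an RSA certificate/key.
check_pair() {
    cert="$1"
    key="$2"
    c=$(cert_modulus "$cert")
    k=$(key_modulus "$key")
    if [ -z "$c" ] || [ -z "$k" ]; then
        echo "could not read an RSA modulus from $cert or $key" >&2
        return 2
    fi
    if [ "$c" = "$k" ]; then
        echo "certificate and key pair correctly"
        return 0
    fi
    echo "MISMATCH: $cert does not belong to $key" >&2
    return 1
}

# Returns 0 if the certificate stays valid for more than 86400 seconds
# (one day), i.e. it would remain in Domain TLS; returns 1 if it expires
# within a day and would be removed by the daily check.
check_not_expiring() {
    openssl x509 -noout -checkend 86400 -in "$1" >/dev/null 2>&1
}
```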
Service-default SSL Certificates
Non-Apache services use service-default SSL certificates, which administrators can manage through WHM. These services serve the default SSL certificate to the client only when no certificate in Domain TLS matches the domain the client requested. FTP is the only service that does not support name-based SSL.
In cPanel & WHM version 66 and later, when an administrator installs a service-default SSL certificate, the system compares that certificate with the contents of Domain TLS. For each domain on the default certificate, the system installs the new certificate to Domain TLS, but only if Domain TLS does not already hold an SSL certificate with higher-grade identity assurance for that domain. This ensures that the system serves the highest-grade SSL certificate for every request to each non-Apache service.
Before concluding, let us mention that HTS Hosting provides free SSL certificates with all of our Windows as well as Linux-based Shared Hosting Plans. Apart from shared hosting, we provide various web hosting plans that are designed to cater to the different budgets and requirements of website owners. Our affordable and high-quality web hosting plans have helped us earn the reputation of being the “Best Linux Shared Hosting” as well as the “Best Windows Shared Hosting” service provider all over the world.