Securing Connections with the SSL It! Extension
The SSL It! extension offers a single interface for keeping your websites secured with SSL/TLS certificates from the trusted certificate authorities (CAs) Let’s Encrypt and DigiCert (Symantec, GeoTrust, and RapidSSL brands) or with any other SSL/TLS certificate of your choice. Using the extension, you can also do the following:
- Enhance the security of your website’s visitors via redirects from HTTP to HTTPS.
- Protect your website’s visitors by prohibiting web browsers from accessing the website via insecure HTTP connections.
- Protect the privacy of your website’s visitors and improve the website performance with OCSP Stapling.
Getting started with SSL It!
To manage an SSL/TLS certificate of a domain, go to Websites & Domains > your domain. You can see the current security status of the domain under “SSL/TLS Certificates”:
Securing websites with SSL/TLS certificates
With the SSL It! extension, you can secure websites with free and paid SSL/TLS certificates (at the moment they are from DigiCert only) and also with SSL/TLS certificates you already own.
To secure a website with a free SSL/TLS certificate from Let’s Encrypt:
Go to Websites & Domains > your domain > SSL/TLS Certificates.
Under “More options”, click Install:
Specify the email address that will be used for urgent notices and lost key recovery.
Select what you want to secure in addition to the main domain:
- Secure the main domain name. Secure only the main domain. If you want to secure only the webmail, you can clear the checkbox.
- Secure the wildcard domain (including www and webmail). Secure the www subdomain and/or domain aliases, and the webmail.
- Include a “www” subdomain for the domain and each selected alias. Secure the www subdomain and/or domain aliases.
- Secure webmail on this domain. Secure the webmail.
- Assign the certificate to mail domain. Secure the mail with the IMAP, POP, or SMTP protocol. If you have the www subdomain and/or domain aliases, select the Include a “www” subdomain for the domain and each selected alias checkbox.
Click Get it free.
An SSL/TLS certificate from Let’s Encrypt will be issued and automatically installed.
Note
If you secure a domain with an SSL/TLS certificate from Let’s Encrypt and then add new domains, subdomains, domain aliases, or webmail to the subscription, you can have SSL It! automatically secure them by reissuing the SSL/TLS certificate from Let’s Encrypt. To do so, go to Websites & Domains > your domain > SSL/TLS Certificates and turn on the “Keep websites secured” option.
To get a paid SSL/TLS certificate:
Go to Websites & Domains > your domain > SSL/TLS Certificates.
To get the list of available certificates, click Get Certificates:
Select the SSL/TLS certificate you want to buy and click the Buy button in the certificate’s form.
Note
To find an appropriate certificate, you can do the following:
- Filter the available certificates. You can apply the “Recommended”, “Wildcard”, and “For organization use” filter sets.
- Read more about a certificate (its validity period, validation type, and so on) by clicking the Learn more button in the certificate’s form.
In the Plesk Online Store pop-up window, fill in your address, payment information, and then buy the certificate.
Close the pop-up window.
Wait until Plesk updates the payment status or update it manually by clicking Reload. Plesk automatically updates the payment status once per hour.
Once the payment has been processed, click Fill In Required Data.
Fill in the required contact information, and then click OK.
Plesk now automatically creates a certificate signing request (CSR) and then receives and installs the SSL/TLS certificate. It may take some time depending on the type of the SSL/TLS certificate. You can update the SSL/TLS certificate status manually by clicking Reload, or you can wait until Plesk does it automatically (Plesk checks the SSL/TLS certificate status once per hour).
Note
Certain types of SSL/TLS certificates (for example, EV) require additional actions on your part. You may need to answer a phone call or an email and also submit necessary documents so that the CA can validate your application.
Once the SSL/TLS certificate is installed, the Websites & Domains > your domain > SSL/TLS Certificates screen will show the information about the installed SSL/TLS certificate (name, certificate authority, email address, and so on), secured components, and other options (“Redirect from http to https”, “HSTS”, and so on).
Uploading SSL/TLS certificates
You may want to upload an SSL/TLS certificate in the following cases:
- You already have a certificate that you want to use to secure your domain.
- You want to install a certificate you cannot get via SSL It!.
To upload an SSL/TLS certificate:
Go to Websites & Domains > your domain > SSL/TLS Certificates and then click Upload.
Locate the .pem file of the SSL/TLS certificate you want to upload and then click Open.
The SSL/TLS certificate will be automatically installed on the domain.
Renewing installed SSL/TLS certificates
To make sure that your website is continuously secured, you need to renew the installed SSL/TLS certificate in a timely manner. The SSL It! extension can help you with that.
SSL It! automatically renews free SSL/TLS certificates from Let’s Encrypt and DigiCert 30 days in advance of their expiration.
SSL It! cannot automatically renew paid SSL/TLS certificates. However, you can do the following:
- Reissue them manually.
- Have SSL It! automatically replace expired SSL/TLS certificates with free ones from Let’s Encrypt.
To reissue paid SSL/TLS certificates:
Go to Websites & Domains > your domain secured with a paid SSL/TLS certificate that is going to expire > SSL/TLS Certificates.
Click Reissue Certificate. Then you will be automatically redirected to Plesk Online Store.
Fill in your address, payment information, and then buy the certificate.
Go back to Plesk (use the Back button in your browser).
Processing the payment takes some time. To update the payment status, click Reload. Plesk automatically updates the payment status once per hour.
Once the payment has been processed, click Fill In Required Data.
Fill in the required contact information and then click OK.
Plesk now automatically creates a certificate signing request (CSR) and then receives and installs the SSL/TLS certificate. It may take some time depending on the type of the SSL/TLS certificate. You can update the SSL/TLS certificate status manually by clicking Reload, or you can wait until Plesk does it automatically (Plesk checks the SSL/TLS certificate status once per hour).
To automatically replace paid expired SSL/TLS certificates with free ones from Let’s Encrypt:
- Go to Websites & Domains > your domain secured with a paid SSL/TLS certificate that is going to expire > SSL/TLS Certificates.
- Turn on “Keep websites secured”.
Now when your paid SSL/TLS certificate expires, SSL It! automatically issues a free SSL/TLS certificate from Let’s Encrypt to secure domains, subdomains, domain aliases, and webmail belonging to the subscription. It usually happens no later than one hour after the SSL/TLS certificate expires.
Unassigning SSL/TLS certificates
- Go to Websites & Domains > your domain whose SSL/TLS certificate you want to unassign > SSL/TLS Certificates.
- Click Unassign Certificate, and then click OK.
Enhancing security of your websites
Merely securing a website with a valid SSL/TLS certificate from a trusted CA is not enough to get all-round protection. SSL is a complex technology, which has a number of features (key encryption algorithm, OCSP stapling, HSTS, and much more) that can enhance the security of your website’s visitors and improve your website performance.
Enabling these features can improve your websites’ search engine rankings:
- Redirect from http to https sets up a permanent, SEO-safe 301 redirect from the insecure HTTP to the secure HTTPS version of the website and/or webmail.
- HSTS prohibits web browsers from accessing the website via insecure HTTP connections.
- OCSP Stapling makes the web server request the status of the website’s certificate (can be good, revoked, or unknown) from the CA instead of the visitor’s browser.
Caution
Before turning these features on, make sure that your website can be accessed via HTTPS without any issues. Otherwise, visitors may have trouble accessing your website.
To enhance the security of your websites:
Secure your website with a valid SSL/TLS certificate from a trusted CA.
Go to Websites & Domains > your domain > SSL/TLS Certificates.
Turn on “Redirect from http to https” if it is not already on. “Redirect from http to https” will be applied to both the website and webmail.
Note
If your webmail is not secured with a valid SSL/TLS certificate or you do not have any webmail, clear the “Include webmail” checkbox.
Turn on HSTS as described in “Enabling HSTS” below.
Note
If your SSL/TLS certificate expires earlier than the “Max-age” period but you still want to use HSTS, we recommend that you turn on “Keep websites secured”. Then when the SSL/TLS certificate expires, SSL It! will automatically issue a free one from Let’s Encrypt to secure domains, subdomains, domain aliases, and webmail belonging to the subscription. The website will be continuously secured and HSTS will continue working.
Turn on “OCSP Stapling”.
Once you have hardened your website’s SSL security, you can evaluate it.
Enabling HSTS
- Turn on HSTS.
- Make sure that the SSL/TLS certificate that secures your website will be valid during the “Max-age” period. Do the same for subdomains and the webmail subdomain.
Warning
If the SSL/TLS certificate expires earlier than the Max-age period and HSTS is turned on, visitors won’t be able to access your website.
- If your subdomains are not secured with valid SSL/TLS certificates or you do not have any subdomains, clear the “Include subdomains” checkbox.
- If your webmail subdomain is not secured with a valid SSL/TLS certificate or you do not have any webmail, clear the “Include webmail” checkbox.
- Click Enable HSTS.
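A check for the “Max-age” condition above, as an added example that is not part of the Plesk documentation or the SSL It! extension: it parses a Strict-Transport-Security header value and reports whether the certificate expires before the HSTS window ends. The header values and dates are constructed samples, and `parse_hsts` and `check_hsts_against_cert` are hypothetical helper names.

```python
import math
import ssl
from datetime import datetime, timezone

def parse_hsts(value):
    """Parse a Strict-Transport-Security header value (RFC 6797 syntax)."""
    policy = {"max_age": None, "include_subdomains": False}
    for directive in value.split(";"):
        name, _, arg = directive.strip().partition("=")
        name = name.strip().lower()      # directive names are case-insensitive
        arg = arg.strip().strip('"')     # max-age may be a quoted string
        if name == "max-age" and arg.isdigit():
            policy["max_age"] = int(arg)
        elif name == "includesubdomains":
            policy["include_subdomains"] = True
    return policy

def check_hsts_against_cert(hsts_value, not_after, now):
    """Return (ok, days_short).

    ok is False when the certificate expires before now + max-age, i.e.
    browsers would still enforce HTTPS after the certificate is invalid.
    not_after uses the format of ssl.SSLSocket.getpeercert()["notAfter"].
    """
    policy = parse_hsts(hsts_value)
    if policy["max_age"] is None:
        raise ValueError("no valid max-age directive in HSTS header")
    cert_expiry = ssl.cert_time_to_seconds(not_after)   # epoch seconds, UTC
    window_end = now.timestamp() + policy["max_age"]
    shortfall = window_end - cert_expiry
    if shortfall <= 0:
        return True, 0
    return False, math.ceil(shortfall / 86400)

if __name__ == "__main__":
    # Constructed sample: six-month max-age, certificate valid for 90 more days.
    now = datetime(2024, 1, 1, tzinfo=timezone.utc)
    header = "max-age=15768000; includeSubDomains"
    ok, days = check_hsts_against_cert(header, "Mar 31 00:00:00 2024 GMT", now)
    if ok:
        print("certificate outlives the HSTS max-age window")
    else:
        print(f"certificate expires {days} days before max-age ends; "
              "renew it in time or turn on 'Keep websites secured'")
```

When the check reports a shortfall, the certificate has to be renewed or replaced before it expires for the site to stay reachable, which is what “Keep websites secured” automates.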
Known issues and limitations
- OCSP stapling works only for websites served by nginx with Apache or solely nginx. If your websites are served by Apache only, you do not need to turn on “OCSP Stapling”.
- OCSP stapling may not work for SSL/TLS certificates from certain vendors (for example, free certificates from DigiCert) if the complete trust chain is not in place. To check if your certificate supports OCSP stapling, run the SSL Labs test on your SSL configuration.
Evaluating the SSL security of your website
Popular search engines (for example, Google) rank websites with better SSL protection higher. In the SSL It! extension, you can run one of the most popular testing services, Qualys SSL Labs, to do the following:
- Check how good the SSL protection of your website is.
- See what can be improved.
- Get A+, the highest possible score (after hardening SSL protection if necessary).
To evaluate the SSL security of your website:
- Go to Websites & Domains > your domain > SSL/TLS Certificates.
- Click Run SSL Labs Test.
The Qualys SSL Labs website will be opened in a new tab and the test will be automatically started. Wait until the test is finished to receive your grade. This may take up to several minutes.
If you secured your website with a valid SSL/TLS certificate from a trusted CA, and you turned on all security-enhancing features provided by SSL It!, you are most likely to get the A+ score.