Configuring an SSL in SiteLock with an Existing Firewall

This article will detail configuring an SSL to work with a site that already has a WAF (Web Application Firewall) configured. Whether we're setting up a new WAF with an existing SSL or setting up a new SSL on an existing WAF, there are two processes SiteLock uses to ensure the site functions with the WAF and SSL in tandem.


Custom-installed SSL

The first process is a custom SSL install where we install the customer's SSL directly onto SiteLock's firewall.

Prerequisites

Before the SSL can be installed on the WAF, it must be installed and functioning on the host server first. To test this without de-configuring the WAF, you can modify your hosts file to force your computer to resolve the domain directly to the host IP, bypassing the WAF without changing anything.

Benefits

The most significant benefit of using the customer's SSL on the WAF is that anyone who wants to review the SSL information will see only the site's information. As the SSL has been issued to a specific domain, only that domain is visible to a third party looking at the SSL information.

Downside

When installing the SSL directly to the WAF, it will need to be reconfigured on the WAF if anything changes with the SSL. If the SSL is renewed or rekeyed to include another domain/subdomain or modified for any reason, it needs to be reconfigured on the WAF.

Summary

This is the ideal option for businesses or customers who are conscious about the information available to their visitors and are not put off because they will need to reconfigure the SSL if something changes.

 

How to configure custom-installed SSL

You need to have the certificate file (extensions .cer or .crt) and the private key (extension .key). Please refer to the article, How To Configure SSL To Work With SiteLock CDN, for instructions on finding these files.
  1. Log in to your Customer Portal.
  2. Click Websites from the left-side menu.

    Customer Portal - Websites

  3. Locate your website with SiteLock, then click its Settings button.

    Website's Settings button

  4. On the next page, click the Security tab.

    Settings tab

  5. Under SiteLock, click the Log into SiteLock button.

    Settings tab

  6. In the SiteLock Dashboard, click Settings from the left-hand menu.

    SiteLock Dashboard - Settings (left menu)

  7. Under the Settings menu, select TrueShield Settings.

    SiteLock Security - TrueShield Settings

  8. Next, scroll down and look for the SSL Configuration Status section.

    SiteLock - SSL Configuration Status

    • If an SSL is already installed, it will show two options: remove the SSL Certificate and replace the certificate.
    • If there is no SSL, it will display the Upload Certificate button.

    Choose Replace Certificate if the SSL is already out of date or Upload Certificate if no SSL is installed.

  9. Skip Validating Domain Ownership, go to Manage Certificate, and select Upload Certificate.
    • If you do not see this option, the WAF cannot detect the SSL on the host server. Go back to the previous page and check the Site IP below the SSL Configuration Status to ensure our WAF points to the correct hosting IP where the SSL is installed.

      SiteLock Dashboard - Site IP

    • If you still do not see the option, and you're sure the SSL is installed correctly on the host side (verified by modifying your hosts file to test), contact SiteLock's Support to work with Incapsula to resolve the issue.
       
  10. Once you click on Upload Certificate, you'll get an uploader for the Certificate first. Navigate to your .cert or .crt file and select it.

    If you previously clicked Replace Certificate, a Choose File button will appear. Use this to upload your .cert or .crt file.

    SiteLock Dashboard - Upload .crt File

    Note: If the Choose File button does not work, drag and drop your .crt file from your computer to the Certificate box.
  11. Next, you'll be asked for the Private Key. Navigate to your .key file and select it.

    SiteLock Dashboard - Upload .key File

  12. You'll be asked to include a Passphrase, which is optional. You can leave the Passphrase field blank.
  13. Once done, click Submit and give it a moment. You will receive a confirmation if the installation is successful or not.
    • If it works, you'll see something like this:

      SiteLock Dashboard - Configuration Settings

    • If it fails, you'll see something like this:

      SiteLock Dashboard - Configuration Settings

If you get an error, you can attempt the same process again. A good first check when you get an error is to review the certificate and key files. Each file should look something like this:

-----BEGIN CERTIFICATE-----
{

(Random string of characters)

}

-----END CERTIFICATE-----

There must be no spaces or empty lines before the beginning dashes or after the ending dashes. Those spaces count as characters and will cause the system not to read the files correctly.
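The formatting check described above can be automated before uploading. This is an added example, not SiteLock's own validation: `check_pem` and the sample values are constructed for illustration, and the base64 bodies are placeholders rather than real key material. It assumes keys without legacy `Proc-Type` header lines.

```python
import re

ARMOR = re.compile(r"^-----(BEGIN|END) ([A-Z0-9 ]+)-----$")
BASE64_LINE = re.compile(r"^[A-Za-z0-9+/]+={0,2}$")

# Constructed samples: the base64 bodies are placeholders, not real key material.
CLEAN_CERT = ("-----BEGIN CERTIFICATE-----\n"
              "Q09OU1RSVUNURUQtU0FNUExFLUNFUlQ=\n"
              "-----END CERTIFICATE-----\n")
CLEAN_KEY = ("-----BEGIN PRIVATE KEY-----\n"
             "Q09OU1RSVUNURUQtU0FNUExFLUtFWQ==\n"
             "-----END PRIVATE KEY-----\n")


def check_pem(text, expect):
    """Return formatting problems in a PEM file; expect is "certificate" or "key"."""
    problems = []
    if text.startswith("\ufeff"):
        problems.append("byte-order mark before the BEGIN line")
        text = text[1:]
    if text != text.lstrip():
        problems.append("spaces or empty lines before the BEGIN line")
    # A single line terminator after the END line is normal; anything more is not.
    if text[len(text.rstrip()):] not in ("", "\n", "\r\n"):
        problems.append("spaces or empty lines after the END line")
    lines = text.strip().splitlines() or [""]
    first, last = ARMOR.match(lines[0]), ARMOR.match(lines[-1])
    if not first or first.group(1) != "BEGIN":
        return problems + ["first line is not a -----BEGIN ...----- line"]
    if not last or last.group(1) != "END":
        return problems + ["last line is not an -----END ...----- line"]
    label = first.group(2)
    if expect == "certificate" and label != "CERTIFICATE":
        problems.append(f"expected a certificate, found {label}")
    if expect == "key" and not label.endswith("PRIVATE KEY"):
        problems.append(f"expected a private key, found {label}")
    for number, line in enumerate(lines[1:-1], start=2):
        # BEGIN/END lines inside the body are allowed so a certificate chain passes.
        if not (BASE64_LINE.match(line) or ARMOR.match(line)):
            problems.append(f"line {number} is not plain base64 (stray whitespace or text)")
            break
    return problems


if __name__ == "__main__":
    import sys
    # Usage: first argument is the certificate file, second is the key file.
    for path, kind in zip(sys.argv[1:3], ("certificate", "key")):
        with open(path, encoding="utf-8", newline="") as handle:
            print(path, check_pem(handle.read(), kind) or "OK")
```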

If the files are formatted correctly and you're still getting an error, please contact SiteLock support to resolve the issue. You can also check this article: How To Configure SSL To Work With Sitelock CDN.

 


Incapsula Shared SSL

SiteLock partners with Incapsula for its firewall needs. We take advantage of how each of Incapsula's WAFs has an SSL assigned to it for this process. By verifying to Incapsula that the site admin would like to use the WAF SSL to protect their site, the site's domain is added to the WAF SSL as a secured domain.

Prerequisites

Before the SSL can be installed on the WAF, it must be installed and functioning on the host server first. To test this without de-configuring the WAF, you can modify your hosts file to force your computer to resolve the domain directly to the host IP, bypassing the WAF without changing anything.

Benefits

This is an option that is geared towards convenience. By adding a TXT record to the site's DNS, we can verify to Incapsula that the site admin wishes to be included on the firewall's SSL. Once verification goes through, the site's domain is added to the existing WAF SSL. This is great because if the customer's SSL is renewed, rekeyed, or modified, it doesn't matter. As long as the SSL is updated correctly on the host side, the Incapsula SSL will continue to cover the site without a need to change anything on SiteLock's side.

Downside

When a site uses the WAF SSL, anyone who reviews the SSL information will see that the SSL is assigned to Incapsula.com. The site's domain is included as a SAN (Subject Alternative Name), which is an additional domain covered by the SSL, so it will be one among many other domains protected by the same SSL. To a third party reviewing the SSL information, this can look "unprofessional", with a ton of seemingly random domains attached to the same SSL.

Summary

This is an excellent option for bloggers or customers who don't care about the inclusion of other domains on their SSL and instead appreciate that once they configure the SSL with SiteLock once, they need not revisit the process.

 

How to configure Incapsula shared SSL

The SSL must already be configured and working on the host server. You will need access to the DNS control panel for the domain so you can add a verification record.

  1. Access the SiteLock Dashboard and navigate to Settings.
  2. From the Settings menu, click TrueShield Settings. You should see something like this:

    TXT Record in SiteLock Dashboard

  3. Copy the TXT Value. We need to add this verification entry to the site's DNS.
  4. Navigate where the domain is managed and add the DNS entry as a TXT record with "@" as the host. See the example below:

    DNS zone control panel

Once the record is added, it's just a matter of propagation, which usually takes at least 24 hours. You can check whether the verification has happened in the TrueShield wizard. If you still see "Certificate Authority Verification pending" in yellow, we're still waiting on Incapsula to validate. After a couple of hours, you'll notice that "Site DNS returned; no matching TXT record was found" changes to "Congratulations, a matching TXT record was found!" This signifies that our WAF is detecting the verification record, and we need Incapsula to process the request.

Once the verification goes through, you'll see something like this:

Verification is done

This indicates that the SSL is currently live. You still have the option to upload the certificate directly to the WAF.

 


Tips & More!

  • The Source of the SSL Certificate will tell you what setup you currently have. If you see the source is Customer, the SSL has been installed to the WAF. If you see the source is Network, the site uses Incapsula's SSL.
  • A very useful tool for testing SSL is https://www.sslshopper.com/ssl-checker.html. This tool lets you plug the domain to see what SSL is currently installed (good for checking expiration dates, too!). If the domain is pointing to SiteLock's WAF and the SSL has not yet been configured, the information will not be reliable as it will be reading the SSL that's currently on the WAF for which the domain is configured.
  • You should not do anything to configure a site's URL to force HTTPS until after the site has been configured on the firewall (and tested first!). If the site is using our WAF and the SSL has been installed on the host server but not on the WAF, forcing HTTPS will bring the site down with many security errors that look bad all around. The most common example of this issue is a site with a secure URL in its WordPress Site Home/Site URL setting despite not having a fully functional WAF + SSL setup.
  • To modify your hosts file, use the following article: How Do I Change My Hosts File? Please be aware that this can have hugely negative effects on your computer if not done right.
  • Here is another article you can refer to for more information on working with SiteLock's firewall: How To Configure SSL To Work With SiteLock CDN.
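
The checks in these tips (which certificate is served through the WAF, which one the host serves, and which other names share it) can be scripted. This is an added example, not SiteLock tooling: the sample certificates are constructed, and `fetch_cert`, `describe_cert` and `matches` are names chosen here. Passing the host IP as `ip` has the same effect as the hosts-file edit, for this one connection only.

```python
import socket
import ssl

# Constructed samples in the shape ssl.SSLSocket.getpeercert() returns.
SHARED_CERT = {
    "subject": ((("commonName", "shared-waf.example.net"),),),
    "subjectAltName": (("DNS", "shared-waf.example.net"),
                       ("DNS", "shop.example.com"), ("DNS", "blog.example.org")),
    "notAfter": "Jan  1 00:00:00 2030 GMT",
}
CUSTOMER_CERT = {
    "subject": ((("commonName", "shop.example.com"),),),
    "subjectAltName": (("DNS", "shop.example.com"), ("DNS", "www.shop.example.com")),
    "notAfter": "Jan  1 00:00:00 2030 GMT",
}


def fetch_cert(domain, ip=None, port=443, timeout=10):
    """Return the validated certificate served for domain; ip overrides DNS."""
    context = ssl.create_default_context()  # raises if the certificate is invalid
    with socket.create_connection((ip or domain, port), timeout=timeout) as raw:
        with context.wrap_socket(raw, server_hostname=domain) as tls:
            return tls.getpeercert()


def matches(name, domain):
    """True if a certificate name (exact or one-label wildcard) covers domain."""
    name, domain = name.lower(), domain.lower()
    if name.startswith("*."):
        return domain.partition(".")[2] == name[2:]
    return name == domain


def describe_cert(cert, domain):
    """Summarise who a certificate was issued to and which names share it."""
    subject = dict(rdn[0] for rdn in cert.get("subject", ()))
    sans = [value for kind, value in cert.get("subjectAltName", ()) if kind == "DNS"]
    return {
        "issued_to": subject.get("commonName", ""),
        "issued_to_domain": matches(subject.get("commonName", ""), domain),
        "covers_domain": any(matches(name, domain) for name in sans),
        "other_domains": [name for name in sans if not matches(name, domain)],
        "not_after": cert.get("notAfter"),
    }


if __name__ == "__main__":
    import sys
    domain, host_ip = sys.argv[1], sys.argv[2]
    for label, ip in (("through the WAF", None), ("direct to host", host_ip)):
        print(label, describe_cert(fetch_cert(domain, ip), domain))
```

A certificate error raised on the direct-to-host connection means the SSL is not yet functioning on the host server, which is the prerequisite for both setups.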
     

Conclusion

At this point, you should be familiar with both processes SiteLock uses to install an SSL to the firewall. It's the same process as setting up a new firewall for the first time if an SSL is present. If you run into issues during any part of this process, give SiteLock's Support a quick call so that they can assist where possible.

 

