Configuring an SSL in SiteLock with an Existing Firewall

SSL Process Overview

This article goes into detail on configuring an SSL to work with a site that already has a WAF (Web Application Firewall) configured. Whether we’re setting up a new WAF with an existing SSL, or setting up a new SSL on an existing WAF, there are two processes SiteLock uses to ensure the site functions with the WAF and SSL in tandem.

Custom Installed SSL

The first process is a custom SSL install where we install the customer’s SSL directly onto the firewall.

  • Prerequisites - Before the SSL can be installed on the WAF, it needs to be installed and functioning on the host server first. To test this without de-configuring the WAF, you can modify your hosts file to force your computer to resolve the domain directly to the host IP, essentially bypassing the WAF without actually changing anything.
  • Benefits - The biggest benefit of using the customer’s SSL on the WAF is that anyone who wants to review the SSL information will see only the site’s information. As the SSL has been issued to a specific domain, only that domain is visible to a third-party looking at the SSL information.
  • Downside - When the SSL is installed directly on the WAF, any change to the SSL means it has to be reconfigured on the WAF. That includes the SSL being renewed, rekeyed to include another domain/sub-domain, or modified in any other way for any reason.
  • Summary - This is the ideal option for businesses or customers who are conscious about the information available to their visitors and are not put off by the fact that they will need to reconfigure the SSL if something changes.

Configuring a Custom-Installed SSL

You need to have the certificate file (extension .cer or .crt) and the private key (extension .key). Please refer to this article on how to find these files.
  1. Log into your Customer Portal.
  2. Access the SiteLock dashboard then navigate to Settings.
  3. Under the Security Settings menu, click TrueShield Settings.
  4. On the next page, scroll down a little and look for the SSL Configuration Status section. If an SSL is already installed, it will show two buttons, Remove SSL Certificate and Replace Certificate. If there is no SSL, it will display the Upload Certificate button. Choose Replace Certificate if the SSL is already out of date, or Upload Certificate if no SSL is installed.
  5. Skip Validating Domain Ownership and go to Manage Certificate, then select Upload Certificate.
    • If you do not see this option, the WAF is not able to detect the SSL on the host server. Go back to the previous page and check the Site IP just below the SSL Configuration Status to ensure our WAF is pointing to the correct hosting IP where the SSL is installed.

      SiteLock Dashboard - Site IP

    • If you still do not see the option, and you’re sure the SSL is installed correctly on the host side (verified by modifying your hosts file to test), then contact SiteLock support so we can work with Incapsula to resolve the issue.
  6. Once you click on Upload Certificate, you’ll get an uploader for Certificate first. Navigate to your .cer or .crt file and select it.

    SiteLock Dashboard - Upload .crt File

    Note: If the Choose File button did not work, drag and drop your .crt file from your computer to the Certificate box.
  7. Next, you’ll be asked for the Private Key. Navigate to your .key file and select it.

    SiteLock Dashboard - Upload .key File

  8. Finally, you’ll be asked to include the passphrase, which is optional.
  9. Once done, click Submit and give it a moment. If it works, you’ll see something like this:

    SiteLock Dashboard - Configuration Settings

If you get an error, you can attempt the same process again. One good thing to check if you get an error is the formatting of the certificate and key. Both files have the same shape: a BEGIN line, the encoded body, and an END line, like this:

-----BEGIN CERTIFICATE-----
Random characters
-----END CERTIFICATE-----

Make sure there are no spaces or empty lines before the beginning dashes or after the ending dashes. Those spaces count as characters and will stop the system from reading the file correctly.

If the files are formatted correctly and you’re still getting an error, please contact SiteLock support to resolve the issue. You can also check this article: How To Configure SSL To Work With Sitelock CDN
Incapsula Shared SSL

SiteLock partners with Incapsula for its firewall needs. For this process, we take advantage of the fact that each of Incapsula’s WAFs has an SSL assigned to it. By verifying to Incapsula that the site admin would like to use the WAF SSL to protect their site, the site’s domain is added to the WAF SSL as a secured domain.

  • Prerequisites - Before the SSL can be installed on the WAF, it needs to be installed and functioning on the host server first. To test this without de-configuring the WAF, you can modify your hosts file to force your computer to resolve the domain directly to the host IP, essentially bypassing the WAF without actually changing anything.
  • Benefits - This is an option that is geared towards convenience. By adding a TXT record to the site’s DNS, we can verify to Incapsula that the site admin wishes to be included on the firewall’s SSL. Once verification goes through, the site’s domain is added to the existing WAF SSL. This is great because if the customer’s SSL is renewed, rekeyed, or modified for any reason, it doesn’t matter. As long as the SSL is updated correctly on the host side, the Incapsula SSL will continue to cover the site without a need to change anything on SiteLock’s side.
  • Downside - When a site uses the WAF SSL, anyone who reviews the SSL information will see that the SSL is issued to Incapsula.com, with the site’s domain included as a SAN (Subject Alternative Name), which is the list of additional domains the SSL covers. The site’s domain will be among a large number of other domains that are also protected by the same SSL. This can give a sort of “unprofessional” look to a third party who is reviewing the SSL information and sees a ton of seemingly random domains attached to the same SSL.
  • Summary - This is a great option for bloggers or customers who don’t care about the inclusion of other domains on their SSL and instead appreciate that once they configure the SSL with SiteLock once, they need not revisit the process again.

Configuring an Incapsula Shared SSL

The SSL must already be configured and working on the host server.
You will need access to DNS management for the domain, so you can add a verification record.
  1. Access the SiteLock dashboard and navigate to Settings.
  2. From the Security Settings menu, click TrueShield Settings. You should see something like this:

  3. Copy the TXT Value. This is the verification entry we need to add to the site’s DNS.
  4. Navigate to where the domain is managed and add the DNS entry as a TXT record with “@” as the host. See the example below:

Now that the record is in place, it’s just a matter of propagation, which usually takes at least 24 hours. You can check whether the verification has happened in the TrueShield wizard. If you still see Certificate Authority Verification is pending in yellow, we’re still waiting on Incapsula to validate. After a couple of hours, you’ll notice that Site DNS returned no matching TXT record was found changes to Congratulations, a matching TXT record was found! This signifies that our WAF is detecting the verification record, and we just need Incapsula to process the request.

Once the verification goes through, you’ll see something like this:

This indicates that the SSL is currently live. You still have the option to upload the certificate directly to the WAF.
Tips & Additional Information

  1. The Source of SSL Certificate will tell you what setup the customer currently has. If you see the source is Customer, that means the SSL has been installed to the WAF. If you see the source is Network, that means the site is using Incapsula’s SSL.
  2. A very useful tool for testing SSLs is: https://www.sslshopper.com/ssl-checker.html . This lets you plug the domain in to see what SSL is currently installed (good for checking expiration dates). Note that if the domain is pointing to SiteLock’s WAF and the SSL has not yet been configured, the information will not be reliable as it will be reading the SSL that’s currently on the WAF the domain is configured for.
  3. You should not do anything to configure a site’s URL to force HTTPS until after the site has been configured on the firewall as well (and tested first!). If the site is using our WAF, and the SSL has been installed on the host server but not on our WAF, forcing HTTPS will not only bring the site down, it will bring it down with a bunch of security errors, which just looks bad all around. The most common example of this issue is finding a site with the secure URL in its WordPress Site Home/Site URL setting despite not having a fully functional WAF + SSL setup.
  4. To modify your hosts file, use the following article, How Do I Change My Hosts File? Please be aware that this can have hugely negative effects on your computer if not done right.
  5. Here is another article you can refer to for more information on how to work with SiteLock’s firewall, How To Configure SSL To Work With SiteLock CDN.
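As an added example (not SiteLock’s or Incapsula’s own code), the Python below covers three checks from this article: the PEM whitespace rule from the custom-install section, the direct-to-host test that the Prerequisites describe via the hosts file (done here with SNI instead of editing the hosts file), and the Customer/Network distinction from tip 1. Function and message names are my own, and the script assumes Python 3.9 or newer.

```python
"""Pre-flight checks for the steps above (added example; not SiteLock's or Incapsula's tooling)."""
import socket
import ssl

def pem_problems(text: str, expect: str, label: str) -> list[str]:
    """List the faults that make the uploader reject a PEM file: the file is read
    literally, so anything before '-----BEGIN' or after the final '-----' breaks it.
    expect is 'CERTIFICATE' for .crt/.cer, 'PRIVATE KEY' for .key (catches swaps).
    """
    problems = []
    first = text.split("\n", 1)[0]
    if not text.startswith("-----BEGIN "):
        problems.append(f"{label}: text before the BEGIN line")
    elif expect not in first:
        problems.append(f"{label}: header is '{first}', expected a {expect} block")
    body = text.removesuffix("\n").removesuffix("\r")  # one final line ending is fine
    if not body.endswith("-----"):
        problems.append(f"{label}: text after the END line")
    if "-----END " not in text:
        problems.append(f"{label}: no END line, file is truncated or not PEM")
    return problems

def _covers(name: str, domain: str) -> bool:
    """True if a certificate name (exact or one-level wildcard) matches domain."""
    name, domain = name.lower(), domain.lower()
    if name.startswith("*."):
        return "." in domain and domain.split(".", 1)[1] == name[2:]
    return name == domain

def classify(cert: dict, domain: str) -> str:
    """Describe a served certificate in the terms of 'Source of SSL Certificate'."""
    subject = {k: v for rdn in cert.get("subject", ()) for k, v in rdn}
    cn = subject.get("commonName", "")
    sans = [v for kind, v in cert.get("subjectAltName", ()) if kind == "DNS"]
    if _covers(cn, domain):
        return f"site's own certificate (CN {cn}) -> Source: Customer"
    if any(_covers(s, domain) for s in sans):
        return f"shared certificate for {cn}; {domain} is one of {len(sans)} SANs -> Source: Network"
    return f"certificate for {cn} does not cover {domain}: SSL not yet configured on this endpoint"

def served_certificate(domain: str, ip: str, port: int = 443) -> dict:
    """Certificate `ip` serves for `domain` (sent via SNI). ip = host IP reproduces the
    hosts-file test from the Prerequisites, ip = WAF IP shows what visitors get. Hostname
    checking is off so an unconfigured endpoint still answers; the chain must be trusted.
    """
    ctx = ssl.create_default_context()
    ctx.check_hostname = False
    with socket.create_connection((ip, port), timeout=10) as raw:
        with ctx.wrap_socket(raw, server_hostname=domain) as tls:
            return tls.getpeercert()
```

Run `classify(served_certificate("yourdomain.example", "<host IP>"), "yourdomain.example")` against the host IP before uploading, and against the Site IP shown in the dashboard afterwards, to confirm which certificate each endpoint is presenting.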

Conclusion

At this point, you should be familiar with both processes SiteLock uses to install an SSL to the firewall. It’s the same process as setting up a new firewall for the first time if there is an SSL present. If you run into issues during any part of this process, give SiteLock’s support a quick call so that they can assist where possible.