Configuring an SSL in SiteLock with an Existing Firewall
This article is part of our series on getting started with SiteLock. For other articles and helpful tips on activating and using SiteLock services, please see the following articles:
- Welcome to SiteLock - An Introduction to Your SiteLock Account
- What to do when SiteLock Finds a Vulnerability
- Enable SiteLock TrueShield and TrueSpeed
- How to use SiteLock TrustSeal
- Verifying Account and Domain Information in SiteLock
- SiteLock Overview and Resources
- SiteLock Free Scan FAQ
- How To Configure SSL To Work With Sitelock CDN
SSL Process Overview
This article will detail configuring an SSL to work with a site that already has a WAF (Web Application Firewall) configured. Whether we're setting up a new WAF with an existing SSL or setting up a new SSL on an existing WAF, there are two processes SiteLock uses to ensure the site functions with the WAF and SSL in tandem.
Custom-installed SSL
The first process is a custom SSL install where we install the customer's SSL directly onto SiteLock's firewall.
Prerequisites
Before the SSL can be installed on the WAF, it must already be installed and working on the host server. To test this without removing the WAF, edit your computer's hosts file so that the domain resolves directly to the host server's IP; this bypasses the WAF for your machine only, without changing anything else.
Benefits
The most significant benefit of using the customer's SSL on the WAF is that anyone who wants to review the SSL information will see only the site's information. As the SSL has been issued to a specific domain, only that domain is visible to a third party looking at the SSL information.
Downside
When the SSL is installed directly on the WAF, any change to the SSL must be repeated on the WAF. If the SSL is renewed, rekeyed to include another domain or subdomain, or modified for any other reason, it needs to be reconfigured on the WAF.
Summary
This is the ideal option for businesses or customers who are conscious of the information visible to their visitors and do not mind reconfiguring the SSL on the WAF whenever it changes.
How to configure custom-installed SSL
- Log in to your Customer Portal.
- Access SiteLock Security from your hosting package's Manage list of options.
- Click on the shield icon under Settings to open the SiteLock Dashboard.
- In the SiteLock Dashboard, click Settings from the left-hand menu.
- Under the Settings menu, select TrueShield Settings.
- Next, scroll down and look for the SSL Configuration Status section.
- If an SSL is already installed, two options are shown: remove the SSL certificate, and replace the certificate. If no SSL is installed, an Upload Certificate button is shown instead. Choose Replace Certificate if the installed SSL is out of date, or Upload Certificate if no SSL is installed.
- Skip Validating Domain Ownership, go to Manage Certificate, and select Upload Certificate.
- If you do not see this option, the WAF cannot detect the SSL on the host server. Go back to the previous page and check the Site IP below the SSL Configuration Status to ensure our WAF points to the correct hosting IP where the SSL is installed.
- If you still do not see the option, and you're sure the SSL is installed correctly on the host side (verified by modifying your hosts file to test), contact SiteLock's Support to work with Incapsula to resolve the issue.
- Once you click on Upload Certificate, you'll get an uploader for the Certificate first. Navigate to your .cert or .crt file and select it.
If you previously clicked Replace Certificate, a Choose File button appears instead; use it to upload your .cert or .crt file. Note: if the Choose File button does not work, drag and drop your .crt file from your computer onto the Certificate box.
- Next, you'll be asked for the Private Key. Navigate to your .key file and select it.
- You'll be asked to include a Passphrase, which is optional. You can leave the Passphrase field blank.
- Once done, click Submit and give it a moment. You will receive a message indicating whether the installation succeeded.
- If it works, you'll see something like this:
- If it's not, you'll see something like this:
If you get an error, you can attempt the same process again. Before retrying, review the certificate and key files: a correctly formatted file looks like this (the key file uses the same layout, with PRIVATE KEY in its BEGIN and END lines):
-----BEGIN CERTIFICATE-----
(base64-encoded certificate data)
-----END CERTIFICATE-----
There must be no spaces or empty lines before the BEGIN line or after the END line. Those spaces count as characters and will stop the system from reading the file correctly.
If the files are formatted correctly and you still get an error, please contact SiteLock support to resolve the issue. You can also check this article: How To Configure SSL To Work With Sitelock CDN.
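The framing rules above are easy to check before uploading. The following is an added example, not SiteLock's code: it reports leading or trailing whitespace, missing or mismatched BEGIN/END lines, a body that is not clean base64, and (for key files) an encrypted key, which would make the Passphrase field required rather than optional. The function and constant names are my own, and the sample block it builds is constructed placeholder data, not a real certificate or key. It checks only the file's shape, not whether the certificate is valid or the key matches it.

```python
# Added example (not SiteLock's code): check a certificate or key file for the
# formatting problems described above before uploading it to the WAF.
import base64
import re

CERT_LABELS = {"CERTIFICATE"}
KEY_LABELS = {"PRIVATE KEY", "RSA PRIVATE KEY", "EC PRIVATE KEY", "ENCRYPTED PRIVATE KEY"}
MARKER = re.compile(r"-----(BEGIN|END) ([A-Z ]+)-----")


def check_pem_framing(text, kind):
    """Return a list of problems with one PEM file's text; an empty list means it looks uploadable.

    kind is 'certificate' or 'key'. Only the framing is checked, not whether the
    certificate is valid or the key belongs to it.
    """
    expected = CERT_LABELS if kind == "certificate" else KEY_LABELS
    text = text.replace("\r\n", "\n")                      # Windows line endings are fine
    problems = []
    if text != text.lstrip():
        problems.append("spaces or blank lines before the BEGIN line")
    trimmed = text[:-1] if text.endswith("\n") else text   # one final newline is normal
    if trimmed != trimmed.rstrip():
        problems.append("spaces or blank lines after the END line")
    lines = text.strip().splitlines()
    if len(lines) < 3:
        problems.append("too short to be a PEM block")
        return problems
    begin, end = MARKER.fullmatch(lines[0].strip()), MARKER.fullmatch(lines[-1].strip())
    if not begin or begin.group(1) != "BEGIN" or not end or end.group(1) != "END":
        problems.append("missing or malformed -----BEGIN/-----END lines")
        return problems
    label = begin.group(2)
    if end.group(2) != label:
        problems.append("BEGIN and END labels differ")
    if label not in expected:
        problems.append(f"block type '{label}' is not a {kind}")
    body = [line.strip() for line in lines[1:-1]]
    headers = [line for line in body if ":" in line]   # e.g. 'Proc-Type: 4,ENCRYPTED' on legacy keys
    data = "".join(line for line in body if ":" not in line)
    try:
        base64.b64decode(data, validate=True)
    except ValueError:
        problems.append("body is not clean base64 (stray characters or an incomplete paste)")
    if kind == "key" and (label == "ENCRYPTED PRIVATE KEY" or any("ENCRYPTED" in h for h in headers)):
        problems.append("key is encrypted, so the Passphrase field is required rather than optional")
    return problems


def constructed_pem(label, headers=(), payload=b"constructed placeholder, not real key material"):
    """Build a PEM-shaped block around placeholder bytes (constructed test data, not a real file)."""
    b64 = base64.b64encode(payload).decode("ascii")
    wrapped = "\n".join(b64[i:i + 64] for i in range(0, len(b64), 64))
    head = "".join(h + "\n" for h in headers) + ("\n" if headers else "")
    return f"-----BEGIN {label}-----\n{head}{wrapped}\n-----END {label}-----\n"


if __name__ == "__main__":
    import sys
    # usage: python check_pem.py certificate site.crt   /   python check_pem.py key site.key
    kind, path = sys.argv[1], sys.argv[2]
    with open(path, encoding="ascii", errors="replace") as fh:
        found = check_pem_framing(fh.read(), kind)
    print("OK" if not found else "\n".join(f"- {p}" for p in found))
```

Run it against each file you intend to upload; an empty result means the file at least has the shape the uploader expects.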
Incapsula shared SSL
SiteLock partners with Incapsula for its firewall needs. This process takes advantage of the fact that each of Incapsula's WAFs has an SSL certificate assigned to it. Once the site admin verifies to Incapsula that they want to use the WAF's SSL to protect their site, the site's domain is added to that certificate as a secured domain.
Prerequisites
Before the SSL can be installed on the WAF, it must already be installed and working on the host server. To test this without removing the WAF, edit your computer's hosts file so that the domain resolves directly to the host server's IP; this bypasses the WAF for your machine only, without changing anything else.
Benefits
This option is geared towards convenience. By adding a TXT record to the site's DNS, we verify to Incapsula that the site admin wishes to be included on the firewall's SSL. Once verification goes through, the site's domain is added to the existing WAF SSL. The advantage is that renewing, rekeying, or otherwise modifying the customer's SSL does not matter: as long as the SSL is updated correctly on the host side, the Incapsula SSL continues to cover the site with no change needed on SiteLock's side.
Downside
When a site uses the WAF SSL, anyone reviewing the certificate will see that it is issued to Incapsula.com. The site's domain is included as a SAN (Subject Alternative Name), one of the additional domains the certificate covers, alongside many other unrelated domains protected by the same certificate. To a third party reviewing the SSL information, this can look "unprofessional", with a ton of seemingly random domains attached to the same SSL.
Summary
This is an excellent option for bloggers or customers who don't mind other domains being included on their SSL and instead appreciate that once they have configured the SSL with SiteLock, they need not revisit the process.
How to configure Incapsula shared SSL
- Access the SiteLock Dashboard and navigate to Settings.
- From the Settings menu, click TrueShield Settings. You should see something like this:
- Copy the TXT Value. We need to add this verification entry to the site's DNS.
- Navigate to where the domain's DNS is managed and add the value as a TXT record with "@" as the host. See the example below:
Once the record is added, it is just a matter of DNS propagation, which usually takes at least 24 hours. You can check whether verification has happened in the TrueShield wizard. If you still see "Certificate Authority Verification is pending" in yellow, we are still waiting on Incapsula to validate. After a couple of hours, the message "Site DNS returned; no matching TXT record was found" will change to "Congratulations, a matching TXT record was found!" This means our WAF is detecting the verification record and we are now waiting for Incapsula to process the request.
Once the verification goes through, you'll see something like this:
This indicates that the SSL is currently live. You still have the option to upload the certificate directly to the WAF.
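While waiting on propagation, you can look up the TXT record yourself instead of reloading the wizard. The following is an added example, not SiteLock's or Incapsula's code: a minimal DNS TXT query over UDP written with only the Python standard library, which returns every TXT string published at the domain's apex ("@") and checks whether the exact value copied from TrueShield Settings is among them. The function names are my own; the resolver address is whichever you pass in (the script defaults to the public resolver 8.8.8.8), and the response the test parses is constructed by hand rather than captured.

```python
# Added example (not SiteLock's or Incapsula's code): a minimal DNS TXT lookup
# over UDP using only the standard library, to confirm the verification TXT
# record at "@" is visible before waiting on the TrueShield wizard.
import random
import socket
import struct

TYPE_TXT, CLASS_IN = 16, 1


def encode_name(name):
    """Wire-format a domain name: one length-prefixed label per part, then a zero byte."""
    labels = [part for part in name.strip(".").split(".") if part]
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"


def build_txt_query(name, txid):
    """Standard query (RD=1) carrying a single TXT/IN question."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    return header + encode_name(name) + struct.pack("!HH", TYPE_TXT, CLASS_IN)


def _skip_name(msg, offset):
    """Return the offset just past a (possibly compressed) name; its text is not needed here."""
    while True:
        length = msg[offset]
        if length == 0:
            return offset + 1
        if length & 0xC0 == 0xC0:          # compression pointer: two bytes, ends the name
            return offset + 2
        offset += 1 + length


def parse_txt_answers(msg, txid):
    """Extract every TXT record (as one string each) from a DNS response's answer section."""
    rid, flags, qdcount, ancount, _, _ = struct.unpack("!HHHHHH", msg[:12])
    if rid != txid:
        raise ValueError("response transaction id does not match the query")
    rcode = flags & 0x000F
    if rcode != 0:
        raise ValueError(f"DNS error, rcode={rcode} (3 means the name does not exist)")
    offset = 12
    for _ in range(qdcount):
        offset = _skip_name(msg, offset) + 4         # skip QTYPE + QCLASS
    records = []
    for _ in range(ancount):
        offset = _skip_name(msg, offset)
        rtype, _, _, rdlength = struct.unpack("!HHIH", msg[offset:offset + 10])
        offset += 10
        rdata = msg[offset:offset + rdlength]
        offset += rdlength
        if rtype != TYPE_TXT:
            continue
        # TXT rdata is a sequence of <length><bytes> strings; long values arrive split
        pos, parts = 0, []
        while pos < len(rdata):
            n = rdata[pos]
            parts.append(rdata[pos + 1:pos + 1 + n].decode("utf-8", "replace"))
            pos += 1 + n
        records.append("".join(parts))
    return records


def lookup_txt(domain, resolver, timeout=5):
    """Ask one resolver (an IP address) for the TXT records of domain."""
    txid = random.randrange(0x10000)
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.settimeout(timeout)
        sock.sendto(build_txt_query(domain, txid), (resolver, 53))
        response, _ = sock.recvfrom(4096)
    return parse_txt_answers(response, txid)


def verification_record_present(records, expected_value):
    """True when the exact TXT value copied from TrueShield Settings is among the records."""
    return any(r.strip() == expected_value.strip() for r in records)


def constructed_txt_response(txid, name, txt_strings):
    """Hand-build a DNS response (constructed test data, not captured traffic).
    Each string must be under 256 bytes; answers point back at the question name."""
    header = struct.pack("!HHHHHH", txid, 0x8180, 1, len(txt_strings), 0, 0)
    question = encode_name(name) + struct.pack("!HH", TYPE_TXT, CLASS_IN)
    answers = b""
    for s in txt_strings:
        rdata = bytes([len(s.encode())]) + s.encode()
        answers += b"\xC0\x0C" + struct.pack("!HHIH", TYPE_TXT, CLASS_IN, 300, len(rdata)) + rdata
    return header + question + answers


if __name__ == "__main__":
    import sys
    # usage: python txt_check.py example.com "<TXT value from TrueShield Settings>" [resolver-ip]
    domain, expected = sys.argv[1], sys.argv[2]
    resolver = sys.argv[3] if len(sys.argv) > 3 else "8.8.8.8"
    found = lookup_txt(domain, resolver)
    print("TXT records:", found)
    print("verification record present:", verification_record_present(found, expected))
```

Querying the domain's own authoritative nameserver shows the record as soon as it is saved, while querying a caching resolver shows what the rest of the internet (including Incapsula) currently sees; if the two disagree, the record exists but has not propagated yet. Responses larger than a UDP packet would set the truncation bit and need a TCP retry, which this small example does not attempt.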
Tips & additional information
- The Source of the SSL Certificate tells you which setup you currently have. If the source is Customer, the SSL has been installed on the WAF. If the source is Network, the site uses Incapsula's SSL.
- A very useful tool for testing SSLs is https://www.sslshopper.com/ssl-checker.html. Enter the domain to see which SSL is currently installed (good for checking expiration dates, too!). If the domain is pointing to SiteLock's WAF and the SSL has not yet been configured, the information will not be reliable, because the tool reads the SSL currently on the WAF the domain is configured for.
- Do not configure the site's URL to force HTTPS until the site has been configured on the firewall (and tested first!). If the site is behind our WAF and the SSL is installed on the host server but not on the WAF, forcing HTTPS will bring the site down with many security errors that look bad all around. The most common example of this issue is a site with a secure URL in its WordPress Site Home/Site URL settings despite not having a fully functional WAF + SSL setup.
- To modify your hosts file, use the following article: How Do I Change My Hosts File? Please be aware that this can have serious negative effects on your computer if done incorrectly.
- Here is another article you can refer to for more information on working with SiteLock's firewall, How To Configure SSL To Work With SiteLock CDN.
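The hosts-file test from the Prerequisites sections and the SSL-checker tip above both come down to one question: which certificate does a given endpoint present for this domain? The following is an added example, not SiteLock's or Incapsula's code: it opens a TLS connection to an IP of your choosing with SNI set to the domain, so pointing it at the host server's IP reproduces the hosts-file test without editing the hosts file, and pointing it at the IP the domain currently resolves to shows what the WAF serves. It then reports the subject, the SANs, days until expiry, and whether the certificate looks like the site's own (the article's Source = Customer) or Incapsula's shared one (Source = Network). The function names are my own, and the "network" classification assumes the shared certificate's subject names incapsula.com, as the article describes. The two sample certificate dicts are constructed in the shape Python's `getpeercert()` returns, not real certificates.

```python
# Added example (not SiteLock's or Incapsula's code): report the certificate a
# given IP presents for a domain, so the origin and the WAF can be compared.
import socket
import ssl
import time


def fetch_peer_cert(ip, hostname, port=443, timeout=10):
    """Return getpeercert()'s dict for the certificate that ip:port presents for hostname.

    The chain is still verified against the system trust store (getpeercert() is only
    populated for a verified chain), but the hostname check is disabled on purpose:
    a certificate for the wrong name is exactly what we want to see and report.
    """
    ctx = ssl.create_default_context()
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_REQUIRED
    with socket.create_connection((ip, port), timeout=timeout) as raw:
        with ctx.wrap_socket(raw, server_hostname=hostname) as tls:
            return tls.getpeercert()


def subject_cn(cert):
    """The subject's commonName, or None; getpeercert() gives the subject as nested tuples."""
    for rdn in cert.get("subject", ()):
        for key, value in rdn:
            if key == "commonName":
                return value
    return None


def san_dns_names(cert):
    """Every DNS entry in the subjectAltName extension."""
    return [value for kind, value in cert.get("subjectAltName", ()) if kind == "DNS"]


def hostname_matches(pattern, hostname):
    """RFC 6125-style match: '*.example.com' covers exactly one label, not the apex or deeper names."""
    pattern, hostname = pattern.lower().rstrip("."), hostname.lower().rstrip(".")
    if not pattern.startswith("*."):
        return pattern == hostname
    suffix = pattern[1:]                                   # ".example.com"
    return hostname.endswith(suffix) and "." not in hostname[:-len(suffix)]


def days_until_expiry(cert, now=None):
    """Whole days left before notAfter (negative once expired)."""
    expires = ssl.cert_time_to_seconds(cert["notAfter"])
    now = time.time() if now is None else now
    return int((expires - now) // 86400)


def classify_certificate(cert, domain):
    """'customer' (site's own cert), 'network' (Incapsula's shared cert listing the domain as a
    SAN), or 'not-covered' (the cert does not name the domain at all).
    Assumption: the shared certificate's subject names incapsula.com, as the article states."""
    names = san_dns_names(cert) or [subject_cn(cert) or ""]
    if not any(hostname_matches(n, domain) for n in names):
        return "not-covered"
    cn = (subject_cn(cert) or "").lower()
    return "network" if cn.endswith("incapsula.com") else "customer"


# Constructed samples in getpeercert()'s layout; the SAN lists and dates are made up.
SAMPLE_CUSTOM_CERT = {
    "subject": ((("countryName", "US"),), (("commonName", "example.com"),)),
    "subjectAltName": (("DNS", "example.com"), ("DNS", "www.example.com")),
    "notAfter": "Jan  1 00:00:00 2099 GMT",
}
SAMPLE_SHARED_CERT = {
    "subject": ((("commonName", "incapsula.com"),),),
    "subjectAltName": (("DNS", "incapsula.com"), ("DNS", "www.example.com"),
                       ("DNS", "example.com"), ("DNS", "*.unrelated-site.net")),
    "notAfter": "Jan  1 00:00:00 2099 GMT",
}


if __name__ == "__main__":
    import sys
    # usage: python cert_check.py <ip-to-connect-to> <domain>
    ip, domain = sys.argv[1], sys.argv[2]
    try:
        cert = fetch_peer_cert(ip, domain)
    except OSError as exc:   # covers ssl.SSLError (untrusted chain) and connection failures
        sys.exit(f"{ip} did not present a trusted certificate for {domain}: {exc}")
    print(f"{domain} via {ip}: CN={subject_cn(cert)} SAN={san_dns_names(cert)}")
    print(f"source={classify_certificate(cert, domain)}, expires in {days_until_expiry(cert)} days")
```

A self-signed or otherwise untrusted certificate on the host server makes the connection fail with a verification error, which is itself the answer to the prerequisite check: the WAF will not be able to detect a working SSL there either.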
Conclusion
At this point, you should be familiar with both processes SiteLock uses to install an SSL to the firewall. It's the same process as setting up a new firewall for the first time if an SSL is present. If you run into issues during any part of this process, give SiteLock's Support a quick call so that they can assist where possible.