How do I secure my site with HTTPS?

This FAQ was last modified on: Thursday, May 16, 2019 10:28am

HTTPS is quickly becoming the standard and expected protocol for the web, but what does it mean, and how do you get HTTPS for your own site?

What is HTTPS?

HTTPS is the secure version of HTTP, the language that your web browser uses when visiting sites. It stands for HyperText Transfer Protocol Secure, and uses a kind of dialect called SSL/TLS. SSL/TLS first verifies that the site's presented identity is correct, and then encrypts your connection to the site to keep any exchanged data private.

Do I really need HTTPS for my own site?

While HTTP has been the default for a long while, more and more browser developers are setting a new standard by treating HTTPS as the expected default. For instance, when you use Google Chrome to visit a site with HTTP, you'll now see a warning in the browser bar that tells you that your connection to a site is "Not Secure."

For site visitors, HTTPS confirms that their connection is secure, that your site is authentic, and that any information they send or receive is protected from digital eavesdroppers. HTTPS is increasingly critical to whether a visitor will trust your site or not, and can even affect its rankings for search engine query results.

What does HTTPS need to work for my site?

To secure your site with HTTPS, you will need an SSL/TLS certificate for your site domain name and any additional aliases it may use.

When you visit a website via HTTPS rather than HTTP, the browser first uses SSL/TLS to perform a handshake with the site. This initial contact checks to see if the site has an SSL/TLS certificate that has been issued by what the browser considers to be a trustworthy authority. A trustworthy SSL/TLS certificate verifies that a site is who it says it is. This is important, because malicious sites will often attempt to phish for your information by making their URL match the URL of a legitimate site. An HTTPS connection can help quickly verify whether a URL's appearance is genuine or just a mask.

How do I get an SSL/TLS certificate for my site?

The default wildcard certificate

Good news: you already have a certificate! Sites hosted with the Georgia Tech Web Hosting service use, by default, our wildcard certificate. As its name may suggest, our wildcard certificate covers site URLs in the following format: https://*.gatech.edu.

The wildcard certificate, however, has a known limitation that may not make it a good fit for your needs: limited subdomain coverage.

The wildcard certificate can only cover one subdomain level under the gatech.edu domain. Longer URLs with multiple subdomains, sites that use the WWW subdomain, or non-gatech.edu URLs will see browser warnings with HTTPS when using our certificate. For example:

OK
  • https://example.gatech.edu
Warning
  • https://www.example.gatech.edu
  • https://test.example.gatech.edu
  • https://www.test.example.gatech.edu
  • https://example.org

Larger units with multiple sites under their own subdomain level, like departments and schools, can submit a request to support@oit.gatech.edu to gain an additional level of coverage by converting their subdomain to a DNS subzone. Once a unit has a DNS subzone, it can send another request to have that DNS subzone added to our wildcard certificate as a Subject Alternative Name during the next monthly update. If example.gatech.edu was a DNS subzone and added to our certificate, it would have *.example.gatech.edu coverage:

OK
  • https://example.gatech.edu
  • https://www.example.gatech.edu
  • https://test.example.gatech.edu
Warning
  • https://www.test.example.gatech.edu
  • https://example.org
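
The two coverage lists above follow from one rule: a wildcard stands for exactly one name label and never reaches across a dot. The following is an added example, not code from the hosting service; the certificate name lists are constructed from the coverage described above, and the function names are hypothetical.

```python
# Added example (not the hosting service's code): which URLs does a
# wildcard certificate cover? The name lists below are constructed from
# the coverage this FAQ describes.
from urllib.parse import urlsplit

DEFAULT_CERT = ["*.gatech.edu"]                          # default coverage
SUBZONE_CERT = ["*.gatech.edu", "*.example.gatech.edu"]  # after the subzone is added

URLS = [
    "https://example.gatech.edu",
    "https://www.example.gatech.edu",
    "https://test.example.gatech.edu",
    "https://www.test.example.gatech.edu",
    "https://example.org",
]


def name_matches(pattern: str, host: str) -> bool:
    """Return True if one certificate DNS name covers host.

    A "*" is honoured only as the entire leftmost label and stands for
    exactly one label, so it never reaches across a dot.
    """
    p = pattern.lower().rstrip(".").split(".")
    h = host.lower().rstrip(".").split(".")
    if len(p) != len(h) or "" in h:
        return False           # different depth, or an empty label in host
    if p[0] == "*":
        return p[1:] == h[1:]  # any single label may fill the wildcard
    return p == h              # no wildcard: exact match only


def covered(url: str, cert_names: list[str]) -> bool:
    """True if the URL's hostname matches any name on the certificate."""
    host = urlsplit(url).hostname or ""
    return any(name_matches(name, host) for name in cert_names)


def report(cert_names: list[str]) -> dict[str, str]:
    """Map each sample URL to "OK" or "Warning", as in the lists above."""
    return {u: "OK" if covered(u, cert_names) else "Warning" for u in URLS}


if __name__ == "__main__":
    for label, names in (("default", DEFAULT_CERT), ("subzone", SUBZONE_CERT)):
        print(label)
        for url, result in report(names).items():
            print(f"  {result:8} {url}")
```

Run it before requesting an alias or subzone to see whether a planned hostname would fall under the existing names or need an individual certificate.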

Individual certificate

If you're a smaller unit, project, or individual initiative that is outside of the default wildcard certificate coverage and you don't qualify for your own DNS subzone, you have two options:

  1. Request approval for the use of a *.gatech.edu alias that is covered under the wildcard certificate and redirect traffic to that alias
  2. Use an individual SSL/TLS certificate to secure your site

An individual certificate will provide protection for a longer URL as well as any aliases you'd like to include, along with the WWW subdomain.

There are three ways that you can get your own individual certificate:

  1. Generate a free Let's Encrypt certificate from the hosting control panel

    Let's Encrypt is a free service that has been recently added to the Plesk web hosting toolbelt. It allows you to quickly and easily generate and manage your own individual certificate, and the certificate will also auto-renew.

  2. (Limited to IT staff) Sign up as an admin for the Delegated Self-Service Provisioning service

    Signing up for self-service provisioning grants IT staff access to generate Georgia Tech domain name InCommon certificates for your department or team. If you are not IT staff, reach out to your CSR to see if they may already be signed up for this service!

  3. Purchase an individual certificate from a trusted Certificate Authority

    If your site needs a specific kind of SSL/TLS certificate and your unit doesn't have access to InCommon through the Delegated Self-Service Provisioning service, you can purchase and add a certificate from any verified Certificate Authority. Be aware that our hosting does not provide email services, so check to make sure the Certificate Authority does not require email validation if your site uses a non-gatech.edu domain.

How do I add, change, or remove a certificate for my site?

To add a certificate:
Use the "SSL/TLS Certificates" tool on the Websites & Domains page of your hosting control panel. You can either upload a simple certificate file (*.crt), or use the "Add SSL/TLS Certificate" form to manually enter the more detailed certificate information provided by a Certificate Authority.

To change a certificate:
Use the "Hosting Settings" tool on the Websites & Domains page of your hosting control panel to navigate to "Security" -> "Certificate" and select your chosen certificate from the drop-down.
Note: to use the default wildcard certificate, leave it as "Not selected."

To remove a certificate:
Use the "SSL/TLS Certificates" tool on the Websites & Domains page of your hosting control panel. Make sure you've changed to the certificate you do want to use first, and then select and remove the certificate you want to delete.

How do I redirect traffic to HTTPS-only?

It's generally a good idea to require HTTPS to be the default way to access your site. To make sure all visitors are using HTTPS, edit your site's .htaccess file to create a redirect rule to HTTPS.

I'm seeing weird behavior or an error when using HTTPS for my site, can you help?

There can be a few common reasons why a site may struggle or behave strangely with HTTPS. If you're seeing an error page or getting the basic server index page when trying to access your site with HTTPS, let us know!