How To Install SSL Certificate in Magento 2

Merchants have to ensure sensitive data is protected when customers visit their ecommerce store.

SSL certificates create an encrypted channel between the user’s browser and the website’s server.

They offer secure data transfer and protect your store from data breaches.

We look at what an SSL certificate is and how to install SSL certificates in Magento 2.

What is an SSL Certificate

An SSL certificate is a digital certificate that verifies your site’s identity and creates an encrypted connection.

An SSL connection enables the site to move from the HTTP to the HTTPS protocol. HTTPS is more secure as the data is encrypted.

The SSL certificate is a data file hosted on a website's origin server.

Once installed, it creates a secure link between a browser and the web server.

Customers can transfer sensitive information like credit card numbers and login details.

The Certificate Authority (CA) issues Magento SSL certificates. It works as a trusted third party that has verified your site.

You have to contact the CA to generate a new certificate.

Details on the SSL certificate include:

  • Site’s domain name
  • Person or company details
  • Certificate Authority details
  • Associated subdomains
  • Issue date of the certificate
  • The expiration date of the certificate
  • Public key
  • Private key

The public and private keys used for SSL help encrypt and decrypt data.

Data encrypted with the public key can only be decrypted with the private key and vice versa.

Why Use an SSL Certificate in Magento

Without an SSL certificate, the Magento site will show HTTP. The browser sends all the data as plain text to the webserver.

The customer details become easy to steal during data transmission.

With an SSL certificate, the data is encrypted during the TLS handshake.

The TLS handshake is when two parties open a secure connection and create session keys.

The session keys encrypt and decrypt the data after the TLS handshake.

Different session keys are used to encrypt data for new sessions. That’s why the customer data remains hidden on each visit.

Types of SSL Certificates

1. Single Domain SSL Certificates

A single domain SSL certificate can only be applied to one domain. You cannot use it to verify any other domains or even subdomains.

All pages related to the domain are covered with the certificate.

2. Multi-Domain SSL Certificates

A multi-domain SSL certificate (MDC) lists many domains on one certificate. With an MDC, domains can share a certificate. The domains should not be subdomains of each other.

3. Wildcard SSL Certificates

A wildcard SSL certificate is for a single domain and all its subdomains. A subdomain works under the umbrella of the main domain.

Adobe is ending support for wildcard TLS certificates, so they are not recommended for Magento.

Validation Levels of SSL Certificate

SSL certificates also come with validation levels, which indicate how thoroughly the CA has verified the site’s identity.

You get free or paid certificates depending on the validation levels.

1. Domain Validation

Domain Validation is the least-strict validation level. You only have to verify the domain. The company’s identity is not validated.

It does not take that long, and you can get the certificate issued quickly.

2. Organization Validation

Organization validation includes a manual vetting process. The CA will contact your company and check the essential details.

The SSL certificates will show the organization’s name and address. It is more trustworthy for users than Domain Validation certificates.

3. Extended Validation

Extended Validation includes a full background check of the company. The CA ensures that the company is legally registered with a valid address.

The extended validation takes the longest but is more trusted.

The certificates are required to show the SSL secure connection lock in the browser's address bar. It is a visual clue for users of a trustworthy TLS-encrypted site.

The popular SSL certificates for e-commerce websites are Organization Validation and Extended Validation certificates.

Magento 2 - Install SSL Certificate Steps

Before we install the SSL certificate, ensure you have these prerequisites.

  • Budget for the certificate
  • Registered domain name
  • Web server to install the SSL certificate
  • Certificate Authority and type of SSL certificate
  • CSR and Private key

Generate a CSR and Private Key

You might have an Apache HTTP or Nginx web server. Use OpenSSL to generate your private key and CSR on your web server.

We will store the relevant files in the home directory.

cd ~

We will generate a private key called example.com.key, along with a CSR called example.com.csr.

Run the following command and replace example.com with your domain name.

openssl req -newkey rsa:2048 -nodes -keyout example.com.key -out example.com.csr

You are prompted for the details that will be displayed in your certificate.

The Common Name field should match the name with which you want to use your certificate.

For example: example.com, www.example.com, or (for a wildcard certificate) *.example.com.

Ensure that all fields accurately reflect your company details for an OV or EV certificate.

For example:

Country Name (2 letter code) [AU]:US
State or Province Name (full name) [Some-State]:New York
Locality Name (eg, city) []:New York
Organization Name (eg, company) [Internet Widgits Pty Ltd]:My Company
Organizational Unit Name (eg, section) []:
Common Name (e.g. server FQDN or YOUR name) []:example.com
Email Address []:sammy@example.com

This will generate a .key and .csr file.

The .key file is the private key and should be kept secure. The .csr file is sent to the CA to request your SSL certificate.

You have to copy and paste your CSR to request the certificate from CA. Use the following command to print the CSR content. Replace the filename with your preferred filename.

cat example.com.csr
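
Before pasting the CSR into the CA's form, it is worth confirming that it is intact, belongs to the key you will install, and names the right host. The script below is an added example, not part of the original article; `check_csr` and `make_sample` are hypothetical helper names, and the sample key and CSR are constructed in a temporary directory.

```shell
# check_csr CSR KEY EXPECTED_CN: returns 0 only if every check passes.
check_csr() {
    csr=$1; key=$2; cn=$3; rc=0

    # 1. The CSR's self-signature must verify. Match on the message text because
    #    some OpenSSL versions exit 0 even when verification fails.
    openssl req -in "$csr" -noout -verify 2>&1 | grep -q 'verify OK' ||
        { echo "FAIL: CSR is damaged or its signature does not verify"; rc=1; }

    # 2. The CSR must carry the public half of this private key.
    kpub=$(openssl pkey -in "$key" -pubout 2>/dev/null)
    cpub=$(openssl req -in "$csr" -noout -pubkey 2>/dev/null)
    [ -n "$kpub" ] && [ "$kpub" = "$cpub" ] ||
        { echo "FAIL: CSR was not generated from $key"; rc=1; }

    # 3. The Common Name must be the host name the certificate is for.
    got=$(openssl req -in "$csr" -noout -subject -nameopt RFC2253 2>/dev/null |
          sed -n 's/.*CN=\([^,]*\).*/\1/p')
    [ "$got" = "$cn" ] || { echo "FAIL: Common Name is '$got', expected '$cn'"; rc=1; }

    # 4. The key must be at least the 2048 bits requested with rsa:2048.
    bits=$(openssl req -in "$csr" -noout -text 2>/dev/null |
           sed -n 's/.*Public-Key: (\([0-9]*\) bit.*/\1/p')
    [ "${bits:-0}" -ge 2048 ] || { echo "FAIL: key has ${bits:-?} bits"; rc=1; }

    # 5. -nodes leaves the key unencrypted, so only its owner may read the file.
    [ "$(ls -ld "$key" | cut -c5-10)" = "------" ] ||
        { echo "FAIL: $key is accessible to group or others (chmod 600)"; rc=1; }

    [ "$rc" -eq 0 ] && echo "OK: $csr matches $key (CN=$cn, $bits bits)"
    return "$rc"
}

# Constructed sample input: a throwaway key and CSR in a temp dir, made with the
# article's command plus -subj so that no prompts appear.
make_sample() {
    d=$(mktemp -d) &&
    openssl req -newkey rsa:2048 -nodes -keyout "$d/example.com.key" \
        -out "$d/example.com.csr" \
        -subj "/C=US/ST=New York/L=New York/O=My Company/CN=example.com" \
        >/dev/null 2>&1 &&
    chmod 600 "$d/example.com.key" && echo "$d"
}

dir=$(make_sample) && check_csr "$dir/example.com.csr" "$dir/example.com.key" example.com
```

Depending on the OpenSSL version and your umask, the key file may be created readable by other users, which is why the permission check is part of the list.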

Now we are ready to buy a certificate from a CA.

We will show how to get the certificate from GoDaddy using Namecheap.

Purchase an SSL Certificate with GoDaddy

1. Buy an SSL Certificate

GoDaddy is a popular CA and offers all primary certificate types.

Navigate to the GoDaddy SSL certificate page.

Scroll down to see the certificate types and plans.

Select the type of certificate and the plan type: Domain, Organization, or Extended Validation.

Choose the duration of validity. Click on the Add to Cart button.

Review your current order and continue to checkout. Complete the registration and payment process.

2. Request Certificate

After you complete your order, you will be prompted for a few more steps.

To request a certificate, find the SSL certificate that you just purchased. Click the Setup button.

If you have not used GoDaddy for SSL certificates before, you will be prompted to set up the “SSL Certificates” product.

Requesting the certificate will also depend on your certificate type. Choose the steps using the official GoDaddy page.

After the “SSL Certificates” Product is added to your GoDaddy account, you can see the “New Certificate” and a “Launch” button.

Click on the Launch button next to your new certificate.

Provide your CSR by pasting it into the box. The SHA-2 algorithm is used by default.

Use the Request Certificate button for your selected certificate.

3. Verify Domain

The next step is to verify you have control of your domain.

GoDaddy will send a domain ownership verification email. It is sent to the email address on your domain’s WHOIS record.

Follow the email's instructions and authorize the issuance of the certificate.

4. Download Certificate

After verifying the certificate, you’ll get an email stating your SSL certificate has been issued.

Open it, and follow the email steps to download your SSL certificate.

You do this in the GoDaddy control panel. Click the Download button.

Navigate to the Server type dropdown menu. Select the server software you’re using like Apache HTTP or NGINX.

Click Download Zip File and then extract the ZIP archive.

It will contain two .crt files. The first is your SSL certificate, which has a random name. The second is the GoDaddy intermediate certificate bundle (gd_bundle-g2-1.crt).

Copy both to your web server.

You can now rename the certificate to the domain name with a .crt extension, for example, example.com.crt.

Rename the intermediate certificate bundle as intermediate.crt.

The certificate is now ready to be installed on your web server.

Steps to Install the SSL Certificate on NGINX Web Server

You can install the certificate on your web server. It requires adding a few SSL-related lines to your webserver software configuration.

We will cover basic NGINX configurations on Ubuntu 14.04.

Prerequisites:

  • The Private key is called example.com.key
  • SSL certificate, which is called example.com.crt
  • The private key, SSL certificate, and CA’s intermediate certs are located in a home directory at /home/sammy
  • The CA intermediate certificate(s) are in a file called intermediate.crt
  • If a firewall is enabled, ensure that it allows port 443 (HTTPS)

NGINX

Use these steps to install SSL certificates on NGINX.

Your CA includes an intermediate certificate. You have to create a single “chained” certificate file.

The file contains the certificate and the CA’s intermediate certificates.

Change to the directory that contains the private key, the certificate, and the CA intermediate certificates (in the intermediate.crt file).

We assume it's in your home directory for the example:

cd ~

Assuming your certificate file is called example.com.crt, use the following command to create a combined file called example.com.chained.crt.

Replace the example part with your own domain.

cat example.com.crt intermediate.crt > example.com.chained.crt

Access the NGINX server block configuration directory. It is usually located at /etc/nginx/sites-enabled. Use this command to change to it:

cd /etc/nginx/sites-enabled

Assuming you want to add SSL to your default server block file, open the file for editing:

sudo vi default

Find the listen directive and modify it so it looks like this:

listen 443 ssl;

Now, find the server_name directive and ensure its value matches the Common Name of your certificate.

Add the ssl_certificate and ssl_certificate_key directives. They specify the paths of your certificate and private key files.

Replace the example parts with the actual paths of your files.

server_name example.com;
ssl_certificate /home/sammy/example.com.chained.crt;
ssl_certificate_key /home/sammy/example.com.key;

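To allow secure SSL protocols and ciphers, add the following lines to the file:

# TLS 1.0 and 1.1 are deprecated (RFC 8996), so only TLS 1.2 is enabled here.
# Append TLSv1.3 on nginx 1.13.0 or later built with OpenSSL 1.1.1 or later.
ssl_protocols TLSv1.2;
ssl_prefer_server_ciphers on;
ssl_ciphers 'EECDH+AESGCM:EDH+AESGCM:AES256+EECDH:AES256+EDH';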

If you want HTTP traffic to redirect to HTTPS, you can add this additional server block at the top of the file.

Replace the example parts with your information.

server {
    listen 80;
    server_name example.com;
    rewrite ^/(.*) https://example.com/$1 permanent;
}

Restart NGINX to load the new configuration and enable TLS/SSL over HTTPS.

sudo service nginx restart
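
The chained file built with cat earlier in this section is the part of the setup that most often goes wrong, and it can be checked before the restart. The script below is an added example, not part of the original article; `check_bundle` and `make_bundle` are hypothetical helper names, and the sample CA, key and certificates are constructed in a temporary directory.

```shell
# check_bundle CHAINED_CRT KEY: returns 0 only if every check passes.
check_bundle() {
    chain=$1; key=$2; rc=0

    # cat joins files byte for byte: if the first one lacks a final newline, two
    # PEM markers end up on one line and the file no longer parses.
    if grep -q -- '-----END CERTIFICATE----------BEGIN CERTIFICATE-----' "$chain"; then
        echo "FAIL: certificates run together; put a newline between them"; return 1
    fi
    [ "$(grep -c -- '-----BEGIN CERTIFICATE-----' "$chain")" -ge 2 ] ||
        { echo "FAIL: bundle holds no intermediate certificate"; rc=1; }

    # openssl x509 reads only the first certificate in a file. It must be the
    # site's own certificate, i.e. carry the public half of the private key.
    kpub=$(openssl pkey -in "$key" -pubout 2>/dev/null)
    cpub=$(openssl x509 -in "$chain" -noout -pubkey 2>/dev/null)
    [ -n "$kpub" ] && [ "$kpub" = "$cpub" ] ||
        { echo "FAIL: first certificate does not match $key"; rc=1; }

    # The second certificate must be the issuer of the first.
    want=$(openssl x509 -in "$chain" -noout -issuer_hash 2>/dev/null)
    have=$(awk '/-----BEGIN CERTIFICATE-----/{n++} n==2' "$chain" |
           openssl x509 -noout -subject_hash 2>/dev/null)
    [ -n "$want" ] && [ "$want" = "$have" ] ||
        { echo "FAIL: second certificate did not issue the first"; rc=1; }

    # Flag a certificate that expires within 30 days (2592000 seconds).
    openssl x509 -in "$chain" -noout -checkend 2592000 >/dev/null 2>&1 ||
        { echo "FAIL: certificate expires within 30 days"; rc=1; }

    [ "$rc" -eq 0 ] && echo "OK: $chain"
    return "$rc"
}

# Constructed sample input: a throwaway self-signed CA stands in for the CA's
# intermediate and signs a 90-day certificate for example.com.
make_bundle() {
    d=$(mktemp -d) &&
    openssl req -x509 -newkey rsa:2048 -nodes -days 365 -subj "/CN=Constructed CA" \
        -keyout "$d/ca.key" -out "$d/intermediate.crt" >/dev/null 2>&1 &&
    openssl req -newkey rsa:2048 -nodes -subj "/CN=example.com" \
        -keyout "$d/example.com.key" -out "$d/example.com.csr" >/dev/null 2>&1 &&
    openssl x509 -req -in "$d/example.com.csr" -CA "$d/intermediate.crt" \
        -CAkey "$d/ca.key" -CAcreateserial -days 90 -out "$d/example.com.crt" >/dev/null 2>&1 &&
    cat "$d/example.com.crt" "$d/intermediate.crt" > "$d/example.com.chained.crt" && echo "$d"
}

dir=$(make_bundle) && check_bundle "$dir/example.com.chained.crt" "$dir/example.com.key"
```

Running `sudo nginx -t` after editing the server block makes NGINX validate the configuration before `sudo service nginx restart` is issued.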

How to Enable SSL Certificate in Magento 2

To enable an SSL certificate in Magento 2, follow these steps:

  1. From the Admin panel, go to Stores > Configuration.

  2. In the General tab, select Web. The Settings page will be displayed.

  3. Select the Base URLs (Secure) section and expand it.

  4. Update the Secure Base URL option to HTTPS.

  5. Select Yes using the drop-down for both Use Secure URLs on Storefront and Use Secure URLs in Admin. These options are used to display the secure URLs in the frontend.

  6. Click the Save Config button.

Once you have flushed the Magento cache, the storefront will show the updates.

End Note

SSL certificates are essential to secure your customer’s data on the Magento store.

It improves conversion rates as customers are more likely to complete the checkout process on a secure site.

You can enhance customers’ trust by adding the green padlock sign in the browser's address bar.

Get more insights about the Magento ecommerce platform on the MGT-Commerce tutorials.

Nikita S.
Lead Technical Writer

As a lead technical writer, Nikita S. is experienced in crafting well-researched articles that simplify complex information and promote technical communication. She has expertise in cloud computing and holds a specialization in SEO and digital marketing.

