SSL Improvements for cPanel & WHM

Screen Shot 2013-04-24 at 11.29.50 AM

The internet is brimming with online stores, merchant gateways, and more e-commerce solutions than you can shake a stick at. With such a quickly growing market, the ability to securely communicate across a network became a necessity. Technologies, like SSL and TLS for example, have stepped up to fill this ever growing requirement. For users who are running their own stores, or who simply want to be able to securely access their email, an SSL or TLS certificate is a necessity.

cPanel & WHM 11.38 will be seeing a number of new SSL improvements in the form of usability changes, SNI support, and support for multi-domain certificates. Recently, I was able to sit in on a demonstration of these new features to see for myself what this offering includes.  

Enhanced Error Checking

A number of niceties have been added to the user interface to make the process of installing a certificate more straight forward and much more foolproof.

Enhanced Error Checking steps when attempting to install a certificate on a server. In the event that there’s an issue with the certificate cPanel & WHM will deny the installation to prevent the certificate from being installed on the server. Additionally, it will let the user know that there is an issue that needs be to resolved in order for the installation to result in a working certificate.

Server Name Indicator (SNI)

Currently, it’s common for each SSL Certificate to require its own dedicated IP address. The cost of this address is typically being passed down to the end user.

SNI is able to change this paradigm by indicating what hostname the client is connecting to at the start of the handshake process. This allows a server to have multiple certificates all installed on the same IP address. Users on shared servers, that support SNI, will be able to install their own certificates and bypass the need for a dedicated address. While this saves on the cost of the dedicated IP address, this also helps reduce the need for extra addresses.

In order to experience the full benefit of SNI in cPanel & WHM 11.38, an operating system that supports this functionality will be needed as well. CentOS 6 is a prime example of such an operating system.

Multi-Domain Certificates (UCC/SAN)

What if I’m using an operating system that doesn’t support SNI, such as CentOS 5?

As an alternative to SNI we have also taken steps to improve our support for multi-domain certificates. These allow users to add multiple domain names to a single certificate, and multi-domain certificates can be installed onto shared IP addresses.

Within both cPanel & WHM, users can quickly create self-signed, multi-domain certificates and can additionally generate signing requests that they can then take to their SSL provider to have their permanent certificate created.

With all of the improvements coming it’s hard not to be excited for cPanel & WHM 11.38. You can expect to see these new SSL improvements soon.

This entry was posted in Tips & Tricks and tagged , , . Bookmark the permalink.
  • Pingback: SSL Improvements for cPanel & WHM Now Available | Simple Helix

  • Sam Davis

    So how does this actually work? I have a VPS with about 200 sites, one shared IP. We are using WHM 11.38 (build 10) on Centos 5.9 x86_64 Virtuozzo.

    About ten of these sites need SSL certificates. On our previous server, we had 11 IP’s (10 dedi, one shared), and individual SSL’s were installed on each domain that required them.

    Can anyone spread any light as to how to do this exactly? I thought (naively) it’d be a case of WHM/cPanel just “allowing” multiple SSL’s all of a sudden, but it doesn’t seem to be the case, as I still get the message which says “This certificate is different from the certificate that is already installed on this IP address. Your server does not support more than one certificate per IP address”.

    Do I need to be using a wildcard SSL to achieve this or something?

    Help appreciated!

  • Daniel

    When you say each multi-domain SSL require its own dedicated IP, does this mean each domain within the multi-domain SSL require dedicated IP address or can they share the dedicated IP?

    • cpnathanli

      A multi-domain certificate allows you to install a number of domains onto a single certificate. So, you can set that certificate up on a single dedicated IP address, and all of the domains added on that certificate will share it.

      • Daniel

        However the current release of CPanel wont allow multiple domains on a shared IP, you need to assign each domain with a dedicated IP.

  • PhaseBurn

    Nice to know you’ll be supporting these, I’m sure 2006 thanks you for implementing them (finally).

  • Daniel

    As an alternative to SNI we have also taken steps to improve our support for multi-domain certificates. These allow users to add multiple domain names to a single certificate, but this type of certificate still requires its own dedicated IP address.

    Is this ever going to change? To have the ability for multi-domain certificates to share IP addresses, rather than having to assign dedicated IP address to each domain within the certificate?

    • http://twitter.com/ericellis Eric

      I believe you are confusing UUC certificates with SNI. Right now these two technologies operate independently. We’re waiting for the SSL world to evolve a bit for that.

  • Karl Austin

    How about we actually get around to giving proper multi-domain support that many partners have been asking about for years and years and years, then we can also have multiple SSL per account without having to hack userdata files? :)

    • Kyle A.

      They specifically talk about this:

      “[W]e have also taken steps to improve our support for multi-domain certificates [...] Within both cPanel & WHM, users can quickly create self-signed, multi-domain certificates and can additionally generate signing requests that they can then take to their SSL provider to have their permanent certificate created.”

  • Kyle A.

    About time with the UCC support. That’s been a PITA to setup for clients and adjust every time they add/remove a domain from the SAN. SNI support is going to be great too, will really cut down on IP usage.