HTTPS is not enabled

Rule from ssl under security category

What is a trooper!

we have submitted your edit to the community for review! We'll review and make it live on the site in the next few hours, the internet thanks you :).

Browse another section of the knowledge base



Suggest an edit

Cancel

This rule has no content... yet.

Add content to this rule

Or just browse to view rules that have content



 

HTTPS has become a important part of keeping users safe on the web. With new tools/protocols (HTTPv2) that only operate over SSL the importance is clear.

While not a issue per-say websites are recommended to look at enabling HTTPs for their users. This might not always be possible but should be strongly considered.

Search engines like Google have also been taking a interest by including SSL as a ranking signal in their algorithm.

How do I fix this ?

There are 2 options here, both leading to HTTPS for your website.

Option number 1 is that services like cloudflare.com offer SSL for free to all their customers. If you do not control the server (shared hosting) or simply looking for a quick generic fix this is a great (and quick) option.

Option number 2 is a bit more involved but will put you in control. That is buying a certificate from a SSL provider and enabling it in your web server config.

Following these steps you'll come out above, we've provided more details information under "SSL certificates" while providing a quick overview here:

  • Decide on the level of certificate you're domain/business requires. These include Domain Validated, Company Validated or Extended Validation.
  • Generate a private key that you'll keep private
  • Sign a CSR (Certificate Signing Request) with that private key
  • Head to a Certificate Authority that will sign and give you a certificate ready for use. Some examples include GeoTrust, DigiCert, Thawte and www.symantec.com
  • Enable the certificate that your provider has sent on your web server.

See "SSL certificates" for more details on all these steps.

SSL Certificates

Certificate Types

There are mainly 3 types of certificates:

  • Domain Validated / Low Assurance: These Certificates are fully supported and share the same browser recognition with Organization validated certificates, but come with the advantage of being issued almost immediately and without the need to submit company paperwork. This makes the certificate ideal for businesses needing a low cost SSL quickly and without the effort of submitting company documents. Only your domain name will be included in the certificate and not the business name and the required check is mostly done by just checking your WHOIS record. As the name implies, they provide less assurance to your customers.
  • Company Validated / High Assurance: A high assurance certificate is the normal type of certificate that is issued. There are two things that must be verified before you can be issued a high assurance certificate: ownership of the domain name and valid business registration. Both of these items are listed on the certificate so visitors be be sure that you are who you say you are. Because it requires manual validation, high assurance certificates can take an hour to a few days to be issued. These certificates include the actual organization name and domain in the certificate.
  • Extended Validation: An EV certificate is a new type of certificate that is designed to prevent phishing attacks. It requires extended validation of your business and authorization to order the certificate and can take a few days to a few weeks to receive. It provides even greater assurance to customers than high assurance certificates by making the address bar turn green and displaying the company name too.

Steps to buying a certificate

Step 1: Decide on a Certificate Type

Different organizations have different needs so selecting the correct type is important. See "Certificate Types" for all the juicy details.

Step 2: Generate your Private Key

OpenSSL is a open source toolkit that is installed by default on most systems. It can be used to generate all the required keys you need.

To generate a private key with the name private_key.pem of 2048 bit, you would use the following command:

openssl genrsa -des3 -out private.key 2048

Step 3: Create a Certificate Signing Request

OpenSSL is our toolkit of choice again. Using your private key we created in the first step us:

openssl req -new -key private.key -out request.csr

Step 4: Head to your Certificate Authority

Head over to any of these well known SSL auhorities:

Step 5: Configure Web Server

Depending on your type of web server this config could differ. We tried to common the classics, namely NGINX and Apache.

NGINX

server {
    listen              443 ssl;
    server_name         www.example.com;
    ssl_certificate     www.example.com.crt;
    ssl_certificate_key www.example.com.key;
    ssl_protocols       TLSv1 TLSv1.1 TLSv1.2;
    ssl_ciphers         HIGH:!aNULL:!MD5;
    ...
}

Apache

<VirtualHost 192.168.0.1:443>
DocumentRoot /var/www/html2
ServerName www.yourdomain.com
SSLEngine on
SSLCertificateFile /path/to/your_domain_name.crt
SSLCertificateKeyFile /path/to/your_private.key
SSLCertificateChainFile /path/to/DigiCertCA.crt
</VirtualHost>

Step 6:

Rest easy that your users are now more secure !

Resources

Browse another section of the knowledge base



Signup icon
Ready to see how well your site scores?

Passmarked works best when you have an account. It allows you to keep a dashboard with saved data of the sites you have run through the system, we’ll alert you about important updates and you get access to the Passmarked Slack forum.

Sign up to get started