SSL/TLS certificates enable visitors to connect to your site with HTTPS, a secure protocol for exchanging information on the Internet. An SSL certificate will add a layer of secure encryption to your website, so any information your users submit on your website is encrypted. In this article we will explain how to obtain an SSL certificate for your website on the WP Engine platform.
WHAT IS HTTPS?
HTTPS (Hypertext Transfer Protocol Secure) is the protocol for secure communication on the World Wide Web, and it prevents eavesdroppers from seeing information that visitors send or receive over the Internet. HTTPS secures its connections by using SSL/TLS, protocols that authenticate web servers and that encrypt messages sent between browsers and web servers.
WHAT IS SSL/TLS?
TLS (Transport Layer Security) is a cryptographic protocol that provides secure communication over the Internet. HTTPS uses TLS to secure communication for website visitors. TLS provides the following security benefits:
- Identity authentication — The browser determines whether a web server is the right server, and not an imposter.
- Privacy — Information between the browser and web server is kept private by using encryption.
- Data integrity — Messages between the browser and the web server cannot be altered by others (e.g., during a man-in-the-middle attack).
SSL (Secure Sockets Layer) is the predecessor of TLS. After SSL 3.0, the next upgrade was named TLS 1.0 (instead of SSL 4.0) because the version upgrade was not interoperable with SSL 3.0. Many people refer to TLS as SSL (old habits die hard) or as SSL/TLS, even though all versions of SSL are technically now deprecated.
Do I have SSL on my site?
To determine if you have an SSL certificate installed on your website, visit your domain (for example mycoolwebsite.com) with https:// in front. The “s” in HTTPS stands for “secure”.
- If you see a secure padlock next to the domain this means your site is secured by an SSL certificate. You can also click on this icon to view certificate details, such as expiration date and issuer.
- If you see a security warning, this means your site is not secured by an SSL and you will need to add one.
- If the padlock next to your domain is broken, crossed out, or shows “more info”, this means your site is secured by an SSL but there is mixed content on the page that needs correcting.
You can also test your SSL status with an external tool:
Add an SSL
- Ensure you’ve added your domain to the User Portal
- Ensure you’ve pointed DNS for your domain
- Open the User Portal
- Click Sites
- Select the production environment name
- Click SSL
- Click Add Certificates
- Select an item from this SSL Certificate Options list (details on each option below)
- Follow the prompts to complete the request process
- When the SSL has completed install, you will receive an email and SSL options will become available
The process is automated from here. Once the order is placed, our system will verify DNS has been pointed and install the certificate. Certificates typically install within just a few minutes, however in some cases this can take up to 24 hours.
All SSLs ordered through WP Engine default to Auto-Renew and Secure All URLs.
Let’s Encrypt Certificates
Let’s Encrypt offers free domain-validated (DV) single-domain SSL certificates, which are ideal for almost every website. In most cases two Let’s Encrypt certificates need to be ordered for a single site; one for WWW and one for non-WWW.
Let’s Encrypt certificates expire after 90 days, compared to 365 days for RapidSSL. Our system will will attempt to auto-renew these 15 days before expiration.
Ordering a Let’s Encrypt certificate replaces any existing certificates for that domain (RapidSSL or 3rd-party).
RapidSSL Wildcard Certificates
WP Engine offers wildcard domain-validated (DV) certificates from RapidSSL. You only need this type of certificate if you want to cover your root domain AND all subdomains with a single certificate.
RapidSSL wildcard certificates cost $199 USD and will cover all subdomains. However, if you only use a few subdomains, it’s much easier to manage the few certificates you need with free Let’s Encrypt SSL certificates instead.
Our system will auto-renew RapidSSL 3 days before its expiration.
NOTE: For a Wildcard SSL order to process, the top-level (non-WWW) domain must have DNS pointed to a WP Engine server.
Import New or Existing 3rd-Party Certificate
Note: The option to import a 3rd-party SSL certificate is not available for Startup plans.
Importing a 3rd-party SSL is ideal if you already have a valid SSL certificate you want to use, or if you need to use an Extended Validation (EV) or Multi-Domain certificate (SAN).
Importing 3rd-party SSLs also allows you to secure the domain prior to DNS being pointed to WP Engine.
NOTE: To install a 3rd-party SSL we must have a matching certificate and key file.
Import Existing Certificate
If you already have a 3rd party SSL certificate and the matching private key files:
Import New Certificate
This option will help you generate a CSR. A CSR (Certificate Signing Request) securely generates and saves a key file on WP Engine’s servers. You then take the CSR to your SSL issuer who will use it to create a certificate file that matches. Once that is provided back to us, we will validate that the files match and install the certificate.
This option will help you generate a CSR. Select this option if you:
- Do not have a certificate file
- Do not have a key file
- Do not have a matching certificate and key file
- Open the SSL Certificate Options page
- Click Start This Process
- Fill out the information as accurately as possible
- Click Generate CSR
- Copy or download the CSR contents
- Provide the CSR to your SSL issuer
- If asked for a “server type,” select Apache or Nginx
- Your SSL issuer will use the CSR to generate a matching certificate file
- Once you have a matching file, click Upload Certificate
- Paste or upload the certificate file(s)
- Click Notify Support
- Support will be notified to validate and install your SSL
- NOTE: Keep an eye on your email inbox. We will notify when it’s complete or if there’s an issue you need to address.
Manage the pending 3rd party SSL request
If you closed the previous page and need to upload your certificate or view the CSR again, use these steps. You can also use these steps to cancel a pending 3rd party SSL request.
- Open the User Portal
- Click Sites
- Select the environment name
- Click SSL
- Expand the domain with the status as Pending
- Upload Certificate (CRT) — Upload the certificate provided by your SSL issuer
- View Certificate Signing Request (CSR) — View and download or copy the previously generated CSR request
- Delete & Revoke CSR — Deletes existing CSR and key and removes the pending request from your User Portal
Let’s Encrypt does not issue certificates for high-risk domain names—those that resemble well-known banks or brands (e.g., wellsfargo.world or cocacola.info) or for sites that Google tags as unsafe.
If your SSL request fails to process automatically, a Support ticket with a “Certificate Domain Validation Error” or “Certificate Authority Error.”
- If you experience these errors make sure your DNS is pointed correctly to WP Engine, and that your domain does not redirect to another domain.
If you use Cloudflare, you will also need to configure SSL settings in their dashboard
SSL/TLS certificate warnings for Internet Explorer on Windows XP
- WP Engine uses Server Name Indication (SNI) for SSL/TLS certificates. SNI provides an efficient way to configure certificates, and it works well with most browsers. However, visitors that use Internet Explorer on Windows XP may see the following error:
This Connection is Untrusted / Certificate Error: You have asked to connect securely, but we can’t confirm that your connection is secure. Normally, when you try to connect securely, sites will present trusted identification to prove that you are going to the right place. However, this site’s identity can’t be verified.
If you are using Sucuri WAF
- Please contact the Sucuri team and request enabling the Forward Certificate Validation to Hosting option. This will allow your Let’s Encrypt certificate request to process normally.
Secure URL Options
To see your SSL options simply click on the domain name to expand the options. The option “secure all URLs” is selected on an SSL ordered through WP Engine by default.
This option tells our platform to automatically serve HTTP page requests secured with HTTPS. One important thing to note when you choose this option is to ensure you are not using any force SSL plugins.
You will also have the option to select “Secure Specific URLs”. If you choose this option you will need to use RegEx to ensure those URLs are secured properly.
Why can’t I use a force SSL plugin?
Force SSL plugins can cause redirect loops when their settings conflict with the settings on the SSL dashboard. We recommend that you leverage the settings that we provide in the SSL dashboard as they work server side and have been tested extensively with our platform.
How do I know if I use a force SSL plugin?
- Log into your site’s WordPress Admin
- Visit the Plugin page
- Look for any plugin that mentions Securing Pages, HTTPS, or SSL.
Common Force SSL Plugins
- Force SSL
- WP Force SSL
- WordPress HTTPS
- Verve SSL
- Really Simple SSL
- Easy HTTPS Redirection