If you want to encrypt traffic to your Foleon publications, you’ve come to the right place. In this article, we’ll explain the basics of SSL/TLS and the different ways to secure traffic to your publications.
Important note: Keep in mind that the IP whitelisting access control method will not work if your publication is secured with SSL/TLS. Read more about what access control methods are in our article: Setting up access control and determining search engine access.
In this article
- What is SSL/TLS?
- Encrypting your Foleon publications
- Uploading your own SSL/TLS certificate
- Using a CSR (Certificate Signing Request)
What is SSL/TLS?
TLS, formerly known as SSL, keeps the connection between a web server and a browser encrypted and private. TLS also proves to visitors that you are the owner of the hostname a publication is published on.
To check if a connection is private, simply enter a URL into your browser’s address bar and check if it automatically navigates to HTTP or HTTPS.
If you see HTTPS, this means a certificate is installed and your connection is private/secured. If you’re taken to HTTP, this means no certificate is installed and the site’s connection is not secured.
If a certificate is not installed, it’s possible that visitors will see a message stating that the website is not secure and won’t be able to continue.
Encrypting your Foleon publications
To ensure authenticity with SSL/TLS certificates, you are required to get the certificate yourself as the domain owner.
By default, we enable TLS for the Foleon hostname.
For custom hostnames, we have features for configuring your certificate on our servers. Due to the nature of our distribution network, we reload TLS configurations as part of our weekly maintenance. This is commonly done on the weekends to minimize downtime.
You have 2 options for encrypting traffic to your Foleon publications.
Option 1: Use the default Foleon hostname
If you’ve set up your hosting to use the default Foleon hostname, you will still be presented with an HTTP version of the publication’s URL. Simply add an ‘s’ after HTTP to get the encrypted HTTPS version of the URL. We recommend sharing this secured URL with your audience.
Option 2: Use a custom domain and upload an SSL/TLS certificate
We have a built-in feature for uploading your own SSL/TLS certificates. In the next step, we’ll explain what files you need in order to make your domain secure and also demonstrate how to upload them.
Uploading your own SSL/TLS certificate
In order to make your custom domain secure with an SSL/TLS certificate, you will need access to the following files:
- A certificate (PEM-formatted). The file extension is usually .crt, .cert or .pem.
- A private key (make sure to remove the password).
- Certificate intermediates.
In some cases, your certificate vendor (this doesn’t have to be your hosting provider) will send you a single file.
Please note that if you use Let’s Encrypt, a certificate is only valid for 3 months. We recommend getting a certificate that is valid for at least 2 years, depending on the nature of your publication.
Uploading the certificate
Go to a publication’s Publishing settings and navigate to Hosting. Click on the lock icon in order to make changes to the domain settings. Select Use your own custom domain.
Here, you’ll see an option to host on HTTP or HTTPS. Select https://.
As soon as you select https://, the Certificate configuration button will appear. Click on it to start inserting your SSL/TLS certificate.
It is only possible to upload your files in their core form. This means you’ll need to open each certificate file and copy out the code (its text content); it’s not possible to upload the files that contain the code. There are several free tools available for extracting the core code from SSL/TLS certificate files. Here are a few examples:
- Atom: https://atom.io/
- Sublime Text: https://sublimetext.com/download/
- Visual Studio Code: https://code.visualstudio.com/
- Brackets: http://brackets.io/
Important note: If your certificate files are delivered in .PFX format, you might need to convert these to .PEM or the files will not show the correct.
The code of a certificate looks something like this:
The certificate begins with -----BEGIN CERTIFICATE----- and ends with a matching -----END CERTIFICATE----- line (both lines need to be included in the code you insert). The code for intermediates and private keys is wrapped in the same kind of BEGIN and END lines.
Next, insert the code into the right fields.
Only when the private key matches the certificate will the option to Save appear. In the example above, the field for ‘Intermediates’ is empty. It isn’t mandatory to upload the intermediates (CA-certificates) but we highly recommend it for a higher rating of your certificate.
Usually, the intermediate certificates are attached to your certificate and private key. If not, your SSL/TLS vendor will almost always offer them for download on their website.
After you’ve correctly inserted your SSL/TLS certificate codes, you’ll see your SSL/TLS certificate and its expiration date in the publishing settings with a note of the certificate’s validation.
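The file preparation described above, as an added example that is not Foleon's own tooling: a shell script using the openssl command-line tool to convert a .PFX file to PEM, remove the password from a private key, and confirm that the key matches the certificate before you paste the texts into the form. The file names and the KEY_PASS and PFX_PASS variables are assumptions.

```shell
#!/bin/sh
# Added example, not Foleon tooling. File names and variable names are assumptions.

# True if the PEM key is still password-protected: PKCS#8 keys say
# "BEGIN ENCRYPTED PRIVATE KEY", traditional keys carry "Proc-Type: 4,ENCRYPTED".
key_is_encrypted() {
    grep -q 'ENCRYPTED' "$1"
}

# Write a password-free copy of key $1 to $2; the password is read from $KEY_PASS.
# umask 077 keeps the unprotected key readable by its owner only.
remove_key_password() {
    ( umask 077; openssl pkey -in "$1" -passin env:KEY_PASS -out "$2" )
}

# Split PFX file $1 into PEM files in directory $2; password is read from $PFX_PASS.
pfx_to_pem() {
    openssl pkcs12 -in "$1" -passin env:PFX_PASS -nokeys -clcerts -out "$2/cert.pem" &&
    openssl pkcs12 -in "$1" -passin env:PFX_PASS -nokeys -cacerts -out "$2/intermediates.pem" &&
    ( umask 077
      openssl pkcs12 -in "$1" -passin env:PFX_PASS -nocerts -nodes -out "$2/key.pem" )
}

# True if private key $2 belongs to certificate $1, i.e. both hold the same public key.
key_matches_cert() {
    cert_pub=$(openssl x509 -in "$1" -noout -pubkey 2>/dev/null) || return 1
    key_pub=$(openssl pkey -in "$2" -passin pass: -pubout 2>/dev/null) || return 1
    [ -n "$cert_pub" ] && [ "$cert_pub" = "$key_pub" ]
}

# Check certificate $1 and key $2; print the first problem found, or the
# certificate's subject and expiry date when both checks pass.
preflight() {
    if key_is_encrypted "$2"; then echo "key still has a password"; return 1; fi
    if ! key_matches_cert "$1" "$2"; then echo "key does not match certificate"; return 1; fi
    openssl x509 -in "$1" -noout -subject -enddate
}

# Usage: sh preflight.sh certificate.pem private.key
if [ $# -eq 2 ]; then preflight "$1" "$2"; fi
```

The files written by openssl pkcs12 carry "Bag Attributes" lines above each block; paste only the text from the BEGIN line through the END line. Delete the password-free key from your machine once the certificate has been uploaded.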
Important note: once your SSL/TLS certificate is installed, it will automatically apply to all publications in that project (previously known as publication groups).
We’ll notify you via email when a certificate is about to expire.
We manually install certificates at least once a week. This means that when you upload your files, your publications will be accessible through HTTPS within a week.
You can go ahead and publish and share your publication. HTTP traffic will be automatically redirected to HTTPS once we’ve processed and installed your certificate.
Using a CSR (Certificate Signing Request)
If you, or your certificate supplier, are not able to send private keys over the internet, it’s possible to use a CSR (Certificate Signing Request). Keep in mind that this service is not free of charge.
When using this service, we’ll set up the CSR for you. We’ll need the following information:
- your hostname (also known as the common name)
- country code (the two-letter ISO 3166-2 code)
- state or province name
- city or locality
- name of your organization
- organizational unit (e.g. marketing, or finance)
We’ll create and send the CSR to you. You can send us the certificate files afterwards and we’ll install the certificate for you. We charge €100/$120/£90 (depending on your currency) for this service per CSR. If you’re interested, please contact firstname.lastname@example.org.