HOW-TO - Avoid the Plesk certificate error, or get rid of the "This Connection is Untrusted" message.

Date: 23 March 2010
Source: GraFX

It is more and more frustrating when customers call to complain that the control panel provided with your hosting service, PLESK, does not work. They are shown a screen with the message "This Connection is Untrusted" (in Firefox) or "There is a problem with this website's security certificate." (in Internet Explorer). In most cases they close the browser to avoid doing something stupid, without reading the message, knowing only that it is UNTRUSTED or NOT SECURED. Magical words that scare them.

Untrusted Firefox screen

On the PLESK forums, and on other forums as well, users haven't really found solutions. A certificate may be purchased from different providers, including cheap ones, but they tend to solve the problem only partially. Usually a "wildcard" certificate, i.e. *.domain.com, is needed to get rid of the problem, and a secured URL may be purchased by the customer. But a wildcard certificate costs somewhere around 199USD (the lowest price we have come across) and up to 495USD (or maybe more). The price would be justified if we were doing ecommerce, where having a trusted certificate is vital. But if you'd like to use this certificate just so that your customers aren't scared off that page, the price is not at all justified.

And here is the solution, not a perfect one, but still a good one to avoid the obstacles. What if you, as a hosting company, signed a certificate that would be valid? We are sure that your customers, who trust you, wouldn't mind having a certificate signed by the X Hosting Company instead of Comodo or Verisign. And this is totally doable. We offer you a FREE tutorial and a small shell script (in case you need it) for 39USD/lifetime, a very low price considering that a wildcard certificate would cost you 200USD or more. But be aware that our solution will work only in PLESK, on port 8443, and we do not recommend using it as an ecommerce certificate or on any other similar site, even if it is possible.

If we have made you interested, read the article below for extra information, and in case you need the SHELL file in 10 minutes, ORDER NOW.

We just need to go through the process of installing and configuring a Certificate Authority (CA) system to use with Plesk for server certification and secure website access. The role of this application is to generate a CA system to be used internally, with the possibility to publish the CA public keys so that the certificates issued by this CA can be recognized.

The process works by installing the CA public keys in the browser of the clients who access the secured services. This way, the browser will recognize, using the CA public key, the certificate of the website that was signed by the CA private key. Of course, a general PKI system can be much more complex, including intermediate authorities signed by a Root CA or multiple PKI schemes. We shall stick to a simple authority that signs certificates for use by Plesk.

What is a digital certificate?

A digital certificate is an electronic document that serves to prove the identity of a website or person when using secured transactions. We shall stick to Server Certificates in the application. A certificate has two main roles: to assure encryption between the communicating entities and to prove the identity of an entity. A digital certificate also contains a public key which, amongst other things, is used to encrypt the data from the client to the server. The server can decrypt the data using the private key from which this certificate's public key was generated.

Example of a certificate:

Certificate

What is a secured website?

The Internet contains a lot of interesting things, from presentation websites, news websites, social networks, personal home pages, blogs, to special portals, e-commerce websites, e-banking or special access pages containing sensitive information.

The HTTP protocol in its base form is the main protocol used on the World Wide Web to transfer information across computer networks. Unfortunately, the base form transfers information in plain form, meaning that the bytes that are transferred can be intercepted by a third party with access to a router or cable or any other information carrying method. This third party is able to partially reconstruct the initial data and thus can read the sensitive data that was transferred between the communicating parties.

In order to avoid this kind of eavesdropping, encryption must be used. Suppose we have two entities that wish to communicate securely. One must encrypt the data with a key that the other can decrypt with the same key or with the corresponding key, depending on the security scheme used. This way, even if someone eavesdrops, they will get a non-sense stream of data. Without the right key, they can't decrypt the stream thus they can't read the sensitive data.

How the URL bar of a secured site looks

What is the trust relationship?

Now that we have defined what secure communication is and what certificates are, we move on to the trust part of this scheme. In a Public Key Infrastructure (P.K.I.) system we have 3 entities: 2 communicating entities and an Authority which acts as an intermediary. Both entities that wish to communicate securely trust the Certification Authority (C.A.). That is why the Server has its certificate signed by the Authority, which is trusted by the connecting client.

PKI workflow

How can I generate this key?

There are two methods of doing so, a manual one that requires advanced Linux knowledge and an automated one, the script we offer that may be ordered through this link for only 39USD.

The program has 2 main operations (also called subroutines). You will need to have OpenSSL on your server.

  • The PKI Installation Subroutine: which installs a PKI system on the system: directory structure and a Root CA key and certificate
  • The Signing Subroutine: which is used to sign any Certificate Signing Request (CSR) with the Root CA private key.

The PKI Installation Subroutine

This portion of the program deals with installing the CA structure and the CA's private key and certificate.
Note that the CA certificate is a self-signed one. Do NOT use it for server operations or for any purpose besides signing other certificates.

Notes:
  • You need root privileges to run these operations.
  • You need to have OpenSSL installed on your system.

Root CA Generation
  • Environment Preparation:
    # mkdir /etc/tls && chown root:root /etc/tls && chmod 700 /etc/tls
    # cd /etc/tls
    # echo '[ serverauth ]
    basicConstraints=CA:FALSE
    nsCertType = server
    keyUsage = nonRepudiation, digitalSignature, keyEncipherment
    extendedKeyUsage = serverAuth
    nsComment = "SSL Server Certificate"
    
    [ clientauth ]
    basicConstraints=CA:FALSE
    nsCertType = client
    keyUsage = nonRepudiation, digitalSignature, keyEncipherment
    extendedKeyUsage = clientAuth
    nsComment = "SSL Client Certificate"
    ' > /etc/tls/myssl.conf
    
  • Create Root CA Private Key:
    # mkdir /etc/tls/ca
    # openssl genrsa -aes256 -out /etc/tls/ca/rootca.key 4096
  • Create Root CA Certificate:
    # openssl req -new -x509 -key /etc/tls/ca/rootca.key -days 7305 -out /etc/tls/ca/rootca.crt
    # touch /etc/tls/ca/counter.crl
    

The Signing Subroutine

This portion of the program deals with the signing of already existing CSR (Certificate Signing Request).

Signing a CSR
  • Environment Preparation:
    # cd /etc/tls
    # mkdir /etc/tls/servers
    # cd /etc/tls/servers
  • Copy or make sure that the "plesk.csr" you wish to sign resides in the correct directory:
    # ls
    plesk.csr
  • Sign the CSR with the CA Private Key:
    # openssl x509 -req -days 3072 -in /etc/tls/servers/plesk.csr -CA /etc/tls/ca/rootca.crt -CAkey /etc/tls/ca/rootca.key -set_serial X -extfile /etc/tls/myssl.conf -extensions serverauth -out /etc/tls/servers/plesk.crt
    # echo "/etc/tls/servers/plesk.crt" >> /etc/tls/ca/counter.crl
    
  • Optional, if you have a "plesk.key" file and you wish to create a single PEM file containing both the key and certificate:
    # ls
    plesk.crt plesk.csr plesk.key
    # cat plesk.key > plesk.pem
    # cat plesk.crt >> plesk.pem
    # ls
    plesk.crt plesk.csr plesk.key plesk.pem

Of course, the Script is more complex, giving you the possibility to sign any CSR. This tutorial only deals with the Plesk Certificate Signing.
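
One way to check the result of the signing step, as an added example that is not part of the original tutorial or of the vendor's script. It rehearses the openssl commands above in a throwaway directory with constructed subject names (Demo Hosting Root CA, plesk.example.test), then checks the chain, the key match and the extensions of the signed certificate.

```shell
#!/bin/sh
# Added example (not the vendor's script). Subjects and paths are constructed.

# Build a disposable root CA, server key/CSR and signed certificate in $1,
# signing with a trimmed copy of the page's [ serverauth ] section.
make_demo_pki() {
    d=$1
    printf '%s\n' '[ serverauth ]' 'basicConstraints=CA:FALSE' \
        'keyUsage = nonRepudiation, digitalSignature, keyEncipherment' \
        'extendedKeyUsage = serverAuth' > "$d/myssl.conf"
    openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 30 \
        -subj '/CN=Demo Hosting Root CA' \
        -keyout "$d/rootca.key" -out "$d/rootca.crt" 2>/dev/null
    openssl req -new -newkey rsa:2048 -nodes -subj '/CN=plesk.example.test' \
        -keyout "$d/plesk.key" -out "$d/plesk.csr" 2>/dev/null
    openssl x509 -req -sha256 -days 30 -in "$d/plesk.csr" \
        -CA "$d/rootca.crt" -CAkey "$d/rootca.key" -set_serial 1 \
        -extfile "$d/myssl.conf" -extensions serverauth \
        -out "$d/plesk.crt" 2>/dev/null
}

# check_signed_cert ROOT CERT KEY -> prints OK, or the first failed check.
check_signed_cert() {
    root=$1; crt=$2; key=$3
    # 1. Chain: the certificate must verify against the given root CA.
    openssl verify -CAfile "$root" "$crt" >/dev/null 2>&1 \
        || { echo "FAIL chain"; return 1; }
    # 2. Key match: the cert's public key equals the one derived from the key.
    a=$(openssl x509 -in "$crt" -noout -pubkey | openssl sha256)
    b=$(openssl pkey -in "$key" -pubout 2>/dev/null | openssl sha256)
    [ "$a" = "$b" ] || { echo "FAIL key mismatch"; return 1; }
    # 3. Extensions: an end-entity certificate limited to server authentication.
    text=$(openssl x509 -in "$crt" -noout -text)
    echo "$text" | grep -q 'CA:FALSE' || { echo "FAIL not CA:FALSE"; return 1; }
    echo "$text" | grep -q 'TLS Web Server Authentication' \
        || { echo "FAIL no serverAuth"; return 1; }
    echo OK
}

demo() {
    tmp=$(mktemp -d) || return 1
    make_demo_pki "$tmp"
    check_signed_cert "$tmp/rootca.crt" "$tmp/plesk.crt" "$tmp/plesk.key"
    rc=$?
    rm -rf "$tmp"
    return $rc
}
demo
```

The serverauth section shown in this tutorial sets no subjectAltName, and current browsers match the host name against that extension only, so a certificate signed exactly as shown passes these checks but still fails the browser's name check.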

Practical Guide in a few steps

This is a practical, step-by-step installation guide in 10 steps. This guide will “install” a PKI system onto a machine and sign a CSR to obtain a Server Certificate.

1. Login to your system
2. Make sure you are root (“su” if you have to)
3. Install this script in /root folder and give execution permissions.
4. Launch this script with -ca parameter.
5. Fill in the fields (if you do not understand something please use the previous chapter)
6. Create a server CSR on the Plesk Portal
7. Copy the server CSR in /root/
8. Launch this script with -s parameter.
9. Copy the contents of the newly created CRT (Certificate) into the Plesk Portal (at the certificate's section) or upload the certificate file.
10. That's all !

Tell your client how to use it.

Now that everything is installed, we need to let the customer know how to access these pages so that everything is OK. First of all, we need to place the rootca.crt certificate on your domain at a publicly available address, http://www.domain.com/rootca.crt.

Below you have 3 different and well-known setup methods:
  • Step 1: Navigate with a browser to http://www.domain.com/rootca.crt
  • Step 2: Depending on the browser you are using, you will be shown the following windows:

    Mozilla Firefox:
    • Step 1 (and the only one): Mark all three checkboxes and click OK

    Internet Explorer (all versions) - on Windows Vista or Windows 7:
    • Step 1: When the download window is launched, select OPEN
    • Step 2: In the certificate window you will see that it is not yet recognised, access "Install Certificate"
    • Step 3: Select the repository where the certificate will be stored: access Browse, and then "Trusted Root Certificates"
    • Step 4: Summary window, confirm using Finish
    • Step 5: Additional security confirmation, access "YES"

    Safari:
    • Step 1 (and the only one): Access OPEN, and the rest of the procedure is the same as in Internet Explorer

In the welcome message we usually send out to our customers (each company sends out such a mail) we include a line for the PLESK access, e.g.: Before accessing the control panel, follow this link http://www.domain.com/rootca.crt and follow the steps on the screen. You should also provide a link to the manual that you receive from us in Word and PDF format so that you can personalise them (only on script command). In Firefox it is simple: the link is followed and the customer clicks OK. In Internet Explorer it is harder, as the certificate needs to be imported (in case the customer works with Vista or Windows 7), but everything is covered in the documentation we have provided.
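
Because rootca.crt is downloaded over plain http, the welcome mail can also carry the certificate's fingerprint, so the customer can compare it with the downloaded file before importing it. The following is an added example, not from the original tutorial; the function names and the two sample certificates are constructed.

```shell
#!/bin/sh
# Added example. Function names and sample certificates are constructed.

# root_fingerprint FILE -> SHA-256 fingerprint, lowercase hex without colons
# (empty output if FILE is not a readable certificate).
root_fingerprint() {
    openssl x509 -in "$1" -noout -fingerprint -sha256 2>/dev/null \
        | sed 's/^.*=//' | tr -d ':' | tr 'A-F' 'a-f'
}

# check_root FILE EXPECTED -> prints match, MISMATCH or "not a certificate".
# EXPECTED may be written with or without colons, in either case.
check_root() {
    got=$(root_fingerprint "$1")
    [ -n "$got" ] || { echo "not a certificate"; return 2; }
    want=$(printf '%s' "$2" | tr -d ': ' | tr 'A-F' 'a-f')
    if [ "$got" = "$want" ]; then echo match; else echo MISMATCH; return 1; fi
}

# Two self-signed roots with the same subject but different keys: the name
# shown in the import dialog is identical, only the fingerprint differs.
demo_fp() {
    tmp=$(mktemp -d) || return 1
    for n in genuine swapped; do
        openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 30 \
            -subj '/CN=Demo Hosting Root CA' \
            -keyout "$tmp/$n.key" -out "$tmp/$n.crt" 2>/dev/null
    done
    published=$(root_fingerprint "$tmp/genuine.crt")  # sent by another route
    check_root "$tmp/genuine.crt" "$published" || :
    check_root "$tmp/swapped.crt" "$published" || :
    rm -rf "$tmp"
}
demo_fp
```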

Final words

It is not a perfect solution, it has its flaws that we have to live with due to the security excess. The only other solution is to purchase a recognised certificate that will cost 200USD or even more. You decide.

Order the solution and the shell script file now for ONLY 39USD!
