Configuring an SSL in SiteLock with an Existing Firewall

This article is part of our series on getting started with SiteLock. For other articles and helpful tips on activating and using SiteLock services, please see the following articles:

Overview

This article will go into detail regarding the process of configuring an SSL to work with a site that already has a WAF (Web Application Firewall) configured. We will go over the two different processes SiteLock uses to configure an SSL on an existing WAF.

SSL Process Overview

Whether we’re setting up a new WAF with an existing SSL, or setting up a new SSL on an existing WAF, there are two processes SiteLock uses to ensure the site functions with the WAF and SSL in tandem. SiteLock partners with Incapsula for its firewall needs, which is important to remember for one of these processes.

Custom Installed SSL

The first process is a custom SSL install. This is a process where we install the customer’s SSL directly onto the firewall.

  • Prerequisites - Before the SSL can be installed on the WAF, it needs to be installed and functioning on the host server first. To test this without de-configuring the WAF, you can modify your hosts file to force your computer to resolve the domain directly to the host IP, essentially bypassing the WAF without actually changing anything.
  • Benefits - The biggest benefit to using the customer’s SSL on the WAF is that anyone who wants to review the SSL information will see only the site’s information. As the SSL has been issued to a specific domain, only that domain is visible to a third party inspecting the certificate.
  • Downside - When the SSL is installed directly on the WAF, any change to the SSL means it must be reconfigured on the WAF. If the SSL is renewed, rekeyed to include another domain or sub-domain, or modified in any way for any reason, it needs to be reconfigured on the WAF again.
  • Summary - This is the ideal option for businesses or customers who are conscious about the information available to their visitors and are not put off by the fact that they will need to reconfigure the SSL if something changes.

Configuring a Custom Installed SSL

You need to have the certificate file (extensions .cer or .crt), and the private key (extension .key).
  1. Access the SiteLock dashboard and navigate to: SETTINGS > TRUESHIELD SETTINGS.
  2. In the SSL Configuration Status section, skip Validating Domain Ownership and go to Manage Certificate, then select Upload Certificate. If you do not see this option, the WAF is not able to detect the SSL on the host server. Check the Site IP just below the SSL Configuration Status to make sure our WAF is pointing to the hosting IP where the SSL is installed, so that the WAF is checking the correct location. If you still do not see the option, and you’re sure the SSL is installed correctly on the host side (verified by modifying your hosts file to test), contact SiteLock support so we can work with Incapsula to resolve the issue.
  3. Once you click on Upload Certificate, you’ll get an uploader for Certificate first. Navigate to your .cer or .crt file and select it.
  4. Next, you’ll be asked for the private key. Navigate to your .key file and select it.
  5. Finally, you’ll be asked to include the passphrase, which is optional.
  6. Once done, click Submit and give it a moment. If it works, you’ll see something like this:
    [screenshot: SSL Configuration Status after a successful upload]

If you get an error, you can attempt the same process again. One good thing to check if you get an error is reviewing the certificate and key. All files will look something like this:

-----BEGIN CERTIFICATE-----
Random characters
-----END CERTIFICATE-----

Make sure there are no spaces or empty lines before the beginning dashes or after the ending dashes. Those spaces count as characters and will cause the system not to read it correctly.

If the files are formatted correctly and you’re still getting an error, please contact SiteLock support to resolve the issue.
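A quick way to catch these formatting problems before uploading, as an added example (not SiteLock’s own tooling): it reads the certificate or key text and reports whitespace or blank lines before the BEGIN line or after the END line, mismatched BEGIN/END labels, a body that is not valid base64, and whether a key is passphrase-protected (which decides whether the optional passphrase step applies). The PEM sample inside is constructed, not a real certificate.

```python
import base64
import binascii
import re

# One PEM block: label on the BEGIN line, base64 body, matching END line.
PEM_RE = re.compile(
    r"-----BEGIN ([A-Z0-9 ]+)-----\r?\n(.*?)-----END ([A-Z0-9 ]+)-----", re.DOTALL)
KEY_LABELS = {"PRIVATE KEY", "RSA PRIVATE KEY", "EC PRIVATE KEY", "ENCRYPTED PRIVATE KEY"}

def check_pem(text, expect=None):
    """Return a list of problems (empty = looks uploadable). expect: "cert", "key" or None."""
    problems = []
    m = PEM_RE.search(text)
    if not m:
        return ["no -----BEGIN ...----- / -----END ...----- block found"]
    begin_label, body, end_label = m.groups()
    # Anything before the first dashes, or after the last dashes other than
    # one final newline, is what makes the uploader reject the file.
    if text[:m.start()] != "":
        problems.append("spaces, blank lines or other characters before the BEGIN line")
    if text[m.end():] not in ("", "\n", "\r\n"):
        problems.append("extra characters or blank lines after the END line")
    if begin_label != end_label:
        problems.append(f"BEGIN label '{begin_label}' does not match END label '{end_label}'")
    if expect == "cert" and begin_label != "CERTIFICATE":
        problems.append(f"expected a CERTIFICATE block, found '{begin_label}'")
    if expect == "key" and begin_label not in KEY_LABELS:
        problems.append(f"expected a private key block, found '{begin_label}'")
    # Passphrase-protected PKCS#1 keys carry "Proc-Type:"/"DEK-Info:" header
    # lines before the base64; skip header lines when validating the body.
    b64 = "".join(line.strip() for line in body.splitlines() if ":" not in line)
    try:
        base64.b64decode(b64, validate=True)
    except binascii.Error:
        problems.append("body is not valid base64 (stray characters or a truncated copy)")
    return problems

def key_is_encrypted(text):
    """True if the key needs a passphrase (PKCS#8 ENCRYPTED PRIVATE KEY or PKCS#1 DEK-Info)."""
    return "BEGIN ENCRYPTED PRIVATE KEY" in text or "Proc-Type: 4,ENCRYPTED" in text

# Constructed sample: a well-formed PEM wrapper around dummy bytes, not a real certificate.
GOOD = ("-----BEGIN CERTIFICATE-----\n"
        + base64.encodebytes(b"constructed sample, not a real certificate").decode()
        + "-----END CERTIFICATE-----\n")
BAD = "\n  " + GOOD + "\n\n"   # blank line and spaces before BEGIN, blank lines after END

if __name__ == "__main__":
    for name, pem in (("good", GOOD), ("bad", BAD)):
        print(name, "->", check_pem(pem, expect="cert") or ["ok"])
```

Run it against the .cer/.crt file with expect="cert" and the .key file with expect="key"; an empty list means the file passes every check this example knows about.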

Incapsula Shared SSL

For this process, we take advantage of the fact that each of Incapsula’s WAFs has an SSL assigned to it. By verifying to Incapsula that the site admin would like to use the WAF SSL to protect their site, the site’s domain is added to the WAF SSL as a secured domain.

  • Prerequisites - Before the SSL can be installed on the WAF, it needs to be installed and functioning on the host server first. To test this without de-configuring the WAF, you can modify your hosts file to force your computer to resolve the domain directly to the host IP, essentially bypassing the WAF without actually changing anything.
  • Benefits - This is an option that is geared towards convenience. By adding a TXT record to the site’s DNS, we can verify to Incapsula that the site admin wishes to be included on the firewall’s SSL. Once verification goes through, the site’s domain is added to the existing WAF SSL. This is great because if the customer’s SSL is renewed, rekeyed, or modified for any reason, it doesn’t matter. As long as the SSL is updated correctly on the host side, the Incapsula SSL will continue to cover the site without a need to change anything on SiteLock’s side.
  • Downside - When a site uses the WAF SSL, anyone reviewing the SSL information will see that the certificate is issued to “Incapsula.com”, with the site’s domain included as a SAN (Subject Alternative Name), i.e. one of the additional domains covered by the SSL. The site’s domain will therefore sit among a large number of other domains protected by the same SSL. This can give a sort of “unprofessional” look to a third party who reviews the SSL information and sees a ton of seemingly random domains attached to the same SSL.
  • Summary - This is a great option for bloggers or customers who don’t care about the inclusion of other domains on their SSL and instead appreciate that once they configure the SSL with SiteLock once, they need not revisit the process again.
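The prerequisite listed under both options, confirming that the SSL is working on the host server without touching the WAF, can also be checked without editing the hosts file. The added example below (not SiteLock’s or Incapsula’s code) connects to the origin IP directly while sending the domain as SNI, then reports whether the served certificate covers the domain and how many days it has left; ORIGIN_IP and DOMAIN are placeholders to replace.

```python
import socket
import ssl
import time

ORIGIN_IP = "203.0.113.10"   # placeholder: the hosting server's IP, not the WAF's
DOMAIN = "example.com"       # placeholder: the domain the SSL was issued for

def fetch_origin_cert(origin_ip, domain, timeout=10):
    """Return the peer certificate dict from origin_ip, sending `domain` as SNI."""
    ctx = ssl.create_default_context()
    # We connect by IP on purpose, so Python's own hostname check is turned off;
    # the chain is still verified against the system CA store, and the name
    # check is done by name_matches() below instead.
    ctx.check_hostname = False
    with socket.create_connection((origin_ip, 443), timeout=timeout) as raw:
        with ctx.wrap_socket(raw, server_hostname=domain) as tls:
            return tls.getpeercert()

def covered_names(cert):
    """Lower-cased names the certificate is valid for: SAN DNS entries plus the CN."""
    names = [value for kind, value in cert.get("subjectAltName", ()) if kind == "DNS"]
    for rdn in cert.get("subject", ()):
        for key, value in rdn:
            if key == "commonName":
                names.append(value)
    return [n.lower() for n in names]

def name_matches(cert, domain):
    """True if `domain` is covered, honouring single-label wildcards (*.example.com)."""
    domain = domain.lower()
    for name in covered_names(cert):
        if name == domain:
            return True
        # A wildcard covers exactly one extra label: *.example.com matches
        # www.example.com but neither example.com nor a.b.example.com.
        if name.startswith("*.") and domain.count(".") == name.count("."):
            if domain.split(".", 1)[1] == name[2:]:
                return True
    return False

def days_until_expiry(cert):
    """Days left before the certificate's notAfter date (negative if already expired)."""
    expires = ssl.cert_time_to_seconds(cert["notAfter"])
    return int((expires - time.time()) // 86400)

if __name__ == "__main__":
    cert = fetch_origin_cert(ORIGIN_IP, DOMAIN)
    print("origin certificate covers", DOMAIN + ":", name_matches(cert, DOMAIN))
    print("names in certificate:", ", ".join(covered_names(cert)))
    print("days until expiry:", days_until_expiry(cert))
```

If the handshake fails outright, the origin is not serving a CA-issued certificate for that name yet, which is the same condition that stops the Upload Certificate option from appearing.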

Configuring an Incapsula Shared SSL

The SSL must already be configured and working on the host server.
You will need access to DNS management for the domain, so you can add a verification record.
  1. Access the SiteLock dashboard and navigate to: SETTINGS > TRUESHIELD SETTINGS. You should see something like this:
    [screenshot: Trueshield Settings page with the TXT Value highlighted in red]
  2. Copy the text to the right of TXT Value (red box above). This is the verification entry we need to add to the site’s DNS.
  3. Navigate to where the domain is managed and add the DNS entry as a TXT record with “@” as the host. See the example below:
    [screenshot: TXT record added in DNS management]

Now that you have the record added as it needs to be, it’s just a matter of waiting for verification to go through. This typically takes about 24 hours, but shouldn’t take longer than 48 hours. You can check whether the verification has happened by looking at this Trueshield wizard. If you still see “Certificate Authority verification is pending” in yellow, we’re still waiting on Incapsula to validate. After a couple of hours, you’ll notice “Site DNS returned no matching TXT record was found” change to “Congratulations, a matching TXT record was found!” This signifies that our WAF is detecting the verification record, and we just need Incapsula to process the request.
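To confirm from your own machine that the TXT record is visible in public DNS before waiting on Incapsula, this added example (not SiteLock’s tooling) runs dig +short TXT against a public resolver and checks for the verification value. It assumes dig is installed; DOMAIN and EXPECTED are placeholders for the site’s domain and the TXT Value copied from the dashboard, and the dig output embedded in it is constructed for illustration.

```python
import subprocess

DOMAIN = "example.com"                              # placeholder: the site's domain
EXPECTED = "txt-value-from-dashboard-placeholder"   # placeholder: the TXT Value from the dashboard

def parse_dig_txt(output):
    """Parse `dig +short TXT` output into record values. Each line is one record
    made of one or more double-quoted strings (DNS splits values over 255 bytes
    into several), joined here, with quote and backslash escapes undone."""
    records = []
    for line in output.splitlines():
        parts, cur, in_quote, esc = [], [], False, False
        for ch in line:
            if esc:                      # character after a backslash is literal
                cur.append(ch)
                esc = False
            elif ch == "\\":
                esc = True
            elif ch == '"':              # opening or closing quote of one string
                if in_quote:
                    parts.append("".join(cur))
                    cur = []
                in_quote = not in_quote
            elif in_quote:
                cur.append(ch)
        if parts:
            records.append("".join(parts))
    return records

def txt_value_present(output, expected):
    """True only if a whole TXT record equals the verification value exactly."""
    return expected.strip() in parse_dig_txt(output)

def lookup_txt(domain, resolver="1.1.1.1"):
    """Ask a public resolver so a stale local cache cannot hide a record you just added.
    "@" as the host means the record sits at the apex, so the bare domain is queried."""
    result = subprocess.run(["dig", "+short", "TXT", domain, "@" + resolver],
                            capture_output=True, text=True, check=True)
    return result.stdout

# Constructed sample of dig output: an SPF record, the verification record, and a
# long record that DNS returned as two quoted strings.
SAMPLE_DIG_OUTPUT = (
    '"v=spf1 include:_spf.example.net -all"\n'
    '"txt-value-from-dashboard-placeholder"\n'
    '"long-record-part-one" "part-two"\n'
)

if __name__ == "__main__":
    print("live DNS contains the value:", txt_value_present(lookup_txt(DOMAIN), EXPECTED))
```

A record that shows up here but is still reported as missing in the wizard usually just needs more propagation time; a record that does not show up here was added at the wrong host or zone.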

Once the verification goes through, you’ll see something like this:

[screenshot: SSL Configuration Status after verification completes]

This indicates that the SSL is currently live. You still have the option to upload the certificate directly to the WAF.

Tips & Additional Information

  1. The “Source of SSL Certificate” will tell you what setup the customer currently has. If you see the source is “Customer”, that means the SSL has been installed to the WAF. If you see the source is “Network”, that means the site is using Incapsula’s SSL.
  2. A very useful tool for testing SSLs is https://www.sslshopper.com/ssl-checker.html. It lets you enter the domain to see which SSL is currently installed (good for checking expiration dates). Note that if the domain is pointing to SiteLock’s WAF and the SSL has not yet been configured, the information will not be reliable, as the tool will be reading the SSL currently on the WAF the domain is configured for.
  3. You should not do anything to configure a site’s URL to force HTTPS until after the site has been configured on the firewall as well (and tested first!). If the site is using our WAF, and the SSL has been installed on the host server but not on our WAF, forcing HTTPS will not only bring the site down, it will bring it down with a bunch of security errors, which just looks bad all around. The most common example of this issue is finding a site with the secure URL in its WordPress Site Home/Site URL settings despite not having a fully functional WAF + SSL setup.
  4. To modify your hosts file, see the article “How Do I Change My Hosts File?”. Please be aware that this can have hugely negative effects on your computer if not done right.

Conclusion

At this point you should be familiar with both processes SiteLock uses to install an SSL to the firewall. It’s the same process as setting up a new firewall for the first time if there is an SSL present. If you run into issues during any part of this process, give SiteLock’s support a quick call so that they can assist where possible.