ciaran
02-15-2006, 02:35 AM
Hi:
I don't understand the SSL manager on the cPanel. I know what I want to do, which is having secure login for forums and the web e-mail clients I use on my site. Now I can go to Thawte and buy a cert for a few pounds and do that,
but is there another 'cheaper' way of doing this?
BrandonK
02-15-2006, 05:26 AM
Anything related is going to cost a few bucks. Just add the additional costs to the client's bill. ;)
Just kidding, I'll search around and see what I can come up with. Unfortunately I'm not familiar with the way SSH and things related work. :p :o
Well, you can mint your own certificates if you have the technology to do so.... Generally, a Windows 2000/2003 Server running Active Directory can do this for you with Microsoft's certificate services, and there are a number of Linux-based solutions that can do this (OpenSSL, essentially).
Essentially, from the cPanel you have to generate a certificate signing request (CSR) and then get it "signed" by a Certificate Authority. Normally, this is Thawte or Verisign, but again if you have the technology, you can use your own Certificate Authority and thereby mint certificates for zero cost. There are also some very inexpensive Certificate Authorities out there that you can use.
You then import the signed certificate using the same cPanel manager.
Keep in mind that there are two purposes to an SSL certificate:
Encryption: This allows traffic to and from the web site to be encrypted, and is the primary reason most people want SSL certificates -- to protect passwords, credit card numbers, etc.
Non-Repudiation: This verifies that your web site is who you claim to be. Generally very important for online banking and e-commerce sites, as a user who is about to enter their credit card number wants some assurance that they're dealing with a legitimate company. This non-repudiation is provided by having the certificate signed by a trusted and recognized "Certificate Authority" such as Verisign or Thawte.... Essentially, this signature verifies that you are who you say you are.
Note that any SSL certificate, even one you sign yourself, can address the first point (encryption). However, since a signature from your own Certificate Authority will not be trusted by anybody out there, you cannot provide non-repudiation unless you go through a proper certificate authority (essentially, by signing the certificate yourself, you're basically just saying, "Yes, I'm who I say I am, and I've signed the document myself to prove it!").
This is often not a critical issue, however, if you're only dealing with a controlled group of users (employees, club members, etc), and many corporate systems use self-signed certificates since they're only concerned with encryption and don't care as much about non-repudiation.
More importantly, however, is to understand that the process of certificate validation works on the principle of being able to compare the signature to a trusted root (ie, a copy of the signature). The trusted roots for the main CAs are stored in your browser already (just go into the security/certificates panel of IE/Firefox/etc and look at the "Trusted Root" certificates that are already there). If a certificate cannot be verified up to a trusted root, the user connecting to your site will receive a warning from their browser advising them of this.
So, if you sign your own certificate, you have two options:
Inform your users that they will receive a warning message when they connect to your site, and just tell them not to worry about it (ie, "Just click 'Yes'")
Provide your Trusted Root (from your own CA) for them to download and install in their browsers (this is a fairly easy process, which is usually as simple as downloading a file and responding to two or three questions in a wizard that pops up)
However, even with these considerations, there may be times and places where this is not an option.... Many cell phone WAP/Mobile Browser gateways don't allow non-trusted SSL connections (ie, if it doesn't match a trusted root in the cell phone providers network, the connection will be denied), and some Internet cafes also lock down non-trusted certificate access.
In the end, you have to decide whether the hassle of minting your own certificate is worth saving the annual fee of a purchased SSL certificate. However, remember as well that if non-repudiation is not an important consideration, there are discount Certificate Authorities out there.... They may not be as trustworthy for validating your identity, but they'll provide the same quality of encryption as any other certificate, with the advantage of being simple to issue (you don't need your own CA), and usually having a trusted root that has been already deployed to most common browsers (although this is something you should check, as it's not always the case).
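The CSR / sign / import flow and the "verify up to a trusted root" rule described in the post above, worked through with OpenSSL as an added example (this is not code from the thread or from cPanel). It assumes the openssl command-line tool is installed; the CA name "Example Private CA", the second CA "Some Unrelated CA", the hostname forum.example.test and the scratch directory are made up for the demonstration. It goes slightly beyond the post by also showing the hostname check a browser performs, so you see all three outcomes: root installed and name matches, root not installed, and right root but wrong name.

```shell
#!/bin/sh
# Added example (not from the forum thread): act as your own Certificate
# Authority with OpenSSL, issue a server certificate from a CSR, and show
# that validation only succeeds when the verifier holds the CA's root.
# All names below are made up for the demonstration.
set -eu

WORK="${WORK:-$(mktemp -d)}"   # throwaway scratch directory

# Self-signed root certificate: this is the "trusted root" a visitor's
# browser would have to import before it stops warning about the site.
make_root() {       # $1 = file prefix, $2 = CA display name
  openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 365 \
    -subj "/CN=$2" -keyout "$WORK/$1.key" -out "$WORK/$1.crt" 2>/dev/null
}

# Equivalent of cPanel's "generate CSR" step: the private key stays on the
# server; only the request (public key + name) is sent to the CA.
make_csr() {        # $1 = hostname the certificate is for
  openssl req -new -newkey rsa:2048 -nodes -sha256 -subj "/CN=$1" \
    -keyout "$WORK/server.key" -out "$WORK/server.csr" 2>/dev/null
  # Browsers match the hostname against subjectAltName, not the CN.
  printf 'subjectAltName=DNS:%s\n' "$1" > "$WORK/server.ext"
}

# The CA signs the request. The output file is what you would paste back
# into the cPanel SSL manager as the "signed certificate".
sign_csr() {        # $1 = root file prefix
  openssl x509 -req -in "$WORK/server.csr" -sha256 -days 90 \
    -CA "$WORK/$1.crt" -CAkey "$WORK/$1.key" -CAcreateserial \
    -extfile "$WORK/server.ext" -out "$WORK/server.crt" 2>/dev/null
}

# Chain validation as a browser performs it: the server certificate must be
# signed by a root the verifier already trusts, and the name must match the
# site being visited. Prints "valid" or "invalid".
chain_status() {    # $1 = trusted root file, $2 = hostname being visited
  if openssl verify -CAfile "$1" -verify_hostname "$2" \
       "$WORK/server.crt" >/dev/null 2>&1; then
    echo valid
  else
    echo invalid
  fi
}

build_pki() {
  make_root ca "Example Private CA"
  make_root other "Some Unrelated CA"   # a root the site's cert is NOT signed by
  make_csr forum.example.test
  sign_csr ca
}

build_pki
echo "root installed, name matches: $(chain_status "$WORK/ca.crt" forum.example.test)"
echo "different root only:          $(chain_status "$WORK/other.crt" forum.example.test)"
echo "right root, wrong hostname:   $(chain_status "$WORK/ca.crt" www.example.test)"
```

The second line is the situation every visitor who has not imported your root is in: the encryption still works (the key exchange is unaffected), but the browser cannot chain the signature to anything it trusts, which is exactly what produces the warning the post describes. Handing users `ca.crt` to import is the post's second option; buying a certificate from a CA whose root already ships in browsers removes the step entirely.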