We’d like to remind Forumites to please avoid political debate on the Forum.
This is to keep it a safe and useful space for MoneySaving discussions. Threads that are – or become – political in nature may be removed in line with the Forum’s rules. Thank you for your understanding.
📨 Have you signed up to the Forum's new Email Digest yet? Get a selection of trending threads sent straight to your inbox daily, weekly or monthly!
SSL Certificates and private key Conundrum
KeepTheFaith
Posts: 11 Forumite
Hope there are some web techies here that can help me.
Been having a nightmare trying to get an SSL Certificate for my website. My web host was charging £69.99 plus VAT for one so I tried buying one from somewhere else. However when I tried installing it in cpanel I discovered that the option was disabled and their technical support said my web hosting didn't allow third party certificates but said if I paid £59.99 they would install the third party Certificate. After due consideration I made the bad choice to pay this. Now they are saying that I have to send them the Certificate and SEND THE PRIVATE KEY for them to install it and still won't enable the option for me to install it myself in cpanel.
I have searched the web and I am reading that private keys should never be shared or transmitted else it risks compromising the key and then it would be a waste of time me buying the SSL Certificate as it would be vulnerable to anyone who got hold of the key. I have put this to technical support and the guy ignored what I wrote and still insists that I have to send them the private key to install the Certificate. Am I missing something in my understanding before I send them an email demanding for a refund and fork out for new web hosting elsewhere?
(Incidently the web hosting have all free SSL options like AutoSSL etc turned off so if I wanted anything other than shared SSL I had to buy it else ditch the web hosting that I have. I have a now free lifetime deal on the hosting which is why I chose to pay up).
Been having a nightmare trying to get an SSL Certificate for my website. My web host was charging £69.99 plus VAT for one so I tried buying one from somewhere else. However when I tried installing it in cpanel I discovered that the option was disabled and their technical support said my web hosting didn't allow third party certificates but said if I paid £59.99 they would install the third party Certificate. After due consideration I made the bad choice to pay this. Now they are saying that I have to send them the Certificate and SEND THE PRIVATE KEY for them to install it and still won't enable the option for me to install it myself in cpanel.
I have searched the web and I am reading that private keys should never be shared or transmitted else it risks compromising the key and then it would be a waste of time me buying the SSL Certificate as it would be vulnerable to anyone who got hold of the key. I have put this to technical support and the guy ignored what I wrote and still insists that I have to send them the private key to install the Certificate. Am I missing something in my understanding before I send them an email demanding for a refund and fork out for new web hosting elsewhere?
(Incidently the web hosting have all free SSL options like AutoSSL etc turned off so if I wanted anything other than shared SSL I had to buy it else ditch the web hosting that I have. I have a now free lifetime deal on the hosting which is why I chose to pay up).
0
Comments
-
Your choice of web hosts
Your choice to buy a private key without checking you could actually use it with your web host easily.
Don't see an avenue for a refundEx forum ambassador
Long term forum member2 -
I am not asking for a refund from the company I bought the certificate from. The issue is my web hosting, a different company, who are asking me to send my private key. Everything I am reading on the web says the private key must be kept private. Its usually uploaded to the server via cpanel not emailed where it could be intercepted during transmission.
If someone could just answer the technical question rather than the consumer law question that would be great thanks.
0 -
If you don't send the correct private key for the certificate to the hosts, the certificate is useless. The guy at the hosting company is right, they MUST have the private key to install on the server.
Proud member of the wokerati, though I don't eat tofu.Home is where my books are.Solar PV 5.2kWp system, SE facing, >1% shading, installed March 2019.Mortgage free July 20232 -
Ok I guess the private key can be sent safely so long as it is sent using an encryption method?
But the admins at the web hosting company have access to the private keys and we just have to trust them? Is that normally how it works?
If a private key and Certificate are uploaded and installed via the manage SSL option in cpanel then do the admins have access to the private key in that scenario?
0 -
KeepTheFaith said:Ok I guess the private key can be sent safely so long as it is sent using an encryption method?
But the admins at the web hosting company have access to the private keys and we just have to trust them? Is that normally how it works?
If a private key and Certificate are uploaded and installed via the manage SSL option in cpanel then do the admins have access to the private key in that scenario?If you can upload it via cpanel that is much better than emailing it. The hosting company will still have access, that is inevitable.Yes you just have to trust the hosting company. If you don't want a hosting company involved then you're going to need to rent some rack space in a datacenter and put your own server in and maintain it yourself. That will cost £££££££££ and take up a lot of time in learning how to configure and maintain a server, because the cpanel end is just a tiny fraction of what's involved.Proud member of the wokerati, though I don't eat tofu.Home is where my books are.Solar PV 5.2kWp system, SE facing, >1% shading, installed March 2019.Mortgage free July 20232 -
Move to a hosting company that uses/lets you use LetsEncrypt.
A dream is not reality, but who's to say which is which?1 -
Thanks for explaining that. I somehow had imagined it was a system where even the web hosting company didn't have access to the private key itself but used some other technical encryption method so they didn't need to access it. But sounds like unless you have full control of everything the system still relies on an element of trust of other people.0
-
Is there many actually allowing that then?CoastingHatbox said:Move to a hosting company that uses/lets you use LetsEncrypt.0 -
You'll need to research to find if there are many but certainly there are some, presumably one is enough. I use Mythic Beasts who provide Let Encrypt https:// for web sites as part of the basic hosting package. No outrageous extra costs, and user installable with a mouse click or two.
1
Confirm your email address to Create Threads and Reply
Categories
- All Categories
- 351.7K Banking & Borrowing
- 253.4K Reduce Debt & Boost Income
- 454K Spending & Discounts
- 244.7K Work, Benefits & Business
- 600.1K Mortgages, Homes & Bills
- 177.3K Life & Family
- 258.4K Travel & Transport
- 1.5M Hobbies & Leisure
- 16.2K Discuss & Feedback
- 37.6K Read-Only Boards