I am planning to install SSL certificate for my website & I am completely new for that and I am not a technical guy.
My question is as in the home page to install SSL we need Shell Access from the hosting provider which is not available for me as I am in shared hosting.
I contacted hosting team and asked for the shell access and I got a mail something like this:
“SSh access is not allowed on shared hosting
and for installing SSL you dnt need shell access
all you have to do create the CSR and then your SSL provider will provide you the CRT and Ca bundle for installing the SSL”
In this case what I should do? Anybody help me in that.
As @ahaw021 said, you can use ZeroSSL in this case and it should work fine. (The "CRT" in this sense is the certificate and the "CA bundle" is the chain certificate.) However, this isn't necessarily very convenient because you'll have to repeat the process at least every three months—that's how long Let's Encrypt certificates last.
It would be more convenient for most people to get their hosting provider to implement some kind of more automated support for Let's Encrypt. Many providers have already done this.
For example, if your provider gives you a control panel interface to configure your shared hosting, the control panel might have a built-in feature or add-on to support Let's Encrypt automatically, which the hosting provider might just need to enable. You could also consider switching to a different hosting provider that has more convenient support for Let's Encrypt integration.
A bit more explanation on the ZeroSSL part, since this is likely the route you’ll want to go. If you go tho the ZeroSSL page, you’ll see an option to get a free SSL certificate; this is the option for getting a Let’s Encrypt certificate. It will work you through the steps. You can leave the account key and CSR part blank - you don’t have these yet and it will generate them for you. There are two ways to verify that you own the domain(s) that you’re getting a certificate for when using ZeroSSL: by putting a file on your web server, or by making a special DNS entry. The first option is usually easier for less technical users. On your shared hosting, you have a place where you put your website files. In this directory, you’ll create a new directory called ‘.well-known’, and then inside that you’ll create one called ‘acme-challenge’. In here, you will place a specially-named text file with specific contents. ZeroSSL will give you the file you need. Once you put it here (and verify that you can access it), ZeroSSL will interface with Let’s Encrypt to get you the certificate.
The first time, it will provide you with several pieces of information:
An account key
the private key for your certificate
your certificate
a CA bundle
Save all these, and use the account key when you renew (must be done at least every 90 days as this is how long Let’s Encrypt certificates are valid for), and paste the contents of the other files into the respective areas on your shared hosting control panel, wherever you upload certificates.
Just a small correction - the certificate file downloadable on the last step contains both the domain certificate and the issuer's certificate (each in-between ---BEGIN and ---END lines). Most modern web-servers will accept that as is. For the the interfaces like cPanel, which may want the domain certificate and "CA Bundle" entered separately, you just need to take the first certificate (with its ---BEGIN and ---END lines) from that file as the "domain certificate" and the second (also with those lines) as the "CA Bundle".
So the list of files for the first time (when everything is created anew) will be:
An account key (use the same for renewal)
A CSR (use the same for renewal or generate a new one if you want to also get a new domain key)
Your certificate* (use on your web-server, NOT needed for renewal)
Your domain key (use on your web-server, NOT needed for renewal)
*As mentioned, the certificate file contains both the domain certificate and so-called "CA Bundle" (sometimes also called "Certificate chain" or "Intermediate certificate", depending on the panel).
NB: If you use the downloadable client instead of online one, you can use --legacy option to split those for you.
I would generally recommend not using the CSR for renewal, so that you’ll get a new private key. It’s not strictly necessary, but improves security in the long run.
This is indeed an option - I have amended the above to make it more clear The advantage of re-using the CSR for non-technical users is that it basically reduces the chances of making a mistake when re-typing the same set of domain names (apart from keeping the old key). But one might want to rotate it once in a while indeed.
The advantage of re-using the CSR for non-technical users is that it basically reduces the chances of making a mistake when re-typing the same set of domain names (apart from keeping the old key). But one might want to rotate it once in a while indeed.