OK I’m looking at it now. Looks like I use the free tools section. Do I do the self signed certificate generator or the free SSL certificate wizard. I see it is asking for some encrypt the key or certificate for me to input. Do I run the self signed certificate generator first and use that information into the wizard after? Please explain.
You’ll want the free SSL certificate generator only. If you don’t have a Let’s Encryph account key already, it will generate one in four browser for you to save for next time. Same thing with the CSR. If you don’t have one already, just put the domain names in the bar above this field and it will generate the CSR for you. You can also save this for next time.
I copy the two things that are output.
I email those two things to green geeks Per their response above.
Then I figure out what I’m supposed to put in my Htaccess file, and what I need to change in WordPress, and then it will be secure for three months.
At that point I will enter the domain again in the same spot and paste the output to green geeks for them to update it.
Am I understanding this correctly?
Pretty much! Just a couple extra things to clarify. The first time, you’ll actually get 4 pieces of information from ZeroSSL. 1) A Let’s Encrypt account key. This is just for you and identifies your LE account. It’s helpful to have on hand for revocations and renewals. You can paste this back in when you renew in 3 months. 2) A Certificate Signing Request. Same thing, just paste this back in when you renew to make it easier. Neither of these need to go to your hosting provider.
A private key for your certificate. This is important and should be kept safe. You will only get this once, and won’t paste it back in. That CSR has the public key corresponding to your private key in it, so when you renew you’ll just keep using the same private key. You will need to send this to your hosting provider.
the certificate itself. This is not a confidential piece of information, and is the part that expires in three months. You’ll also send this to your hosting provider, and when you renew, this is the piece that will change and you’ll get a new one of.
That page only says key and certificate is generated. Does it take you to another screen for the other information?
Or really what it looks like to me is that you’re saying go to this link first and generate this information:
And then it looks like you’re saying go to this link and generate this information.
Then I copy and paste the private key and the certificate to the host.
Three pieces of information remain the same always and those three pieces of information generate the certificate. Every three months I need to send a private key in new certificate to the host.
Yes, you should use that tool and tell it that you want a certificate for domain.com and www.domain.com. At the very end of the process, after your certificate has been issued, the tool will allow you to download/save a private key and a certificate. You’ll need to send both of those to the hosting provider.
Ok cool i can handle that. You have a link or can you give me the step by step of what to do with the htaccess and anything else in wordpress?
Then once that is complete is there a test site to make sure everything is workin?
Apparently SSL Labs would like to encourage people to use the CAA mechanism and provides a warning if you don’t.
You could use this mechanism by adding a DNS record to your DNS zone file saying which certificate authorities you would like to be able to issue certificates for your domain.
This does not directly affect the security of your existing certificate or connections to your site. It provides, in theory, a way to discourage certain attacks where someone else later requests a different fake certificate for your site.
In my opinion, this is not really necessary if you don’t already know what it is and you don’t specifically envision people trying to perform sophisticated attacks against your site. You can also see that SSL Labs is still willing to give you the A+ without it, suggesting that it’s not currently a high priority for them either. But if you’re interested, feel free to read the Wikipedia article and consider adding the record to your DNS.