Using Instart's Shared SAN Certificate

Deprecated

Instart supports the following SSL certificate options:

  • Instart-purchased UCC certificate
  • Your own SSL Certificate

This document describes how to use Instart's shared UCC certificate. You can read more about using your own SSL certificate here.

Securing web transactions and sessions for browsers

SSL (Secure Sockets Layer) is a standard technology for establishing an encrypted connection between a web server (host) and a web browser (client). This connection ensures that all data passed between the two remains private and intact.

When installed on a web server, an SSL certificate activates the padlock and the HTTPS protocol (over port 443) and allows secure connections from a web server to a browser. SSL is used to secure credit card transactions, data transfers, logins, and any electronic data that needs to be transmitted securely between the server and client.

Using an SSL certificate creates an encrypted connection between the user's web browser and the web server. Any data transmitted between the web server and the web browser must be decrypted at the receiving side. This protects the data from eavesdropping by someone else on the Internet, because they will not be able to understand the encrypted data.

Certificate Issuing Authority

SSL Certificates need to be issued from a trusted Certificate Authority's Root Certificate, and preferably by a 2048-bit Certificate that is widely distributed. The Root Certificate must be present on the end user's machine in order for the Certificate to be trusted.

If the certificate is not trusted, the browser will present untrusted-certificate error messages to the end user. In the case of e-commerce, such error messages result in an immediate lack of confidence in the website, and organizations risk losing confidence and business from the majority of consumers.

The SSL Certificate details, including information about the CA, validity status, and expiration date, can be found by clicking on the padlock next to the URL.

SSL certificate details displayed by browser

Support for SSL Certification and validation with Instart

Websites being delivered over the Instart platform are signed up with GlobalSign (www.globalsign.com) using SAN (Subject Alternative Names) certificates.

How do browsers use the Subject Alternative Name field in the SSL certificate?

When browsers connect to the CDN proxies using HTTPS, they check to make sure the SSL certificate matches the host name in the address bar.

There are three ways for browsers to find a match:

  • The host name (in the address bar) exactly matches the Common Name in the certificate's Subject.
  • The host name matches a wildcard common name. For example, www.example.com matches the common name *.example.com.
  • The host name is listed in the Subject Alternative Name field.
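
The three matching rules above, as an added example (not Instart's or any browser's code): `match_certificate`, `name_matches` and the sample certificate are hypothetical, and a wildcard is assumed to cover exactly one leftmost label. Current browsers such as Chrome consult only the Subject Alternative Name field, so the two Common Name rules are included only because the page lists them.

```python
from typing import List, Optional

# Constructed sample data: a shared SAN certificate whose Subject names the
# provider and whose SAN field lists customer host names (all hypothetical).
SHARED_CERT = {
    "common_name": "cdn.shared-provider.example",
    "san_dns": ["www.customer-a.example", "*.customer-b.example",
                "customer-b.example"],
}


def name_matches(pattern: str, hostname: str) -> bool:
    """Compare one certificate name with a host name, case-insensitively.

    A wildcard is honoured only as the whole leftmost label and stands for
    exactly one label: *.example.com covers www.example.com but neither
    example.com nor a.b.example.com.
    """
    p = pattern.lower().rstrip(".").split(".")
    h = hostname.lower().rstrip(".").split(".")
    if len(p) != len(h):
        return False
    if p[0] == "*":
        # Require two fixed labels after the wildcard so "*.com" never matches.
        return len(p) >= 3 and p[1:] == h[1:]
    return p == h


def match_certificate(hostname: str, common_name: str,
                      san_dns: List[str]) -> Optional[str]:
    """Return which rule matched ("san", "cn-exact", "cn-wildcard") or None."""
    for name in san_dns:
        if name_matches(name, hostname):
            return "san"
    if "*" not in common_name and name_matches(common_name, hostname):
        return "cn-exact"
    if common_name.startswith("*.") and name_matches(common_name, hostname):
        return "cn-wildcard"
    return None  # the browser would show a certificate name mismatch error


if __name__ == "__main__":
    for host in ("www.customer-a.example", "shop.customer-b.example",
                 "a.shop.customer-b.example", "www.unlisted.example"):
        print(host, "->", match_certificate(host, **SHARED_CERT))
```

A host name that is delivered through the shared certificate but absent from its SAN list returns `None`, which is the mismatch a browser reports before domain provisioning is complete.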

Getting started with SSL certificate provisioning

In order to get your domain listed with our SAN certificate, a one-time procedure is carried out to verify domain ownership, requiring you to follow any one of the methods detailed below.

Method 1: DNS method (preferred method)

A DNS TXT record can be used to verify domain ownership or implement a number of email security measures. TXT records can be added using administrator access at your domain host, as shown below.

If you choose this method, Instart will provide you with a Destination TXT/SPF string to use in the TXT record.

  1. Sign in to your domain's account at your domain host.
  2. Locate the page for updating your domain's DNS records. The page might be called something like DNS Management, Name Server Management, or Advanced Settings.
  3. Locate the TXT records for your domain and add a new record.

    Important

    The TXT record you add must have the correct values for your root domain.

  4. In the Destination TXT/SPF field, enter the string that Instart provided you with.
  5. Save your changes and wait until they take effect.

Method 2: Email verification

An email with a verification link is sent to the standard webmaster and admin addresses associated with the domain, listed below. Ownership of the domain can be confirmed by clicking on the link.

admin@domain.com
administrator@domain.com
hostmaster@domain.com
postmaster@domain.com
webmaster@domain.com

Note

The email addresses listed above are not customizable, and if you do not have access to the aliases listed, please choose from among the remaining options.

Method 3: Approver URL method

A meta tag is emailed to you along with a verification link. The meta tag needs to be included in the homepage (normally /index.html) within the <head> tags:

GlobalSign meta tag in the head of site homepage

Complete the verification process by clicking on the email link. This will direct you to a verify page with radio buttons for the Protocol and Domain. Select https along with the domain specification and click Verify.

Verify domain name with GlobalSign

Method 4: HTML method

Save the following HTML block as a file with the name GlobalsignVerify.htm on your domain and share the path to the file with the Instart customer support representative.

<html>
   <head>
      <title>Hello, Globalsign</title>
   </head>
   <body bgcolor="white">
      <table border="0" cellpadding="10">
         <tr>
            <td>
               <h1>Hello Globalsign</h1>
            </td>
         </tr>
      </table>
      <p>Hello Globalsign, this is our Instart Authorization Page for this Domain</p>
   </body>
</html>