SSL/TLS Certificate Setup and Management

Let's Encrypt SSL (Free SSL)

  1. Prerequisites:
    • Domain must point to server (DNS configured)
    • Port 80 must be accessible (for validation)
    • Website must be active
  2. Enable Let's Encrypt:
    • Go to Sites → Website → Domain
    • Check "SSL" checkbox
    • Check "Let's Encrypt SSL" checkbox
    • Save changes
  3. Automatic process:
    • ISPConfig requests certificate
    • Domain validation via HTTP
    • Certificate installed automatically
    • Auto-renewal every 60-90 days

Commercial SSL Certificate

  1. Generate CSR (Certificate Signing Request):
    • Go to Sites → Website → SSL tab
    • Select "Create Certificate" action
    • Fill in certificate details:
      • Country: Two-letter code (US, GB, etc.)
      • State: Full state name
      • Locality: City name
      • Organization: Company name
      • Organizational Unit: Department
      • Common Name: yourdomain.com
    • Click "Create Certificate"
    • Copy CSR from SSL Request field
  2. Purchase SSL Certificate:
    • Submit CSR to certificate authority
    • Complete validation (DV, OV, or EV)
    • Receive certificate files
  3. Install Certificate:
    • Paste certificate in "SSL Certificate" field
    • Paste intermediate/chain in "SSL Bundle" field
    • Save changes

Self-Signed Certificate (Testing Only)

  1. Go to Sites → Website → SSL tab
  2. Select "Create Certificate" action
  3. Fill in certificate details
  4. Leave "SSL Request" and "SSL Certificate" empty
  5. Click "Save"
  6. ISPConfig generates self-signed certificate

Wildcard SSL Certificates

For Let's Encrypt wildcard certificates:

  1. Requires DNS validation (not HTTP)
  2. Manual DNS TXT record creation needed
  3. Covers *.yourdomain.com and yourdomain.com
  4. Alternative: Use individual certificates per subdomain

SSL Configuration Options

Force SSL Redirect

Redirect all HTTP to HTTPS:

# Apache Directives field
RewriteEngine On
RewriteCond %{HTTPS} off
RewriteRule ^(.*)$ https://%{HTTP_HOST}/$1 [R=301,L]

HSTS (HTTP Strict Transport Security)

# Apache Directives field
Header always set Strict-Transport-Security "max-age=31536000; includeSubDomains"

SSL Security Headers

Add to Apache Directives for enhanced security:

# Security headers
Header always set X-Frame-Options "SAMEORIGIN"
Header always set X-Content-Type-Options "nosniff"
Header always set X-XSS-Protection "1; mode=block"
Header always set Referrer-Policy "strict-origin-when-cross-origin"
Header always set Content-Security-Policy "default-src 'self'"

SSL/TLS Protocols

Configure supported protocols (Apache Directives):

# Disable old protocols
SSLProtocol -all +TLSv1.2 +TLSv1.3

# Strong cipher suites only
SSLCipherSuite ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256
SSLHonorCipherOrder on

SSL Certificate Monitoring

  • Check expiry: Sites → Websites → SSL tab
  • Monitor Let's Encrypt renewal logs
  • Set up expiry alerts via monitoring tools
  • Test SSL configuration: ssllabs.com/ssltest

Troubleshooting SSL Issues

  • Certificate not trusted: Check intermediate certificates
  • Mixed content warning: Update HTTP links to HTTPS
  • Let's Encrypt failed: Verify DNS and port 80 access
  • Certificate mismatch: Verify domain name matches certificate
  • Renewal failed: Check ISPConfig cron jobs
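The expiry, chain and name checks from the monitoring and troubleshooting lists above can be scripted locally against the certificate and bundle files before they are pasted into the SSL tab. This is an added example, not ISPConfig's own code; it assumes the openssl command-line tool is installed, and the throwaway CA and the example.test leaf certificate it generates are constructed test material.

```shell
#!/bin/sh
# Added example (not ISPConfig code): check a certificate and its CA bundle
# locally, the same checks a monitoring cron job would run.
set -eu

# Return 0 if the certificate in $1 is still valid $2 days from now, 1 if it
# expires sooner. openssl's -checkend does the date arithmetic portably.
cert_valid_for_days() {
    openssl x509 -noout -in "$1" -checkend "$(( $2 * 86400 ))" >/dev/null 2>&1
}

# Return 0 if the leaf certificate $1 chains to a root through the bundle $2.
# A failure here is the "Certificate not trusted" symptom.
chain_verifies() {
    openssl verify -CAfile "$2" "$1" >/dev/null 2>&1
}

# Print the subject so the Common Name can be compared with the site's
# domain ("Certificate mismatch").
cert_subject() {
    openssl x509 -noout -subject -in "$1"
}

# Constructed test material: a throwaway root CA and a 30-day leaf for
# example.test, standing in for the files a CA would send back.
make_test_material() {
    openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 365 \
        -subj "/CN=Test Root CA" -keyout "$1/ca.key" -out "$1/ca.pem" 2>/dev/null
    openssl req -newkey rsa:2048 -nodes -sha256 -subj "/CN=example.test" \
        -keyout "$1/site.key" -out "$1/site.csr" 2>/dev/null
    openssl x509 -req -days 30 -sha256 -in "$1/site.csr" -CA "$1/ca.pem" \
        -CAkey "$1/ca.key" -CAcreateserial -out "$1/site.pem" 2>/dev/null
}

# Report on one certificate: subject, chain status, and an expiry warning
# when fewer than $3 days remain.
report() {
    cert=$1; bundle=$2; warn_days=$3
    cert_subject "$cert"
    if chain_verifies "$cert" "$bundle"; then echo "chain: OK"; else echo "chain: BROKEN"; fi
    if cert_valid_for_days "$cert" "$warn_days"; then
        echo "expiry: more than $warn_days days left"
    else
        echo "expiry: WARNING, expires within $warn_days days"
    fi
}

# Run with the argument "demo" to exercise the checks on the constructed material.
if [ "${1:-}" = "demo" ]; then
    t=$(mktemp -d); make_test_material "$t"; report "$t/site.pem" "$t/ca.pem" 14
fi
```

Point report at the files ISPConfig writes for a site (or at the files received from the CA) and run it from cron to get the expiry alert the monitoring list recommends.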

SSL for Mail Server

  1. Use server hostname certificate
  2. Or create mail.yourdomain.com certificate
  3. Configure in Postfix and Dovecot
  4. Update mail client settings to use SSL/TLS

Best Practice: Always use SSL certificates for all websites. Let's Encrypt provides free certificates suitable for most use cases.