We always get a lot of questions about how Incapsula supports SSL websites. In the next few weeks we will be introducing several new SSL related features so this seemed like a good time to answer some of those questions and also provide a brief introduction about SSL – what it is, how it works and how you can use it with Incapsula .
What is SSL?
Secure Sockets Layer (SSL) is an industry standard encryption protocol, used for secure HTTPS web browsing, e-mails and other types of on-line communication.
SSL is an asymmetric encryption method which relies on two different cryptographic keys – one Public and one Private. These keys are mathematically related. SSL Private Key will consist of two very large prime numbers that, when multiplied, result in a third number – a Public Key. This unique relation is used for cross-communication; mutual verification and encryption or decryption of SSL data.
Typical SSL keys are 1024 bit or 2048 bit long. In theory one should be able to deduct the Private keys’ values by combing through all possible combinations of the Public key prime multipliers. Yet the length of these prime numbers helps prevents such reverse engineering attempts, as the sheer number of mathematical possibilities makes this task almost impossible.
Incapsula SSL Features
How it works?
When using Incapsula, our servers become the intermediate for all traffic to your website, including SSL traffic. To facilitate this, Incapsula needs a valid SSL certificate for your domain installed on all its servers worldwide. To provision this certificate, we have integrated Incapsula’s setup process with some of the leading certificate providers that enable our customers to issue Incapsula with a certificate for their domain, in a very simple way and at NO ADDITIONAL COST. Your original server’s certificate will still be used for Incapsula-to-Server requests and the new Incapsula issued certificates will be used to handle all Incapsula-to-Visitor communication.
To provide the best possible solution to our clients, these Incapsula issued certificates are signed by worlds’ leading SSL authorities, supported by all major browsers and devices and are trusted by 99.9% of the Internet population. Moreover, they are using 2048 bit key encryption, thus boosting security for all 1024 bit certificate holders.
Q: What if I have a self-signed certificate?
A: Even if you only have a very basic self-signed certificate, with Incapsula your SSL will be automatically upgraded to widely accepted and professionally signed, 2048 bit certificate. This will improve SSL security and instantly solve SSL related compatibility issues.
Each SSL certificate requires its own dedicated IP address. This fact alone, fueled by the rapidly growing IPv4 address shortage, already poses an issue for many hosting providers.
In our case things are even more complex, as the CDN nature of our service requires us to have a valid version of each certificate on every one of our data centers.
Unless solved, this issue would force us to allocate multiple sticky IPs for each certificate, diminishing the overall IP pool, hindering on traffic routing and raising the costs for us and our clients.
Subject Alternative Name (SAN) SSL certificates provided us with an efficient and cost effective solution we were looking for. These multi-use certificates were created to reduce cost and simplify management by supporting the inclusion of multiple names within the same certificate and in our case they also allowed us to deal with the IP shortage by allocating multiple domain names to a single IP.
The SSL activation process is pretty straight forward. On signup, Incapsula will detect your SSL support and prompt you with a system message, asking for e-mail verification for proof of ownership. The system will then present you with a list of generic domain owner e-mails (i.e. firstname.lastname@example.org) to be used for SSL activation.
Once an address was selected, you`ll receive a typical ‘click here to verify’ message. Once verified, the SSL will automatically become active on your site.
Incapsula SSL Support – Frequently Asked Question
Q: Do I need to purchase SSL certificate, when onboarding Incapsula?
A: Absolutely not. We provide the certificate at no extra cost.
Q: Do I need to surrender my Private Key to Incapsula?
Q: Do I need to use your Business plan to have my SSL supported?
A: No. This is part of the reason why we introduced our new Personal plan, which offers SSL support and will only cost you 9$/month.
Q: Will Incapsula cache HTTPS content?
A: Yes, but we will do so selectively. For example, we will not cache HTML, unless specifically directed to do by cache Headers.
Q: What port do you use for SSL traffic and can I use another port?
A: The default SSL port is 443 and yes, you can use another port but you’ll need to contact our support.
Q: I didn’t receive the verification e-mail.
A: Check your ‘Spam’ folder and if it’s not there, contact our support for further assistance.
Q: I have an EV certificate and I want to keep using it, what can I do?
A: Incapsula’s Enterprise plan fully supports EV certificate and other custom SSL options.
Q: How do I add SSL support, if I didn’t have SSL when I first activated Incapsula?
A: Even after the initial site’s setup we will continue to monitor your SSL support so the system should detect this automatically. When this happens, new SSL controls will auto-appear in you ‘Settings’ screen and you can use them to add your new certificate. Also, you can always contact our support and we will be glad to help out.