HTTPS and SSL Overview 0:00
It's now so easy to secure a website with HTTPS that we'll have a hard time finding any reputable website that's just not doing it. In fact, some TLDs such as .dev and .app require the use of HTTPS on any domain using them. Now, if you're not familiar, HTTPS is a secured version of HTTP that uses an SSL certificate to encrypt and exchange connections between the user and the server. Feel like how we use a private and public key to SSH into our Forge servers or to push to GitHub? We can manage our site's SSL certificates by going to the SSL panel in our site's dashboard.

Forge SSL Options 0:39
Forge offers two methods of securing our website. The first is through the use of a free service called Let's Encrypt, which generates an SSL certificate on our server and automatically renews it for us. The second way is to import our own certificate, which we can do if we've purchased a certificate through an external provider such as Cloudflare or our domain provider. We'll start by configuring and installing a Let's Encrypt certificate. Now keep in mind, there are two things you need to know when using Let's Encrypt.

Installing Let's Encrypt 1:13
The first is that Forge will configure your site to automatically renew your certificate within 21 days of its expiry date. The second is that if you cancel your Forge subscription, your site will remain secure until it's due to renew, at which point Forge will not be able to renew your certificate and your site will become insecure. Installing a Let's Encrypt certificate is ridiculously easy. In fact, Forge has done most of the work here for us.
It's already filled in our domains, zonda.quest as our primary domain, and our www redirect, and then it's selected the public key algorithm.

Manual Certificate Setup 1:43
Now in most cases, you're going to want to use ECDSA, but sometimes you might need to use RSA, which is a legacy version. Finally, we can opt to prefer the ISRG Root X1 chain, which is a bit of a mouthful. It's recommended that you keep that option disabled, and whilst it will work, you will find that older Android devices will not be able to reach your websites. Now we've seen how we can install a Let's Encrypt certificate, but we need to now look at how we can do manual certificates. There's two options here.

Generating Cloudflare Origin Cert 2:16
We can create a signing request, which is also known as a CSR, and this will generate a private key that we can then use to purchase our own certificate with. If we've already done that, or we've generated a certificate already, we can install existing. Now here we need a private key and a certificate. So I'm going to switch to Cloudflare, which is my domain provider in this case, and I'm going to go to the origin server tab under SSL and create a certificate. Now the first thing that we're asked for is whether we want Cloudflare to generate a private key and CSR, or to use our own. So if we just jump back here, we could create our own signing request and provide the key to Cloudflare, but in this case, I'm just going to let Cloudflare generate those.
The next thing is the host names that we wish to have this certificate valid for. I'm going to leave this with all subdomains of zonda.quest and the root domain of zonda.quest. I'm also going to allow the certificate to be valid for 15 years, but we could choose anything that we want here. So we will create this certificate and now Cloudflare has generated the certificate and the private key for us.

Installing and Activating Cert 3:34
You'll see that there are a couple of different key formats, but we just want to stick with PEM here. So the first thing we need is our private key and we will paste that into Forge. And then we also want our origin certificate, which we'll then paste into Forge. When we install the certificate, Forge isn't going to initially activate it. So our site won't be secured. What it's doing here is just installing the certificate onto our server, and then we can go ahead and activate it. Okay. And with our certificate activated, SSL is now enabled on our site. Now when using Cloudflare to manage our SSL certificates, sometimes we may need to go and enable either full or full strict as the encryption mode. This is to verify that our origin certificate that we just added is actually correct and trusted.