SSL (Secure Sockets Layer) security certificates become necessary when you start doing payments using credit cards. It is a common requirement of banks if you cooperate with some of them, to provide payments with credit cards.
We can divide SSL certificates into two large categories according to the use of certificates:
- Identity certificates—the objective of these certificates is to inform whether the visitor whose address was typed into the input is on the web page.
- Encryption certificates—these protect the data between two computers (for example, between the online shop and visitor) so that all the data are confidential.
Also, TYPO3 users sometimes use SSL certificates for administrative side (backend) protection. This is possible using a web page provider's free SSL. Such certificates can be created using the open source solution OpenSSL.
But these certificates based on OpenSSL can be untrustworthy for web page visitors, because the certificate developer could be an unknown company. For web page users, it is necessary to identify the developer of the SSL certificate—this means that the certificate is really an SSL certificate and is secure. SSL should be installed on the server side for the following steps.
Remember that for your SSL certificate use, you have to install it. You should add certificates files (*.crt files) and private key files (*.key) to your web space. Also, you should configure the server, which for an Apache server will be like the example code below:
<VirtualHost 127.0.0.1:443> DocumentRoot C:/xampp/htdocs/berriesshop ServerName www.berriesshop.ltd SSLEngine on SSLCertificateFile /path/to/certificate.crt SSLCertificateKeyFile /path/to/key.key SSLCertificateChainFile /path/to/chain.crt </VirtualHost>
For the correct SSL to work on your web space, carefully read the accordant server documentation:
- Apache SSL: http://www.apache-ssl.org/
- Windows IIS: http://support.microsoft.com/kb/299875
- Apache Mac OS X: http://developer.apple.com/internet/serverside/modssl.html
For SSL operating on a web server, accordant software is needed. For example, the Apache module is mod_ssl, which includes OpenSSL library or full OpenSSL software.
You can find detailed information on how to configure a server or virtual domain in the corresponding web server documentation.
For using TYPO3 with an SSL certificate for administrative side protection, go to the section "Install" or to your web page address:
http://www.example.com/typo3/install
From this address, you can move on to the "Install Tool" and activate some necessary options. The ENABLE_INSTALL_TOOL file in newer TYPO3 versions is available only for one hour (for security reasons). So, you should create this file manually— either through FTP client, or you can easily create the ENABLE_INSTALL_TOOL file from TYPO3 BE module User Settings. Use the Create Install Tool Enable File as shown in the following screenshot:
After the Install Tool access file is created, enter the Install Tool password—you can now access your TYPO3 options and configuration.
When the changes in the Install Tool are done, you can delete the ENABLE_INSTALL_TOOL file in this TYPO3 BE module.
For activating the SSL support from the TYPO3 side, you need to use a definite parameter, adding integral (int.) from 0 to 3 depending on the preferable impact:
[BE][lockSSL] = 3
0—function switched off1—https activated2—activated https scheme with visual http scheme3—forced https use
If the http protocol on the web server by default is not "443", you should change this parameter by adding the necessary port number at the end:
[BE][lockSSLPort] = 0
We can assume that you will not need data encryption on every page. For example, you could use data encryption on the FE user's identification page for registry forms or to input sensitive bank/account information.
One solution is to use TypoScript and define the necessary pages with conditions. For easier management, you could use extra extensions from the TYPO3 repository, called "https_enforcer". With this extension, you can individually specify pages for which the https connection is necessary.
For pages requiring https, we can add such conditions in the constants:
[PIDinRootline = 12,19] config.baseURL = https://www.berriesshop.ltd [global]
This tells TYPO3 to set the html tag base URL for this page so that all the content on this page will be from the https' base URL.
Also, there are some extensions that can be useful.
There's a handy solution—the extra extension "https_enforcer" (Page HTTP/HTTPS Enforcer). This extension provides individual protocol management between http and https pages separately.
To use this extension:
- Download it from the TYPO3 TER.
- Install it through the Extension Manager.
- Approve new tables for the database.
- Perform extension configuration (it depends on the available options on your web page).
Note
Detailed instructions on how to manage configurations are on the TYPO3 web page: http://typo3.org/documentation/document-library/extension-manuals/https_enforcer/current/
Using the extension "sm_httpscm" (Page HTTP/HTTPS Enforcer via Clickmenu), you can add extra functions to the BE clickmenu (the menu that is shown when you click the site tree) as you can see in the following screenshot:
