Your Feedback Wanted Re SSL Provisioning/Management


Matt

  • WHMCS CEO

Your Feedback Wanted

 

Hi Guys,

 

We're looking for your feedback and ideas on a particular section we're working on at the moment for the next release, and that is the SSL Provisioning & Management Functionality in WHMCS.

 

SSL is a simple way of offering additional products & services to your clients, thus meaning more profits for you, and so we're looking at ways we can improve and make that simpler for you in the next version of WHMCS.

 

As many of you know, we integrate with both Enom & GlobalSign for SSL Provisioning and the current implementation allows all certificates of Enom and the AlphaSSL & DomainSSL certificates from GlobalSign to be both ordered & configured. So to start with we've implemented the necessary extra fields to expand the GlobalSign offering to include their OrganizationSSL & ExtendedSSL cert types.

 

In addition to that we're adding support for automatic SSL renewals (which is not something that SSL providers' APIs offer from their side) by storing the initial configuration data a user supplies ready to be re-used when it comes to the annual renewal of an SSL certificate, along with an addon admin page that will list all SSL orders and their status (Awaiting Configuration, Completed, etc.).

 

There will also be a link to the configuration process for a purchased SSL added to the client area product view to allow users to navigate there without needing the link they only get sent by email currently.

 

So what we're looking for here is any comments, feedback and/or suggestions about the current SSL provisioning/management functionality and anything you'd like to see in addition to the above added for it and we'll certainly consider it.

 

Thanks in advance for your contributions,

 

Matt


Needs three more providers

* Comodo - who have a lot of web hosts as resellers

* Comodo (for those using the reseller/affiliate direct link methods)

* Generic - which collects and emails the admins, so orders can be taken for Thawte, VeriSign, GeoTrust etc. for those of us that are direct clients of the CAs, not reselling through Enom

 

You also need a "CA Expiry date" as often the time it's bought for doesn't correspond to the client's expectations - this can be that we get it for 5 years, even if the client only pays for 2 (so on *renewal* if the projected next-renewal date is still less than CA-expiry, nothing to do) or when it's bundled with the hosting package (which might be monthly or whatever)

 

Renewals won't work where a new key (or key of greater length) is needed, so you'll need an option for "don't auto-renew certificates where created before (date)" as ISTR all CAs have moved to 2048-bit CSRs now

 

A field for which email to send the confirmations would help, as there are limited places that are allowed, and not all work with all email systems (admin@, administrator@ etc. are often reserved words)

 

Allowing upgrades to a higher version of a Cert (say from a DV to an IV etc.) would also be useful.


The proposed changes would definitely be a plus. Renewal support for anything is always helpful. However, care would need to be taken in how it's implemented though for various reasons; as pointed out by othellotech.

 

Actually, I was just thinking today that having a link within the product details page to the configuration URL would be good. What prompted me to think of that is an issue which has been reported to us (I've opened a ticket with you about this). They could just go to their client area and click the link instead of having to go back through their e-mail to find it.

 

Since those such as GlobalSign offer unlimited reissues at no cost, it would be good for the client to be able to do so on their own from the client area; provided, of course, that the support for such functionality is there or that they would be willing to add it to their API.

Edited by GGWH-James

  • WHMCS CEO

Thanks for all the feedback so far. In answer to the points raised:

 

> Renewals won't work where a new key (or key of greater length) is needed, so you'll need an option for "don't auto-renew certificates where created before (date)" as ISTR all CAs have moved to 2048-bit CSRs now

 

Surely you can still let the renewal invoice and payment occur. The automated renewal might fail but then the client can login and configure manually with the new details as required.

 

> A field for which email to send the confirmations would help, as there are limited places that are allowed, and not all work with all email systems (admin@, administrator@ etc. are often reserved words)

 

The user is already presented with a choice of where to send the confirmation emails to. Those are determined by the SSL provider's API that is being used at the time and displayed via WHMCS.

 

> Allowing upgrades to a higher version of a Cert (say from a DV to an IV etc.) would also be useful.

 

The providers we support so far don't allow changing of the cert type via their API once provisioned so we'll have to leave this one for the future

 

> Since those such as GlobalSign offer unlimited reissues at no cost, it would be good for the client to be able to do so on their own from the client area; provided, of course, that the support for such functionality is there or that they would be willing to add it to their API.

 

Will check into if that allows a complete reconfig and if we can implement this.

 

> The GlobalSign module currently delivers the completed certificate to the company who sold the certificate, rather than the individual who purchased the certificate. I'd like to see that fixed.

 

That is out of our control and is something you would need to talk to GlobalSign about.


>Surely you can still let the renewal invoice and payment occur

yes

 

>but then the client can login and configure manually with the new details as required

we don't let clients configure anything ;)

 

>The user is already presented with a choice of where to send the confirmation emails to

IMHO needs to be an admin choice (by ssl type) and to skip the user selection

 

>The providers we support so far don't allow changing of the cert type via their API

>once provisioned so we'll have to leave this one for the future

 

for those that don't allow upgrades (a flag on the cert type by provider?) it could order a new one - still (relatively) seamless to the end user

 

>That is out of our control and is something you would need to talk to GlobalSign about.

we'd always prefer them sent to us, we can send them on if needed, but need to "file" a copy as clients invariably lose them


  • WHMCS CEO

An interesting development from Enom on the renewal front:

When you replace your certificate with one configured with the same information as the original certificate (except for the CSR, which must be new), the new expiration date will be 12 months from the date of purchase, plus 1, 2 or 3 bonus months based on the table below. The bonus months allow you to install your certificate immediately without losing any time paid on the old certificate. Please see the example for further clarification.

 

Renewal Time Frame: Bonus Service

46 - 90 days before expiration date: 3 months

16 - 45 days before expiration date: 2 months

15 days or less before expiration date: 1 month

Up to 15 days after expiration date: 1 month

 

Which if true, raises the question that if the CSR must be newly generated for each renewal, then automated renewals are never going to be possible and are always going to require the user to login and submit a new CSR rather than re-using the original. Has anyone tried renewing with a CSR from 1 or 2 years ago?

 

@xeqution: Enom's API docs state differently and say that the confirmation email must be one of the "qualified approvers for the domain name embedded in a CSR" as below:

 

ApproverEmail - The Email address of the registrant of record for the domain to be associated with this cert. Use the CertParseCSR command to retrieve the domain name, and then use the CertGetApproverEmail command to retrieve the registrant’s email address (the “approver”) from the authoritative Whois database.

 

Matt


> Which if true, raises the question that if the CSR must be newly generated for each renewal, then automated renewals are never going to be possible and are always going to require the user to login and submit a new CSR rather than re-using the original. Has anyone tried renewing with a CSR from 1 or 2 years ago?

 

Yes, we already do SSL renewals, and we re-use the existing CSR (if the right type/length) with zero issues with any SSL provider (and have accounts with all of them)


> Which if true, raises the question that if the CSR must be newly generated for each renewal, then automated renewals are never going to be possible and are always going to require the user to login and submit a new CSR rather than re-using the original. Has anyone tried renewing with a CSR from 1 or 2 years ago?
>
> Matt

 

Depends on who you use. Comodo requires a new order each time. So it is not a true renewal. Geotrust or GlobalSign store the CSR and when time for renewal simply use it and then send the validation email to client for renewal approval.

 

We would like to see a Comodo Mod and a better GlobalSign one that handles renewals so each renewal does not have to be a completely separate order if the cert was ordered through WHMCS the first time. While GlobalSign has a renewal feature in their control panel, they did not integrate it with their WHMCS mod.
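The renewal rules raised in the posts above (the CA-expiry comparison, the 2048-bit cutoff, the Enom bonus table and per-provider CSR reuse) can be combined into one decision, shown here as an added Python example that is not WHMCS or provider code. The `CertOrder` record, the action names and the provider set are assumptions built only from what posters report in this thread.

```python
from dataclasses import dataclass
from datetime import date

MIN_KEY_BITS = 2048  # cutoff mentioned in the thread for current CSRs
# Assumption taken from a poster's report above, not from vendor documentation:
# Comodo needs a fresh order each time; GeoTrust/GlobalSign reuse the stored CSR.
NEW_ORDER_EACH_TIME = {"comodo"}


@dataclass
class CertOrder:          # hypothetical record, not a WHMCS table
    provider: str
    key_bits: int         # size of the key behind the stored CSR
    ca_expiry: date       # when the CA-issued certificate really expires
    next_renewal: date    # projected end of the term the client is paying for


def enom_bonus_months(renew_on: date, expires: date) -> int:
    """Bonus months from the Enom table quoted in the thread."""
    days_left = (expires - renew_on).days
    if 46 <= days_left <= 90:
        return 3
    if 16 <= days_left <= 45:
        return 2
    if -15 <= days_left <= 15:   # 15 days or less before, up to 15 days after
        return 1
    return 0                     # outside the quoted windows (assumed: no bonus)


def plan_renewal(order: CertOrder) -> str:
    """Decide what the billing renewal should trigger on the CA side."""
    if order.next_renewal < order.ca_expiry:
        return "nothing_to_do"       # certificate already outlives the paid term
    if order.key_bits < MIN_KEY_BITS:
        return "manual_rekey"        # invoice as usual; client submits a new CSR
    if order.provider.lower() in NEW_ORDER_EACH_TIME:
        return "new_order"           # not a true renewal, place a fresh order
    return "reuse_stored_csr"


if __name__ == "__main__":
    # Constructed sample orders, not real data.
    samples = [
        CertOrder("GlobalSign", 2048, date(2012, 1, 1), date(2011, 6, 1)),
        CertOrder("GlobalSign", 1024, date(2010, 6, 1), date(2011, 6, 1)),
        CertOrder("Comodo", 2048, date(2010, 6, 1), date(2011, 6, 1)),
    ]
    for s in samples:
        print(s.provider, s.key_bits, plan_renewal(s))
```

Checking key size before the provider rule means a short-key certificate is never silently renewed with its old CSR, whichever CA issued it.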


  • 2 weeks later...

There is no way in the clients account to manage the SSL.

 

Currently you are only able to process an SSL certificate using the WHMCS generated email with the configuration link.

 

It is necessary to re-key and re-issue a certificate. I would like to see this functionality.

 

-mike


Definitely +1 for Comodo.

 

Talking with a Partner Account Manager from Comodo last week. First question I asked was had they considered producing a module for WHMCS.

 

This is the response I got - "We’re actually in the final stages of development, so you can expect to see a beta version very shortly."

 

So maybe there will be some help on the horizon for us Comodo resellers.

 

-Roger


  • 2 weeks later...
  • 3 weeks later...
  • 2 weeks later...
  • 4 weeks later...
  • 1 month later...
  • 11 months later...

I understand this is old stuff but I am assuming you are still taking requests on this.

 

Consider creating the Key and the CSR from the user-supplied information in WHMCS; this would eliminate any copy and paste issues with the CSR, and you could then immediately submit the CSR to the issuer with all the details.

 

Have the client confirm all information is filled out correctly before submitting it. This would go some way towards fully automating the sales of SSL.

 

If it required some validation before submitting then you put a hold on it while admin perform their tasks; at this point you have everything you need from the client, until admin request any documents, so as far as WHMCS goes, it's just an order being processed.

 

The returned certificates could also be automatically installed onto the client's hosting where the host receives the certs. Obviously each issuer provides the certs in different ways, but I suspect if you were to contact some of them they may look into finding a way to integrate more fully for an end to end automated system, as long as the host agrees to their conditions, which we have to do anyway. If the client receives it, WHMCS's job is done, except for putting in some sort of tracking to provide a way to remind clients that their SSL is due to expire.

 

SSL automation in this way, will put less load on their system due to reissues when a client gets the information wrong and less support requests to them.

 

Essay over, I think I make no sense lol
