How to Enable and Enforce SSL in Your Store

Avatar
Will Strohl

Overview

With all of the recent security standards and exploits, it's important to ensure that your website is as protected as possible.  This is not only because PCI DSS requires this, but it also protects your most important online asset, your website.  Even if you're not accepting payments online at this time, you're still accountable for the protection of private information sent using your contact forms.  Securing your website also has a positive impact on your SEO strategy.

Requirements

The following prerequisites will be necessary to accomplish the goals of this article:

  • Have a basic understanding of how SSL works, at a high level
  • Have superuser access to your website
  • Be comfortable and/or familiar with executing SQL commands
  • Have a valid SSL certificate already installed and enabled in your store

Getting Started

It's very important that you ensure that a valid SSL certificate is already installed and enabled.  If this isn't done, it's possible that you can make your website appear to be inaccessible to all visitors using the steps below.

These instructions apply to your website if it's running version 08.00.04 and earlier.  If you're running 09.00.00 or newer, these steps will be much different.

The order of securing and then enabling/enforcing SSL seen below is intentional.  You can perform these steps in either order, but the order suggested below can reduce the appearance of website downtime in many instances.

Enable SSL on All Pages

Before you can enforce SSL to be used on your website, you first need to make sure all pages on your website are enabled to use SSL.  This can be done two ways, both of which are outlined below.

Enable SSL Page by Page

Once you're logged in with an authorized user account, you can individually update each page on your site.  If you only have a few pages to update or are uncomfortable with SQL commands, this may be your preferred method.  Otherwise, the SQL method below is much more expedient.

First, navigate to a page that is not secured.  Choose to edit the Page Settings.

page-ssl-01.png

When the Page Settings load, choose the Advanced Settings tab, then expand the Other Settings section.

page-ssl-02.png

Find the setting labeled "Secure?" and check the checkbox.  In some instances, this will appear to be disabled, and this is because the website is not enabled to be secured by SSL in the Site Settings yet.

page-ssl-03.png

Now that the webpage is marked as secure, simply click the Update Page button at the bottom of the page to save your update. 

You'll want to repeat these steps for every unsecured page on your website.  If you leave any webpages unsecured, this creates a security exploit on your website.

Enable SSL Site-Wide Using SQL

This method of securing pages is much faster than the previous steps, but it also requires a little bit of familiarity and comfort with using the SQL language and editor.

Navigate to the SQL feature in the Host menu as shown below.

sql-page-ssl-01.png

Now, you'll want to execute the following command to update all web pages on your website to request the SSL version of their URL.  Simply enter it into the editor as shown below, then click the Run Script button to run the query.

sql-page-ssl-02.png

The query is listed again below for your copy/paste convenience.

UPDATE {databaseOwner}[{objectQualifier}Tabs] SET [IsSecure] = 1;

The query should not experience any errors, and if that's the case, you'll see a success message like the one below.

sql-page-ssl-03.png

Enforce SSL Using Site Settings

First, you'll need to navigate to the Site Settings for your website.  If you're on a DNN instance that has multiple websites in it, you must ensure that you are currently viewing the correct one using the correct domain name. The image below illustrates how to get to the Site Settings view.

enforce-ssl-01.png

Next, you'll want to go to the Advanced Settings tab, then expand the SSL Settings section.

enforce-ssl-02.png

Find the SSL settings shown below, and check them both to ensure the SSL is both enabled and it's enforced.  Once you do, click the Update button at the bottom of the page to save your changes.

enforce-ssl-03.png

Recycle/Restart Your Application

At this point, you've set all pages to be secure.  You've also enabled and chosen to enforce SSL to be used on all page requests.  Depending on the order and method(s) that you've used to get to this point, it may be necessary to restart your application to see these changes take their desired effect.

If you want to do this using your website, ensure you're still logged in as a superuser, then choose to Restart Application, as shown below.

recycle-website-01.png

There won't be any messages shown, but the website will attempt to reload.  This first page load will take longer than usual, and this is expected.  Once it reloads, all of your pages - including the current one - will load securely using SSL.

You can also do this using IIS or even a command prompt.  Those instructions are beyond the scope of this support article.  If you're a current support customer, we'd be happy to walk you through that via a support request.

Have more questions? Submit a request

Need More Help?

Do you need more assistance with this article? Please review your support options.