Getting a Certificate for your Web Server


To communicate securely using SSL (also known as TLS, or Transport Layer Security), a web server needs a key pair consisting of a public and a private key. You can generate and sign this key pair yourself, but to prevent the web browser from asking “stupid” questions about the validity of the certificate, you must pay a company called a Certificate Authority (CA), such as Verisign, GeoTrust, or Thawte, for the added simplicity. That company will then verify that you are who you say you are (in theory, at least) and sign your public key with their certificate. Their certificate is already bundled with most browsers and is therefore trusted by default, which makes your newly signed certificate trusted as well.

In short, these are the steps needed to get and install a key pair whose certificate is signed by a certificate authority:

1. Create a public/private key pair
2. Create a Certificate Signing Request
3. Submit your Certificate Signing Request to your Certificate Authority
4. The CA will check your identity with a method they have chosen
5. The CA will give back your certificate signed with theirs
6. Copy the key file and the certificate file to your web server
7. Configure your web server to use the new certificate

A Real World Example

Now let’s go through the steps given above with a real example. I have OpenSSL, and specifically the openssl command line tool, installed on my machine, which is convenient because it is one of the best tools available for handling SSL/TLS keys and certificates. If you are running a typical Linux installation, you will most likely have it installed already.

1. Create a public/private key pair

The following command will create an RSA private key in the file specified, in this case koo.fi.key.

Remember that this file contains private information which must be kept secret. In fact, after completing step 2, the only one who should have even read access to the file is the web server daemon.

2. Create a Certificate Signing Request

Next we will use the openssl tool again to create the signing request, which will contain some information about us as well as the public key of the key pair. This time OpenSSL will ask us some questions about the owner of the certificate. This information should be as accurate as possible, but in most cases it doesn’t really matter what you write there. Usually the only field that has any meaning is the “Common Name” field, which must be the same as the domain name of your web server (www.yourdomain.com). Here we will use the common name koo.fi. The CSR will be written to the file koo.fi.csr.

3. Submit your Certificate Signing Request to your Certificate Authority

Now that we have one file for our private key and another one for the certificate signing request, it is time to pay a commercial CA a number of euros for signing our certificate.

I have been using RapidSSL.com, because they can provide me a widely accepted certificate cheaply and instantly. In fact, you don’t even have to speak to any service personnel, because the authentication telephone call is automated.

So click on the “BUY” button and answer all questions. When it is time to give the Certificate Signing Request, cut and paste the contents of your CSR file (_NOT_ the key file!).

4. The CA will check your identity with a method they have chosen

RapidSSL will give you an automated phone call. Follow the instructions.

5. The CA will give back your certificate signed with theirs

In a couple of minutes you will get an e-mail containing the certificate. Look for something like this:

Cut and paste that to a new file, mine was called koo.fi.crt. This file now contains the signed certificate.

6. Copy the key and the certificate to your web server

The next thing to do is to copy the key file and the signed certificate file (the one you got from your CA) to the web server, in a location where the web server will find them. I copied my certificate to:

And my private key to:

Then I changed the permissions like this:

7. Configure your web server to use the new certificate

The last step is, of course, to configure your web server to use the certificate. For Apache 2 you could add something like this to your configuration file:

What next?

The next step is, of course, running your own Certificate Authority. That is somewhat of an advanced topic, but perhaps you will see an article discussing it on this site later on.

Before you go, though, you really should try the following commands on your key, signing request and certificate files:

Those will give you a readable version of the contents. That can be really handy if you’re in a hurry and forgot which file was which.
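Steps 1 and 2 from the walkthrough, plus the inspection commands just mentioned, as one added shell example that is not part of the original post. It runs openssl non-interactively for koo.fi, locks the key file down the way step 6 calls for, and checks the CSR before it is sent to a CA; WORKDIR is an assumed scratch directory and the subject fields are made-up values.

```shell
#!/bin/sh
# Added example, not the post's own commands: steps 1 and 2 for koo.fi run
# non-interactively, the key file locked down as step 6 requires, and the
# inspection commands from "What next?". WORKDIR is an assumed scratch dir.
set -eu

WORKDIR="${WORKDIR:-$(mktemp -d)}"
DOMAIN="koo.fi"

# Step 1: RSA private key. umask 077 makes the file owner-only from creation,
# so there is no window in which the key is readable by other users.
make_key() {
    umask 077
    openssl genrsa -out "$WORKDIR/$DOMAIN.key" 2048 2>/dev/null
    chmod 600 "$WORKDIR/$DOMAIN.key"
}

# Step 2: CSR. -subj answers the questionnaire non-interactively; the CN must
# be the host name browsers will connect to. Only the .csr goes to the CA.
make_csr() {
    openssl req -new -key "$WORKDIR/$DOMAIN.key" \
        -subj "/C=FI/O=Example Org/CN=$DOMAIN" -out "$WORKDIR/$DOMAIN.csr"
}

# Checks worth running before pasting the CSR into the CA's order form.
csr_cn() {   # handles both "CN = koo.fi" and "/CN=koo.fi" subject styles
    openssl req -in "$WORKDIR/$DOMAIN.csr" -noout -subject | sed -n 's/.*CN *= *//p'
}

key_matches_csr() {   # the CSR must carry the public half of our private key
    k=$(openssl pkey -in "$WORKDIR/$DOMAIN.key" -pubout | openssl sha256)
    c=$(openssl req -in "$WORKDIR/$DOMAIN.csr" -pubkey -noout | openssl sha256)
    [ "$k" = "$c" ]
}

key_mode() {   # octal permission bits of the key file, e.g. 600
    stat -c '%a' "$WORKDIR/$DOMAIN.key" 2>/dev/null || stat -f '%Lp' "$WORKDIR/$DOMAIN.key"
}

# "What next?": readable dumps of key, CSR and (once the CA sends it) the cert.
show_all() {
    openssl rsa -in "$WORKDIR/$DOMAIN.key" -noout -text | head -n 1
    openssl req -in "$WORKDIR/$DOMAIN.csr" -noout -text | head -n 4
    if [ -f "$WORKDIR/$DOMAIN.crt" ]; then
        openssl x509 -in "$WORKDIR/$DOMAIN.crt" -noout -subject -issuer -dates
    fi
}

make_key && make_csr && show_all
```

If key_matches_csr fails, the CSR was built from a different key than the one you are about to install, which is the mistake the post warns about when it says to paste the CSR and not the key.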
