I often have to work with SSL Certificates on behalf of my clients – advising on which to purchase, generating keys and certificate signing requests (CSRs), installing the certificates and trying to figure out what on earth I’m meant to be doing with the CA bundles. So I decided that, for the benefit of humankind (or at least any frustrated sysadmins that happen to stumble across this blog) I’d go through the process step by step. Please not that these are the steps that have worked for me, but server environments can vary so I’m not guaranteeing this will work for everyone.
- ‘Essential Security’ certificates are the cheapest you’ll find and, while they let you have legitimate HTTPS traffic, they aren’t great for security. There are little or no checks done against the site and they are usually signed by the guys you buy them from, rather than a trusted authority.
- ‘Trusted’ certificates generally have extra checks and are signed by a trusted authority such as Verisign, Comodo or GlobalSign
- ‘Extra Authentication’ certificates will usually include checks on the business registering the certificate, which will give customers greater confidence in the site.
- ‘Extended Validation’ or EV certificates have checks that follow the most rigorous guidelines, and will allow the browser to show a green address bar, along with the standard padlock symbol.
The following is information on creating keys and certificate signing requests with openssl under linux.
Generating a Key
openssl genrsa -des3 -out www.johnmain.co.uk.key 2048
Omit the ‘-des3′ flag if you don’t want to include a passphrase. Passphrases are worth having if you think anyone else might gain access to your certificate files, but my feeling is that on a secure server with tight access control, there is little danger in leaving it out. If anyone can gain access to your server to access these files then you have much bigger problems to deal with!
Your keys should always be at least 2048 bits long for maximum security. If an authority asks for less then I’d be very cautious about using them.
Generating a Certificate Signing Request (CSR)
openssl req -new -key www.johnmain.co.uk.key -out www.johnmain.co.uk.csr
This command will prompt you to provide the following information:
- Country Name (2 letter code)
- State or Province Name (full name)
- Locality Name (eg, city)
- Organization Name (eg, company) – This is very important if you want extra checks or extended validation
- Organizational Unit Name – This can be left blank
- Common Name – This is the full domain name the certificate will be used for (without the https:// bit) e.g. www.johnmain.co.uk
- Email Address – Leave blank
- A challenge password – Leave blank
- An optional company name – Leave blank
Now you’ll have your CSR ready to go. You can run the following command to double-check that you’ve entered the correct information:
openssl req -noout -text -in www.johnmain.co.uk.csr
Installing the Certificate
You’ll find a lot of long-winded and technical descriptions of installation procedures online, but assuming the certificate is right, it’s just a case of putting it, your CA bundle and your key in the right place and then editing your vhost configuration file to attach them to your domain. For example, under Apache, if your certificates live in /etc/ssl/certs and your keys live in /etc/ssl/private you would need to add the following to your vhost configuration:
SSLEngine on SSLCertificateFile /etc/ssl/certs/www.johnmain.co.uk.crt SSLCertificateKeyFile /etc/ssl/private/www.johnmain.co.uk.key SSLCertificateChainFile /etc/ssl/certs/www.johnmain.co.uk.ca-bundle
Your vhost configuration will likely be under /etc/apache2/sites-enabled or /etc/httpd/conf/extra or within the main httpd.conf file.
The CA bundle should be provided along with your certificate, or alternatively your provider might have a standard one available via their website. You don’t really need to worry about what they are, so long as you can obtain a copy and install as above.
Once the installation is complete you should be able to restart your webserver and see the SSL certificate working its magic on your site.