In the previous post How SSL works, we learned what the private key and the certificate are and how they can secure our website connection. Now it's time to get a pair. These are the steps needed:
1. Generate a private key
2. Generate a Certificate Signing Request (CSR)
3. Get a certificate
Currently, the easiest and most secure method to generate a private key and CSR is on a Linux machine. All you need is the openssl package. Run this command to ensure it's installed.
yum install openssl
Generate private key
The following command will generate a 2048-bit RSA private key and write it to a file named example.com.key.
openssl genrsa -out example.com.key 2048
Generate Certificate Signing Request (CSR)
The following command will create a file named example.com.csr containing your Certificate Signing Request using the key created in the previous step.
openssl req -new -sha256 -key example.com.key -out example.com.csr
During the file creation, you will be requested to enter some information. Here is an example:
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [XX]:US
State or Province Name (full name) []:New York
Locality Name (eg, city) [Default City]:New York City
Organization Name (eg, company) [Default Company Ltd]:My Company Ltd
Organizational Unit Name (eg, section) []:IT
Common Name (eg, your name or your server's hostname) []:www.example.com
Email Address []:email@example.com

Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:
An optional company name []:
The Common Name field is the place where you must enter the domain name you want to secure. The typical values are www.example.com and *.example.com.
When requested for a password just press enter to leave the field blank.
When created, this file will contain the public key and the information you've entered.
Get the certificate
If you plan to use the certificate only for development purposes, you can sign it yourself for free. These types of certificates trigger warnings in the browsers, so they are not a valid solution for public websites. The following command will generate a self-signed certificate in a file named example.com.crt that will be valid for 365 days.
openssl req -x509 -days 365 -in example.com.csr -key example.com.key -out example.com.crt
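The three steps above run non-interactively, as an added example that is not part of the original post, followed by the checks worth doing before a CSR leaves your machine: that the CSR's signature verifies, and that the key, the CSR and the self-signed certificate all carry the same RSA public key. It assumes the openssl command-line tool is on PATH; the domain and directory names are constructed.

```shell
#!/bin/sh
# Added example, not the original post's code. Assumes the openssl CLI is
# installed; "example.com" and the output directory are constructed values.
set -eu

# Steps 1-3: private key, CSR and a 365-day self-signed cert for domain $1 in $2.
gen_key_csr_cert() {
    domain="$1"; dir="$2"
    mkdir -p "$dir"
    openssl genrsa -out "$dir/$domain.key" 2048 2>/dev/null
    # -subj supplies the Distinguished Name the interactive prompts would ask for.
    openssl req -new -sha256 -key "$dir/$domain.key" -out "$dir/$domain.csr" \
        -subj "/C=US/ST=New York/L=New York City/O=My Company Ltd/OU=IT/CN=www.$domain"
    openssl req -x509 -days 365 -in "$dir/$domain.csr" -key "$dir/$domain.key" \
        -out "$dir/$domain.crt"
}

# Print the hex RSA modulus found in a key, CSR or certificate file.
rsa_modulus() {
    case "$1" in
        *.key) openssl rsa -noout -modulus -in "$1" ;;
        *.csr) openssl req -noout -modulus -in "$1" ;;
        *.crt) openssl x509 -noout -modulus -in "$1" ;;
        *) echo "unknown file type: $1" >&2; return 2 ;;
    esac
}

# Succeed only if the CSR's self-signature verifies and key, CSR and cert
# share one public key; a mismatch here means the CA would issue a
# certificate your server cannot use.
check_key_csr_cert() {
    domain="$1"; dir="$2"
    openssl req -noout -verify -in "$dir/$domain.csr" >/dev/null 2>&1 || return 1
    k=$(rsa_modulus "$dir/$domain.key")
    r=$(rsa_modulus "$dir/$domain.csr")
    c=$(rsa_modulus "$dir/$domain.crt")
    [ "$k" = "$r" ] && [ "$k" = "$c" ]
}

# Print the Common Name actually recorded in a CSR, for a last look before submitting it.
csr_common_name() {
    openssl req -noout -subject -in "$1" | sed 's/.*CN *= *//'
}
```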
If you need to secure a public website, you must find a Certificate Authority to issue (sign with their private key) a certificate that can be validated by the browsers. This is a paid service, and here are some popular authorities: NameCheap, Comodo, DigiCert. They all offer different validation options. The most common and cheapest one is the domain validation option. With this type of validation, you usually get a certificate within minutes, and all you must do is verify domain ownership.
Usually, these are the steps for domain-validation-only certificates:
1. You choose the certificate type (single domain, unlimited subdomains, etc.) and make a payment.
2. You fill in a small form with the domain name and the content of your CSR file.
3. They send you a confirmation email at one of the following email addresses: firstname.lastname@example.org, email@example.com or another address listed in the domain's WHOIS data.
4. You open the email and click a confirmation link.
5. Soon you receive another email containing your certificate and some other CA certificates, called intermediate certificates.
In the next post, we'll learn how to use the private key, the certificate, and the intermediate certificates to secure a website running on Apache.