How To Add an SSL Certificate to your Web Server

Enhance the security of your website with an SSL certificate.

“If my doctor told me I had only six minutes to live, I wouldn’t brood. I’d type a little faster.” ― Isaac Asimov

1. Introduction

Do you currently run a web server? If so, you need to support HTTPS by adding an SSL (Secure Sockets Layer) certificate to your server. Not only is it good for the security of your customers, it is also good for your website’s positioning in Google (SEO).

In this article, we show you how to add an SSL certificate to a web server.

2. Preparation

We assume you have a server host on which a web server (such as Apache or NGINX) is already running, and you want to SSL-enable it. We also assume you can open a console to your web server and are capable and comfortable running Linux commands on the server as the root user.

First, you should install openssl on the server. You can use the version of openssl provided by your server distribution. For example, on Ubuntu, run the following command as root.

apt-get install openssl

3. Creating an RSA Private Key

The first step is to generate an RSA private key. The private key is used to sign the CSR (Certificate Signing Request), the document that lists the identifying information you want the certificate authority to authenticate. The CSR is generated from information you provide, signed with the private key, and sent to the SSL certificate provider.

It is recommended that you generate a new RSA key whenever you buy a new SSL certificate or renew an existing one.

Here is how you generate an RSA private key of 2048 bits. This key is not protected with a password, so you should physically safeguard it. One option is to copy it to a USB key, delete the key from the server, and keep the USB device somewhere safe.

openssl genrsa -out example.com.key 2048

To protect the private key with a password, you can use Triple-DES or IDEA encryption. The following command uses Triple-DES:

openssl genrsa -des3 -out example.com.key 2048

And if you want to use IDEA, do it as follows:

openssl genrsa -idea -out example.com.key 2048

If you encrypt the private key, current practice recommends 3DES for the encryption.

Note:

When you encrypt the private key, this means you will need to enter the password at server startup. This is slightly inconvenient. Imagine waking up at 3:00AM because the server rebooted and is waiting for the password! For this reason, you can skip encrypting the private key and protect it from theft by storing it securely. Or you can encrypt the key now and remove the encryption later (described below) when installing into the server.

4. Initializing the CSR (Certificate Signing Request)

The next step in the creation of an SSL certificate is to create a Certificate Signing Request. This is a request to the SSL issuer to issue a certificate, and it is signed using the RSA private key created above.

First, create an openssl config file in the format described below. This text file is provided as input to the openssl command and contains the parameters of the certificate you want signed. Enter a value for each of the following parameters, one per line (exact format below).

  • Country Name: the two-letter ISO country code, e.g. US or FR.
  • State or Province Name, in full, e.g. California or Florida.
  • Locality Name: the name of the city or town (or village, if you live in the boondocks), e.g. San Francisco.
  • Organization Name: the name of the company making the request. Enter “Individual” if you are requesting the certificate for yourself.
  • Organizational Unit Name: a unit or department name, if you have one, e.g. Web.
  • Common Name: the most important component of the request. Enter the domain name here, e.g. example.com or www.example.com. If you plan to redirect www.example.com to example.com, enter example.com; if you plan to redirect the other way, enter www.example.com. Pick one and stick with it.
  • Email Address: the address of someone responsible for the domain, such as your domain’s Tech Contact or Admin Contact, e.g. admin@example.com.
  • For the extra attributes, such as a challenge password or an optional company name, you can leave each one blank.

When you run the openssl command to generate a certificate request, it prompts you for these values on the console. You can enter the values directly in the console, but we recommend storing these values in a config file so you can re-use it if necessary.

Here is a sample config file which lists the above attributes. It should be in text format. (Of course, enter your own values for the parameters.)

example.com.conf:

[req]
distinguished_name = req_distinguished_name
prompt = no

[ req_distinguished_name ]
C = US
ST = CA
L = San Francisco
O = Example Company, Inc.
OU = Web
CN = www.example.com
emailAddress = admin@example.com

We shall now use this file along with the RSA private key (generated above) to create the CSR. If you used a password above to protect the private key, the following command will ask for it.

openssl req -new -key example.com.key -out example.com.csr -config example.com.conf

The CSR (example.com.csr) is generated as a PEM text block delimited by a -----BEGIN CERTIFICATE REQUEST----- line and an -----END CERTIFICATE REQUEST----- line, with the base64-encoded request in between.

Let us now verify that the CSR contains what we want it to contain, shall we? Run the following command and check the output.

openssl req -text -verify -in example.com.csr

Look for the Subject: line. It should show something like:

...
        Subject: C=US, ST=CA, L=San Francisco, O=Example Company, Inc., OU=Web, CN=www.example.com/emailAddress=admin@example.com
...

And this file, example.com.csr can be sent to the SSL certificate provider for generating the certificate.
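As an added example (not code from the original article), the following POSIX shell script carries out steps 3 and 4 end to end and adds the checks worth running before a CSR is sent off: that the request's own signature verifies, that its CN is the one you intended, and that its public key really belongs to the private key you generated. It assumes the openssl CLI is installed; the DN values and the work directory are constructed for the example.

```shell
#!/bin/sh
# Added example, not from the original article: build key + CSR from a
# non-interactive config, then check the CSR before sending it to the CA.
# All DN values and the work directory are constructed; needs the openssl CLI.
set -eu

WORKDIR="${WORKDIR:-$(mktemp -d)}"

# Write the non-interactive CSR config (prompt = no, same layout as the article).
write_csr_config() {
    cat > "$WORKDIR/example.com.conf" <<'EOF'
[req]
distinguished_name = req_distinguished_name
prompt = no

[ req_distinguished_name ]
C = US
ST = CA
L = San Francisco
O = Example Company, Inc.
OU = Web
CN = www.example.com
emailAddress = admin@example.com
EOF
}

# Generate the 2048-bit RSA key (unencrypted) and the CSR signed with it.
make_key_and_csr() {
    write_csr_config
    openssl genrsa -out "$WORKDIR/example.com.key" 2048 2>/dev/null
    openssl req -new -key "$WORKDIR/example.com.key" \
        -out "$WORKDIR/example.com.csr" -config "$WORKDIR/example.com.conf"
}

# Print the CSR's CN, the field a CA validates; RFC2253 output is version-stable.
csr_common_name() {
    openssl req -noout -subject -nameopt RFC2253 -in "$WORKDIR/example.com.csr" \
        | sed -n 's/.*CN=\([^,]*\).*/\1/p'
}

# Succeed only if the CSR's self-signature verifies AND its public key equals
# the one derived from our private key (catches a CSR made with the wrong key).
csr_matches_key() {
    openssl req -noout -verify -in "$WORKDIR/example.com.csr" >/dev/null 2>&1 || return 1
    csr_pub=$(openssl req -noout -pubkey -in "$WORKDIR/example.com.csr" | openssl sha256)
    key_pub=$(openssl pkey -pubout -in "$WORKDIR/example.com.key" | openssl sha256)
    [ "$csr_pub" = "$key_pub" ]
}

make_key_and_csr
```

Run it, then call csr_common_name and csr_matches_key from the same shell; a CSR that fails the key match was signed with a different key than the one you are about to install.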

5. CSR Verification

Once the SSL certificate provider receives the CSR, they will verify the information submitted in the request.

For Domain Validated certificates, this involves verifying that the requester (you) has control over the domain specified in the Common Name field. To accomplish this, they might ask you to place a file with a specific name at a particular URL on the server, or to click a link in an email sent to an address on that server.

An Extended Validation certificate is issued only after the provider conducts rigorous background checks on the company according to the guidelines laid out by the Certificate Authority/Browser (CA/B) Forum. Verification methods thus differ between the various kinds of certificates.

Once the verification is complete, you will receive your SSL certificate.

Review

In this article, we covered the basics of how to create an RSA key and a CSR (Certificate Signing Request) for obtaining an SSL certificate. The CSR must be sent to a certifying authority (such as an SSL certificate provider), which performs the verification and then sends you your certificate. In the next article, we cover how to install the certificate into your Apache or Nginx web server.
