Monday, March 18, 2013

How do I get and install a trusted SSL cert on a linux machine?

It starts with understanding the basic pieces of the puzzle.

In SSL there's a concept of a "key pair". A "key pair" is composed of a "private key" and a matching public key; the public key is what gets packaged into a "certificate signing request".

So, to get started, you need to create a private key. Yup, it's all you and it's as simple as running a single command. The private key is created via:
openssl genrsa -out www.yourdomain-example.com.key 2048
Then, after you've created your private key, you can proceed to creating your certificate signing request. Your "CSR" is created via:
openssl req -new -key www.yourdomain-example.com.key -out www.yourdomain-example.com.csr
This is the point in the process where you fill in the info about your company that will end up in your SSL cert. You can read the following article if you have questions about what to enter for each prompt: https://knowledge.geotrust.com/support/knowledge-base/index?page=content&id=AR876

A public/private key pair has now been created. The private key (www.yourdomain-example.com.key) is stored locally on the server machine and is used for decryption. The public portion, in the form of a Certificate Signing Request (www.yourdomain-example.com.csr), will be used for certificate enrollment. System admins need to submit their www.yourdomain-example.com.csr files to a "trusted" signing authority such as VeriSign or GeoTrust. The trusted source will then respond with a signed certificate, the "public key" half of the pair now vouched for by the authority. Information encrypted with a public key can only be decrypted with the corresponding private key, and vice-versa.

Okay cool, that makes sense and all, but I've heard that intermediate certificates are involved too… What gives? Well, first things first, we should establish the purpose of an intermediate certificate. The purpose of an intermediate certificate is to provide maximum browser and server coverage to ensure visitors won't receive "invalid SSL" warnings when they visit your site. The "trusted source's" intermediate certificate bundle "chains" your SSL certificate to their trusted root certificates, letting your certificate secure connections with older browsers that might have only an old root certificate installed. So yes, you should be getting an intermediate certificate from your chosen certificate signing authority.
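As an added example (not part of the original post, and not the CA's or any web server's own tooling), here is a shell script that runs the two commands above non-interactively, checks that the CSR really belongs to the private key before you submit it, and then builds a small root/intermediate hierarchy to show why the intermediate bundle matters. The domain, the DN fields, the "Example Toy Root CA" and "Example Toy Intermediate CA" names, and the function names are all constructed placeholders; a real certificate comes from the signing authority you send the CSR to.

```shell
#!/bin/sh
# Added example, not from the original post. Needs the openssl CLI.
# 1) generate key + CSR non-interactively, 2) prove the CSR matches the key,
# 3) build a constructed toy root -> intermediate -> server chain and show that
#    verification only succeeds when the intermediate is supplied.
set -eu

DOMAIN="www.yourdomain-example.com"   # placeholder name used in the post

# Step 1: the same two commands as the post, with -subj so no prompts appear.
# The DN fields are placeholders; use your real company details.
make_key_and_csr() {
  dir="$1"
  openssl genrsa -out "$dir/$DOMAIN.key" 2048 2>/dev/null
  chmod 600 "$dir/$DOMAIN.key"          # the private key never leaves this box
  openssl req -new -key "$dir/$DOMAIN.key" -out "$dir/$DOMAIN.csr" \
    -subj "/C=US/ST=State/L=City/O=Example Org/CN=$DOMAIN"
}

# Step 2: before submitting, confirm the CSR is self-consistent and that its
# public key is the one belonging to the private key (same RSA modulus).
check_csr_matches_key() {
  dir="$1"
  openssl req -in "$dir/$DOMAIN.csr" -noout -verify >/dev/null 2>&1 || return 1
  k=$(openssl rsa -in "$dir/$DOMAIN.key" -noout -modulus | openssl dgst -sha256)
  c=$(openssl req -in "$dir/$DOMAIN.csr" -noout -modulus | openssl dgst -sha256)
  [ "$k" = "$c" ]
}

# Step 3: a constructed toy CA hierarchy standing in for VeriSign/GeoTrust.
# Only a certificate carrying CA:TRUE may sign other certificates.
build_toy_chain() {
  dir="$1"
  printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign,cRLSign\n' \
    > "$dir/ca.ext"
  # Self-signed root (the kind of cert browsers ship in their trust stores).
  openssl req -new -newkey rsa:2048 -nodes -keyout "$dir/root.key" \
    -out "$dir/root.csr" -subj "/CN=Example Toy Root CA" 2>/dev/null
  openssl x509 -req -in "$dir/root.csr" -signkey "$dir/root.key" \
    -out "$dir/root.pem" -days 3650 -extfile "$dir/ca.ext" 2>/dev/null
  # Intermediate, signed by the root.
  openssl req -new -newkey rsa:2048 -nodes -keyout "$dir/int.key" \
    -out "$dir/int.csr" -subj "/CN=Example Toy Intermediate CA" 2>/dev/null
  openssl x509 -req -in "$dir/int.csr" -CA "$dir/root.pem" -CAkey "$dir/root.key" \
    -CAcreateserial -out "$dir/int.pem" -days 1825 -extfile "$dir/ca.ext" 2>/dev/null
  # Server certificate: the intermediate signs the CSR from step 1.
  openssl x509 -req -in "$dir/$DOMAIN.csr" -CA "$dir/int.pem" -CAkey "$dir/int.key" \
    -CAcreateserial -out "$dir/$DOMAIN.crt" -days 365 2>/dev/null
  # What the web server must serve: leaf first, then the intermediate bundle.
  cat "$dir/$DOMAIN.crt" "$dir/int.pem" > "$dir/$DOMAIN.chain.pem"
}

# Simulates a visitor's browser that trusts only the root.
# Returns 0 when the chain verifies with the intermediate and fails without it.
verify_chain() {
  dir="$1"
  openssl verify -CAfile "$dir/root.pem" -untrusted "$dir/int.pem" \
    "$dir/$DOMAIN.crt" >/dev/null 2>&1 || return 1
  # Without the intermediate the leaf cannot be chained to the root: this is
  # the "invalid SSL" warning the post talks about.
  if openssl verify -CAfile "$dir/root.pem" "$dir/$DOMAIN.crt" >/dev/null 2>&1; then
    return 1
  fi
  return 0
}

run_demo() {
  dir=$(mktemp -d)
  make_key_and_csr "$dir"
  check_csr_matches_key "$dir"
  echo "CSR matches private key"
  build_toy_chain "$dir"
  verify_chain "$dir"
  echo "chain verifies only when the intermediate is present"
  openssl x509 -in "$dir/$DOMAIN.crt" -noout -subject -issuer
  rm -rf "$dir"
}

run_demo
```

The file it ends up with, `www.yourdomain-example.com.chain.pem`, is the shape of thing you point nginx's `ssl_certificate` at; Apache takes the leaf in `SSLCertificateFile` and the intermediate bundle in `SSLCertificateChainFile`. The second `openssl verify` call is the useful habit: run it against your real leaf with only the public root as `-CAfile` and no `-untrusted`, and if it fails, the intermediate is not being served and some visitors will get the warning.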

Installation of the cert depends on your web server software. Check out the following GoDaddy support article, which does a great job of describing how to install the cert for whichever web server software you're working with: http://support.godaddy.com/help/article/5346/installing-an-ssl-server-instructions?locale=en

About Me

I code. I figured I should start a blog that keeps track of the many questions and answers that are asked and answered along the way. The name of my blog is "One Q, One A". The name describes the format. When searching for an answer to a problem, I typically have to visit more than one site to get enough information to solve the issue at hand. I always end up on stackoverflow.com, quora.com, random blogs, etc before the answer is obtained. In my blog, each post will consist of one question and one answer. All the noise encountered along the way will be omitted.