
How to obtain an SSL certificate for your server

A common misconception is that a (web) server certificate can only be used for a web server. That is not true: the same "web server certificate" can secure and protect mail servers (SMTP, IMAP, POP3 over TLS), LDAP servers and more. What matters is that the host name in the certificate matches the name clients connect to.

This guide requires that you have OpenSSL installed on your computer. There are many ways to create certificates, and many of them are vendor-specific; Stronghold, for instance, ships its own tools for this. Most of them simply call the relevant openssl commands behind the scenes. If you are using Tomcat or another Java application, you will need to manage the keystore with keytool instead.

When you are done, you will have three files.

  • A key "frank.key". This is the private key, which you will want to protect at all costs. If it is lost, you must generate a new key and obtain a new certificate; if it is compromised, whoever holds it can impersonate your server, so have the certificate revoked and re-key immediately.
  • A certificate signing request "frank.csr". This is what you give to the Certificate Authority; they return a signed certificate.
  • A certificate "frank.crt", which contains your public key and your server's identity, signed by a Certificate Authority (CA).

Sometimes your certificate will need another certificate, called an intermediate certificate, added to it before clients will accept it. This means you concatenate them into one file: your own certificate first, then the intermediate(s). The CA's root certificate does not belong in that file; clients must already have it in their trust store, otherwise no chain will help.

Note that frank.csr is not really needed once you have received your signed certificate (keep it if you plan to renew with the same key). Also, you should replace "frank" with the host name of your server. If you want a user (S/MIME) certificate for email exchange, the "Common Name" is your name rather than a host name and the email address field must be filled in, the opposite of the server case below.

So without further ado, here are the steps.

  1. Generate your private key (KEY)

    openssl genrsa -out frank.key 2048

    Use at least 2048 bits: public CAs no longer sign 1024-bit keys, and 1024-bit RSA is within reach of a well-funded attacker. The command writes the key unencrypted, so restrict the file to the account that runs the server (chmod 600). If you would rather protect it with a passphrase, add -aes256, but then the server will ask for the passphrase at every start.

    For reference, here is what the (example) frank.key would look like. The sample is an older 1024-bit key; newer OpenSSL releases write "BEGIN PRIVATE KEY" (PKCS#8) instead of "BEGIN RSA PRIVATE KEY", and most current applications accept either form.
    -----BEGIN RSA PRIVATE KEY-----
    MIICXQIBAAKBgQCs9SWpThx33TD4gXYfNK/akss4fjs21K7VhTqIjMkMIYx6Hux7
    wN2ED7xbMnkxuXlToQcRqq+bUfVIrpb4B76bVEueXrYc7JSYb2C4+PkYHgL623PB
    (...edited for brevity...)
    BgDJKdxulZrj+nx+STcCQQCIk8J1YyR1AKD4HTOKrVE+a+DPk+OFXoyPmPpqaLqO
    0Ocwl8xVMh/pcbbRFpnNTt3n8sIO0fcTiUqUFUVL54+x
    -----END RSA PRIVATE KEY-----

  2. Generate your certificate signing request (CSR)

    openssl req -new -key frank.key -out frank.csr

    You will be asked for various information. Make sure to type the server's host name, e.g. www.example.com, when asked for the "Common Name". Leave the email address blank, and leave the optional "challenge password" blank as well. Be aware that modern browsers ignore the Common Name and only match the host name against the subjectAltName extension; a public CA will normally copy your Common Name into that extension, but if your server answers to several names (for example with and without "www"), tell the CA about all of them when you submit the request.

    For reference, here is what the (example) frank.csr would look like:

    -----BEGIN CERTIFICATE REQUEST-----
    MIIBqTCCARICAQAwaTELMAkGA1UEBhMCVVMxEzARBgNVBAgTCldhc2hpbmd0b24x
    EDAOBgNVBAcTB1NlYXR0bGUxDTALBgNVBAoTBFRlc3QxDTALBgNVBAsTBFRlc3Qx
    (...edited for brevity...)
    9TcY7meRquz/20ZSKw4jB6gMw+jV7nPAEgpgN+kw6D0WMDCoDoV9QwzL/GaAfqtB
    Jrys9jMFV6x5WX0bdixAUmdBarFF42mLAm3eHhlfAFF/eTew+DKTkKc7bK8M
    -----END CERTIFICATE REQUEST-----

  3. Obtain the certificate

    Now that you have the CSR, send it to one of the many certificate authorities (CAs); they will check that you control the host name and return a signed certificate. Choices include Credentia [2], VeriSign [1], Thawte [1], Geotrust [1], CAcert [2].

    [1] An advantage of using one of these established public CAs is browser recognition and the trust factor: their roots ship with browsers and operating systems, so clients need no extra configuration.
    [2] These alternative non-public CAs issue low-cost or free certificates, but their roots are not shipped with browsers, so users will see a warning unless the CA's certificate is loaded into the "Trusted Root Certificates" store on every client. Depending on your application (for example an internal service whose clients you control) this may be acceptable to you.

    A third option is to run your own private CA. Consider software like XCA, TinyCA or OpenCA to manage this function.

    One way or another you must end up with a certificate signed by someone your clients trust, which vouches for your identity to some degree. The certificate holds the public half of the key pair and can be published to anyone without any concern for compromise.

  4. Install the certificate

    Once you receive your certificate, rename it to frank.crt. If the CA also sent an intermediate certificate, append it after your own certificate in the same file, as described above. Copy frank.crt and frank.key to where your application can read them, keep frank.key readable by that application's account only, and configure the application to use them.

    Before calling it done, check three things: that the certificate was issued for the key you generated (the public key inside frank.crt must match the one inside frank.key; a mismatch is the usual cause of "key values mismatch" errors at start-up), that the host name clients use appears in the certificate, and, from another machine, that a TLS client sees a complete chain rather than an "unknown issuer" error.

    Congratulations! You have now secured your server.
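The four steps above, run end to end, as an added example that is not part of the original guide. Because a public CA cannot be scripted offline, a throw-away two-level private CA (a root plus an intermediate it signs) plays the CA's part, which also shows why the intermediate must be concatenated in step 4. The host name www.example.com, the scratch directory $WORK and the requirement for OpenSSL 1.1.1 or later (for -addext) are assumptions; the checks at the end are the ones step 4 asks for.

```shell
#!/bin/sh
# Added example, not code from the original guide: steps 1-4 against a
# throw-away private CA, then the checks worth running before deployment.
# Assumptions: host www.example.com, scratch dir $WORK, OpenSSL 1.1.1+.
set -eu

HOST="www.example.com"
WORK="${WORK:-$(mktemp -d)}"

# Step 1: private key. 2048-bit RSA, written unencrypted, so lock it down.
gen_key() {
  openssl genrsa -out "$WORK/$HOST.key" 2048 2>/dev/null
  chmod 600 "$WORK/$HOST.key"
}

# Step 2: CSR. CN carries the host name, but browsers only match
# subjectAltName, so ask for it explicitly. No email address.
gen_csr() {
  openssl req -new -key "$WORK/$HOST.key" -out "$WORK/$HOST.csr" \
    -subj "/C=US/ST=Washington/L=Seattle/O=Test/CN=$HOST" \
    -addext "subjectAltName=DNS:$HOST"
}

# Step 3: obtain the certificate. A public CA does this for real; here a
# self-signed root and an intermediate it signs stand in (this is also how
# "run your own private CA" begins).
make_ca() {
  openssl req -x509 -newkey rsa:2048 -nodes -days 3650 -sha256 \
    -keyout "$WORK/root.key" -out "$WORK/root.crt" \
    -subj "/O=Test/CN=Example Private Root CA" 2>/dev/null
  openssl req -new -newkey rsa:2048 -nodes -keyout "$WORK/inter.key" \
    -out "$WORK/inter.csr" -subj "/O=Test/CN=Example Intermediate CA" 2>/dev/null
  printf 'basicConstraints=critical,CA:TRUE,pathlen:0\nkeyUsage=critical,keyCertSign,cRLSign\n' \
    > "$WORK/inter.ext"
  openssl x509 -req -in "$WORK/inter.csr" -CA "$WORK/root.crt" -CAkey "$WORK/root.key" \
    -CAcreateserial -days 1825 -sha256 -extfile "$WORK/inter.ext" \
    -out "$WORK/inter.crt" 2>/dev/null
}

sign_csr() {
  # Extensions are not copied from the CSR; the issuing CA decides what goes in.
  printf 'basicConstraints=CA:FALSE\nkeyUsage=digitalSignature,keyEncipherment\nextendedKeyUsage=serverAuth\nsubjectAltName=DNS:%s\n' \
    "$HOST" > "$WORK/server.ext"
  openssl x509 -req -in "$WORK/$HOST.csr" -CA "$WORK/inter.crt" -CAkey "$WORK/inter.key" \
    -CAcreateserial -days 365 -sha256 -extfile "$WORK/server.ext" \
    -out "$WORK/$HOST.crt" 2>/dev/null
}

# Step 4: install. Chain file as most servers want it: server certificate
# first, then the intermediate. The root is left out; clients already trust it.
build_chain() {
  cat "$WORK/$HOST.crt" "$WORK/inter.crt" > "$WORK/$HOST.chain.crt"
}

# Check 1: key and certificate belong together (identical public key).
key_matches_cert() {
  k=$(openssl pkey -in "$WORK/$HOST.key" -pubout -outform DER | openssl dgst -sha256)
  c=$(openssl x509 -in "$WORK/$HOST.crt" -noout -pubkey |
      openssl pkey -pubin -pubout -outform DER | openssl dgst -sha256)
  [ "$k" = "$c" ]
}

# Check 2: the served chain validates up to the root AND covers the name
# clients will type ($1). Fails for a name the SAN does not list.
verify_server_cert() {
  openssl verify -CAfile "$WORK/root.crt" -untrusted "$WORK/$HOST.chain.crt" \
    -verify_hostname "$1" "$WORK/$HOST.crt" >/dev/null 2>&1
}

# Check 3: what a client sees when the intermediate was forgotten. Must fail.
verify_without_intermediate() {
  openssl verify -CAfile "$WORK/root.crt" "$WORK/$HOST.crt" >/dev/null 2>&1
}

run_all() {
  gen_key; gen_csr; make_ca; sign_csr; build_chain
}

run_all
key_matches_cert             || { echo "key/cert mismatch" >&2; exit 1; }
verify_server_cert "$HOST"   || { echo "chain does not verify for $HOST" >&2; exit 1; }
! verify_without_intermediate || { echo "verified without intermediate?!" >&2; exit 1; }
echo "OK: deploy $WORK/$HOST.key and $WORK/$HOST.chain.crt"
```

With a real CA, replace make_ca and sign_csr by submitting frank.csr and saving what comes back as the server certificate and intermediate; the three checks stay the same, with -CAfile pointing at the CA's published root. Check 3 is the one that catches the "works in my browser, fails on the phone" class of chain problems: desktop browsers often fetch or cache a missing intermediate, other clients do not.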
