How to generate / request an SSL certificate

Generating an SSL certificate can be confusing if you've never done it before. Actually, it's confusing if you have done it before. Hopefully this should remind me how to do it in the future!

PLEASE NOTE: I am no expert on SSL, but this does the job for me.

I recently had to do this after the Debian security vulnerability affected one of my SSL certificates.

I currently get my SSL certificates through NameCheap for $10. They are re-sellers of RapidSSL and GeoTrust certificates. Mine is a RapidSSL.

Generate a private key and Certificate Signing Request

We need to generate an OpenSSL keypair and a Certificate Signing Request (CSR).

The keypair consists of two cryptographic keys: a public key and a private key. The public key is included in the CSR along with other applicant information such as name, company, etc. The private key is used to sign the CSR.

A CSR is what you send to your chosen Certificate Authority (CA) to request that they supply you with an SSL certificate. It includes your identifying information and the public key for your server/site.

Generate it like this.

# 2048-bit RSA key; CAs reject anything smaller
openssl req -new -newkey rsa:2048 -nodes -keyout example.key -out example.csr

You'll be prompted to enter information such as Common Name, Organisation, Country etc.

It should be fairly straightforward, but your CA will let you know if you've done it wrong, I'm sure.

This will create example.key (the private key) and example.csr (the CSR).
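
Before sending the CSR off, you can check locally that it is signed correctly, that it really belongs to the private key you are keeping, and that the key is large enough. The script below is an added example, not part of the original post; the function names, the subject fields, the temp directory and the 2048-bit minimum are assumptions made for the demo.

```shell
#!/bin/sh
# Added example: sanity-check a key/CSR pair before pasting the CSR into a CA form.
# File names, subject and the 2048-bit minimum are assumptions for this demo.

# SHA-256 of the public key embedded in a CSR.
csr_pubkey_hash() {
    openssl req -in "$1" -noout -pubkey | openssl sha256 | awk '{print $NF}'
}

# SHA-256 of the public half of a private key file.
key_pubkey_hash() {
    openssl pkey -in "$1" -pubout | openssl sha256 | awk '{print $NF}'
}

# True if the CSR's signature verifies against its own public key.
# The output is matched because older OpenSSL builds exit 0 even on failure.
csr_signature_ok() {
    openssl req -in "$1" -noout -verify 2>&1 | grep -q 'verify OK'
}

# Key size in bits as reported by "openssl req -text".
csr_key_bits() {
    openssl req -in "$1" -noout -text |
        sed -n 's/.*Public[- ]Key: (\([0-9]*\) bit).*/\1/p'
}

# usage: check_pair KEY CSR MIN_BITS
check_pair() {
    csr_signature_ok "$2" || { echo "CSR signature does not verify"; return 1; }
    [ "$(csr_pubkey_hash "$2")" = "$(key_pubkey_hash "$1")" ] ||
        { echo "CSR was not made from this key"; return 1; }
    [ "$(csr_key_bits "$2")" -ge "$3" ] ||
        { echo "key is smaller than $3 bits"; return 1; }
    echo "ok"
}

# Constructed sample: a throwaway key and CSR in a temp directory.
DEMO_DIR=$(mktemp -d)
openssl req -new -newkey rsa:2048 -nodes \
    -subj "/C=GB/O=Example Ltd/CN=www.example.com" \
    -keyout "$DEMO_DIR/example.key" -out "$DEMO_DIR/example.csr" 2>/dev/null
check_pair "$DEMO_DIR/example.key" "$DEMO_DIR/example.csr" 2048
```

To check your own files, call check_pair with the paths to your key and CSR in place of the demo ones.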

Requesting your certificate

This part should be easy. Normally your CA will have a form on their website which allows you to paste in your CSR. This obviously varies from company to company. Once you have given them your CSR, they will first ask you for money, and then generate your CRT file. Yay!

I'm only scratching the surface of SSL here. OpenSSL has a massive amount of options. There is much to learn.
