Install SSL Certificates
In this guide I will be using ssls.com certificate vendor which uses Comodo (Sectigo) as the Certificate Authority. I will use
acme.com as the sample domain.
In this process there can be up to five files that are used to get us there:
.well-known/pki-validation/RANDOMSTRING.txt acme_com.pem OR acme_com.key acme_com.csr acme_com.crt acme_com.ca-bundle
1. Purchase SSL Certificate
Using ssls.com as an example create an account and purchase an SSL certificate fitting your domain needs.
They generally fall into 1 of 3 categories:
- Single Domain certificates
- Wildcard Domain certificates
- Multi-Domain certificates
Purchasing an Extended Validation (EV) Certificate will give you the green bar in the browser url. The catch is you have to prove you are the legal entity of the domain being certified. This involves verification by the Certificate Authority to establish the business is legitimate, has control over the domain and get legal documents signed by any developer requesting the certificate on behalf of the owner.
It's a PIA, so just do simple SSL if you can.
2. Generate the Private Key and CSR Files
In the case of ssls.com purchases you will continue and move into their Activation process. You will provide the domains it will be activated against. In this example
From here you can generate the private key two ways: in browser or on the server (or command line).
In Browser Key Generation
Provider ssls.com can generate your private key for you within the browser (it is not generated on their servers). You can download the .zip file that contains only a
.key file that is the private key you will need on your server.
Server Key Generation (Recommended)
Optionally and usually required by a lot of other vendors is to generate your private key file on the server. This can be done using one of the commands below.
It will produce two files: the private key file you should not share, and a CSR file you will provide the vendor which will be given to the Certificate Authority to generate your SSL Certificate.
I recommend this method so we have the key-pair used to generate the SSL certificate. Using the browser only method does not provide us with the CSR given to the Certificate Authority.
We may be able to regenerate it but I am not sure of the commands to do that.
Recommended: OpenSSL RSA
openssl req -new -newkey rsa:2048 -nodes -keyout acme_com.pem -out acme_com.csr -subj /CN=acme.com
Generating a 2048 bit RSA private key ...................................................................................................................................+++ ........................+++ # produces two files: acme_com.csr acme_com.pem
Other Method: OpenSSL ECC
openssl ecparam -genkey -name secp384r1 | openssl ec -out acme_com.key; openssl req -new -key acme_com.key -out acme_com.csr -subj /CN=acme.com
Other Method: Windows RSA
echo [NewRequest] > acme_com.inf echo Subject = "CN=acme.com" >> acme_com.inf echo KeyAlgorithm = ECDSA_P384 >> acme_com.inf echo Exportable = TRUE >> acme_com.inf echo MachineKeySet = TRUE >> acme_com.inf echo SMIME = False >> acme_com.inf echo PrivateKeyArchive = FALSE >> acme_com.inf echo UserProtected = FALSE >> acme_com.inf echo UseExistingKeySet = FALSE >> acme_com.inf echo ProviderName = "Microsoft Software Key Storage Provider" >> acme_com.inf echo ProviderType = 12 >> acme_com.inf echo RequestType = PKCS10 >> acme_com.inf echo KeyUsage = 0xa0 >> acme_com.inf echo HashAlgorithm = sha256 >> acme_com.inf cmd /c "certreq -new acme_com.inf acme_com.csr type acme_com.csr
Other Method: Windows ECC
echo [NewRequest] > acme_com.inf echo Subject = "CN=acme.com" >> acme_com.inf echo KeySpec = 1 >> acme_com.inf echo KeyLength = 2048 >> acme_com.inf echo Exportable = TRUE >> acme_com.inf echo MachineKeySet = TRUE >> acme_com.inf echo SMIME = False >> acme_com.inf echo PrivateKeyArchive = FALSE >> acme_com.inf echo UserProtected = FALSE >> acme_com.inf echo UseExistingKeySet = FALSE >> acme_com.inf echo ProviderName = "Microsoft RSA SChannel Cryptographic Provider >> acme_com.inf echo ProviderType = 12 >> acme_com.inf echo RequestType = PKCS10 >> acme_com.inf echo KeyUsage = 0xa0 >> acme_com.inf echo HashAlgorithm = sha256 >> acme_com.inf cmd /c "certreq -new acme_com.inf acme_com.csr type acme_com.csr
Question: What is the PEM or Private Key File?
The generated private key file is used on the server when receiving requests over HTTPS. It uses this in conjunction with the keys of the Certificate Authority and the connecting client to encrypt and decrypt data.
Do not provide this to others. If it gets out it is a security risk.
Question: What is the CSR File?
Known as a Certificate Signing Request file, this file contains the public key generated by the server that connects to the generated private key. It also contains information about the country, organization and other details.
This CSR file and the Private Key file are the key-pair.
This file is given to the Certificate Authority. The Certificate Authority uses this CSR file to create the SSL Certificate.
The CSR only works with its partner private key. If either is lost the other is not usable.
You can decode a CSR file with
openssl req -in acme_com.csr -noout -textto see whats inside.
3. Validate Domain Ownership/Access
Provider ssls.com and its Certificate Authority Comodo requires that the domain be validated that you have access to it. You can do this through one of three ways:
- Upload a validation file to the server hosting the domain being certified
- Validate through an email attached to the whois of the domain
- Validate with DNS (requires communication with ssls customer service)
We opt for validation files because we usually host the site.
A validation file will be generated that you can download. It will be requested this be put in a web-accessible location hosting the domain:
Example of the file provided was:
The contents of the file is:
159BD060C57270FDB2D4B92AF7EA16AFD13135CEA4CC0E7B6B7F7BD90B5A3DA4 comodoca.com 5c83b351e04d8
Follow the provided instructions, but it will likely be to place the file at this location:
So that it is accessible via HTTP at
4. Retrieve Certificate Files
Once the domain has been validated the Certificate Files will be emailed to the email provided in the activation process. This email contains a zip with the following files:
Upload these to the server hosting the website.
Question: What is the crt file?
The .crt file provided by the Certificate Authority is the SSL certificate that will be used to establish the HTTPS connection. This file is provided to the browser and contains the public key and Certificate Authority information such as the CA's signature.
Question: What is the ca-bundle file?
The bundle file contains the root Certificate Authority certificate and all intermediate certificates. A root certificate is usually embedded in browsers and other tools that establish HTTPS connections. These devices trust the CA certificates embedded in them and thats how the trust is established with your end user CRT file. The Root Certificate and the Intermediate Certificates form the Chain of Trust.
Intermediate certificates act as a stand in for Root certificates. If there was a security event related to the generation of a certificate the private key of the Root CA would be distrusted. So CA's insulate themselves from end user certificates by signing Intermediate Certificates which then sign end user certificates.
This bundle file is that chain of it being signed so that a browser can trace the certificate signing back to a trusted Root CA stored within it.
It is possible that the certificate chain of root to intermediates is not bundled for you. In this case you need to bundle them by appending them to a single file in the proper order.
- Certificate for your domain name should go first
- Intermediate certificates should follow it
- Last certificate in the chain should be the root one
cat acme_com.crt intermediate.crt root.crt > acme_com.ca-bundle
5. Install Certificates and enable SSL connections (Apache)
Once we have our private key file (.pem or .key), the certificate file (.crt) and the bundle file (.ca-bundle) we can get the HTTPS connections established in Apache.
Enable the SSL Module
Usually its not been enabled so you can enable it easily enough by:
$ sudo a2enmod ssl $ sudo service apache2 restart
Update the Virtual Hosts
Here is an example Virual Host file that would be used to redirect all HTTP traffic to HTTPS and allow for HTTPS traffic:
<VirtualHost *:80> ServerName acme.com ServerAlias www.acme.com Redirect 301 / https://www.acme.com/ </VirtualHost> <VirtualHost *:443> ServerName www.acme.com ServerAlias acme.com DocumentRoot /home/wwwgeneral/sites/acme_website SSLEngine on SSLCertificateFile /home/wwwgeneral/acme_com.crt SSLCertificateKeyFile /home/wwwgeneral/acme_com.pem SSLCertificateChainFile /home/wwwgeneral/acme_com.ca-bundle <Directory /home/wwwgeneral/sites/acme_website> Options -Indexes +FollowSymLinks +MultiViews AllowOverride All Require all granted </Directory> </VirtualHost>
Test and restart apache:
$ sudo apachectl configtest $ sudo service apache2 restart
- SSLCertificateFile is the certificate file given to use by the Certificate Authority
- SSLCertificateKeyFile is our private key file
- SSLCertificateChainFile is the bundle chain file (this has been deprecated in Apache > 2.4.8
- Apparently Apache version 2.4.8 and greater deprecates the SSLCertificateChainFile
- I think you can combine the bundle file and the crt file into one file and serve it under SSLCertificateFile
cat domain.crt domain-ca.crt > bundle.crt
- I avoid this as long as the SSLCertificateChainFile still works