Jordan Savant # Software Engineer

Install SSL Certificates

In this guide I will be using ssls.com certificate vendor which uses Comodo (Sectigo) as the Certificate Authority. I will use acme.com as the sample domain.

In this process there can be up to five files that are used to get us there:

.well-known/pki-validation/RANDOMSTRING.txt
acme_com.pem OR acme_com.key
acme_com.csr
acme_com.crt
acme_com.ca-bundle

1. Purchase SSL Certificate

Using ssls.com as an example create an account and purchase an SSL certificate fitting your domain needs.

They generally fall into 1 of 3 categories:

  • Single Domain certificates
  • Wildcard Domain certificates
  • Multi-Domain certificates

Purchasing an Extended Validation (EV) Certificate will give you the green bar in the browser url. The catch is you have to prove you are the legal entity of the domain being certified. This involves verification by the Certificate Authority to establish the business is legitimate, has control over the domain and get legal documents signed by any developer requesting the certificate on behalf of the owner.

It's a PIA, so just do simple SSL if you can.

2. Generate the Private Key and CSR Files

In the case of ssls.com purchases you will continue and move into their Activation process. You will provide the domains it will be activated against. In this example acme.com and www.acme.com.

From here you can generate the private key two ways: in browser or on the server (or command line).

In Browser Key Generation

Provider ssls.com can generate your private key for you within the browser (it is not generated on their servers). You can download the .zip file that contains only a .key file that is the private key you will need on your server.

Server Key Generation (Recommended)

Optionally and usually required by a lot of other vendors is to generate your private key file on the server. This can be done using one of the commands below.

It will produce two files: the private key file you should not share, and a CSR file you will provide the vendor which will be given to the Certificate Authority to generate your SSL Certificate.

I recommend this method so we have the key-pair used to generate the SSL certificate. Using the browser only method does not provide us with the CSR given to the Certificate Authority.

We may be able to regenerate it but I am not sure of the commands to do that.

Recommended: OpenSSL RSA

openssl req -new -newkey rsa:2048 -nodes -keyout acme_com.pem -out acme_com.csr -subj /CN=acme.com

Generating a 2048 bit RSA private key
...................................................................................................................................+++
........................+++
# produces two files:
acme_com.csr
acme_com.pem

Other Method: OpenSSL ECC

openssl ecparam -genkey -name secp384r1 | openssl ec -out acme_com.key; openssl req -new -key acme_com.key -out acme_com.csr -subj /CN=acme.com


Other Method: Windows RSA

echo [NewRequest] > acme_com.inf
echo Subject = "CN=acme.com" >> acme_com.inf
echo KeyAlgorithm = ECDSA_P384 >> acme_com.inf
echo Exportable = TRUE >> acme_com.inf
echo MachineKeySet = TRUE >> acme_com.inf
echo SMIME = False >> acme_com.inf
echo PrivateKeyArchive = FALSE >> acme_com.inf
echo UserProtected = FALSE >> acme_com.inf
echo UseExistingKeySet = FALSE >> acme_com.inf
echo ProviderName = "Microsoft Software Key Storage Provider" >> acme_com.inf
echo ProviderType = 12 >> acme_com.inf
echo RequestType = PKCS10 >> acme_com.inf
echo KeyUsage = 0xa0 >> acme_com.inf
echo HashAlgorithm = sha256 >> acme_com.inf
cmd /c "certreq -new acme_com.inf acme_com.csr
type acme_com.csr

Other Method: Windows ECC

echo [NewRequest] > acme_com.inf
echo Subject = "CN=acme.com" >> acme_com.inf
echo KeySpec = 1 >> acme_com.inf
echo KeyLength = 2048 >> acme_com.inf
echo Exportable = TRUE >> acme_com.inf
echo MachineKeySet = TRUE >> acme_com.inf
echo SMIME = False >> acme_com.inf
echo PrivateKeyArchive = FALSE >> acme_com.inf
echo UserProtected = FALSE >> acme_com.inf
echo UseExistingKeySet = FALSE >> acme_com.inf
echo ProviderName = "Microsoft RSA SChannel Cryptographic Provider >> acme_com.inf
echo ProviderType = 12 >> acme_com.inf
echo RequestType = PKCS10 >> acme_com.inf
echo KeyUsage = 0xa0 >> acme_com.inf
echo HashAlgorithm = sha256 >> acme_com.inf
cmd /c "certreq -new acme_com.inf acme_com.csr
type acme_com.csr

Question: What is the PEM or Private Key File?

The generated private key file is used on the server when receiving requests over HTTPS. It uses this in conjunction with the keys of the Certificate Authority and the connecting client to encrypt and decrypt data.

Do not provide this to others. If it gets out it is a security risk.

Question: What is the CSR File?

Known as a Certificate Signing Request file, this file contains the public key generated by the server that connects to the generated private key. It also contains information about the country, organization and other details.

This CSR file and the Private Key file are the key-pair.

This file is given to the Certificate Authority. The Certificate Authority uses this CSR file to create the SSL Certificate.

The CSR only works with its partner private key. If either is lost the other is not usable.

You can decode a CSR file with openssl req -in acme_com.csr -noout -text to see whats inside.

3. Validate Domain Ownership/Access

Provider ssls.com and its Certificate Authority Comodo requires that the domain be validated that you have access to it. You can do this through one of three ways:

  • Upload a validation file to the server hosting the domain being certified
  • Validate through an email attached to the whois of the domain
  • Validate with DNS (requires communication with ssls customer service)

We opt for validation files because we usually host the site.

Upload Validation

A validation file will be generated that you can download. It will be requested this be put in a web-accessible location hosting the domain:

Example of the file provided was: 2FAEBAABE6C2064409AD40931BEC78C1.txt

The contents of the file is: 159BD060C57270FDB2D4B92AF7EA16AFD13135CEA4CC0E7B6B7F7BD90B5A3DA4 comodoca.com 5c83b351e04d8

Follow the provided instructions, but it will likely be to place the file at this location:

.well-known/pki-validation/2FAEBAABE6C2064409AD40931BEC78C1.txt

So that it is accessible via HTTP at

http://acme.com/.well-known/pki-validation/2FAEBAABE6C2064409AD40931BEC78C1.txt

4. Retrieve Certificate Files

Once the domain has been validated the Certificate Files will be emailed to the email provided in the activation process. This email contains a zip with the following files:

acme_com.ca-bundle
acme_com.crt

Upload these to the server hosting the website.

Question: What is the crt file?

The .crt file provided by the Certificate Authority is the SSL certificate that will be used to establish the HTTPS connection. This file is provided to the browser and contains the public key and Certificate Authority information such as the CA's signature.

Question: What is the ca-bundle file?

The bundle file contains the root Certificate Authority certificate and all intermediate certificates. A root certificate is usually embedded in browsers and other tools that establish HTTPS connections. These devices trust the CA certificates embedded in them and thats how the trust is established with your end user CRT file. The Root Certificate and the Intermediate Certificates form the Chain of Trust.

Intermediate certificates act as a stand in for Root certificates. If there was a security event related to the generation of a certificate the private key of the Root CA would be distrusted. So CA's insulate themselves from end user certificates by signing Intermediate Certificates which then sign end user certificates.

This bundle file is that chain of it being signed so that a browser can trace the certificate signing back to a trusted Root CA stored within it.

It is possible that the certificate chain of root to intermediates is not bundled for you. In this case you need to bundle them by appending them to a single file in the proper order.

  • Certificate for your domain name should go first
  • Intermediate certificates should follow it
  • Last certificate in the chain should be the root one
  • e.g. cat acme_com.crt intermediate.crt root.crt > acme_com.ca-bundle

5. Install Certificates and enable SSL connections (Apache)

Once we have our private key file (.pem or .key), the certificate file (.crt) and the bundle file (.ca-bundle) we can get the HTTPS connections established in Apache.

Enable the SSL Module

Usually its not been enabled so you can enable it easily enough by:

$ sudo a2enmod ssl
$ sudo service apache2 restart

Update the Virtual Hosts

Here is an example Virual Host file that would be used to redirect all HTTP traffic to HTTPS and allow for HTTPS traffic:

<VirtualHost *:80>
    ServerName  acme.com
    ServerAlias www.acme.com
    Redirect 301 / https://www.acme.com/
</VirtualHost>
<VirtualHost *:443>
    ServerName www.acme.com
    ServerAlias acme.com

    DocumentRoot /home/wwwgeneral/sites/acme_website

    SSLEngine on
    SSLCertificateFile /home/wwwgeneral/acme_com.crt
    SSLCertificateKeyFile /home/wwwgeneral/acme_com.pem
    SSLCertificateChainFile /home/wwwgeneral/acme_com.ca-bundle

    <Directory /home/wwwgeneral/sites/acme_website>
        Options -Indexes +FollowSymLinks +MultiViews
        AllowOverride All
        Require all granted
    </Directory>
</VirtualHost>

Test and restart apache:

$ sudo apachectl configtest
$ sudo service apache2 restart
  • SSLCertificateFile is the certificate file given to use by the Certificate Authority
  • SSLCertificateKeyFile is our private key file
  • SSLCertificateChainFile is the bundle chain file (this has been deprecated in Apache > 2.4.8
    • Apparently Apache version 2.4.8 and greater deprecates the SSLCertificateChainFile
    • I think you can combine the bundle file and the crt file into one file and serve it under SSLCertificateFile
    • cat domain.crt domain-ca.crt > bundle.crt
    • I avoid this as long as the SSLCertificateChainFile still works