
Generating your SSL certificates

If you're ordering an SSL setup from us, we will take care of everything. If you prefer to purchase an SSL certificate elsewhere for whatever reason, the provider will likely require a CSR (certificate signing request) file from you. You can generate one yourself on the server you're hosted on. If you just want to use a self-signed certificate, you can create that yourself as well. The following example assumes that you want www.mycompany.com covered.

Generating a private key

First, generate a private key, 2048 bits long (for best security):

seymour:~ # openssl genrsa -out www.mycompany.com.key 2048

Generating RSA private key, 2048 bit long modulus
.................................................................................+++
......+++
e is 65537 (0x10001)

Generating a self-signed certificate

Use the key generated above to make a self-signed certificate:

seymour:~ # openssl req -new -days 365 -x509 -key www.mycompany.com.key -out www.mycompany.crt

You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [AU]:US
State or Province Name (full name) [Some-State]:Colorado
Locality Name (eg, city) []:Boulder
Organization Name (eg, company) [Internet Widgits Pty Ltd]:My Company LLC
Organizational Unit Name (eg, section) []:.
Common Name (eg, YOUR name) []:www.mycompany.com
Email Address []:.

Note the dots entered for some of the fields - use them whenever you do not want to provide any value. The fields can be filled in as needed. The part that is critical is the Common Name field. This has to match the hostname you want to protect (e.g. mycompany.com, www.mycompany.com or secure.mycompany.com). To generate a CSR for a wildcard certificate, use a *.mycompany.com string.

The resulting file contains a self-signed certificate that you can start using together with the private key above.

Generating a CSR request for a signed certificate

Compared to a self-signed certificate, a certificate signed by a recognized authority will appear secure to all visitors and will not trigger any warnings about not being trusted. Again, use the key generated above and generate a CSR request file:

seymour:~ # openssl req -new -key www.mycompany.com.key -out www.mycompany.com.csr

You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [AU]:US
State or Province Name (full name) [Some-State]:Colorado
Locality Name (eg, city) []:Boulder
Organization Name (eg, company) [Internet Widgits Pty Ltd]:My Company LLC
Organizational Unit Name (eg, section) []:.
Common Name (eg, YOUR name) []:www.mycompany.com
Email Address []:.

Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:.
An optional company name []:.

Note the dots entered for some of the fields. Do not enter anything but a dot for the last two fields. The others can be filled in as needed (very often the SSL authority will override your identity with their generic data, especially for the inexpensive SSL certificates). The part that is critical is the Common Name field. This has to match the hostname you want to protect (e.g. mycompany.com, www.mycompany.com or secure.mycompany.com). To generate a CSR for a wildcard certificate, use a *.mycompany.com string.

There will now be two files in the directory you were in, www.mycompany.com.key and www.mycompany.com.csr. Take the .csr file and give it to the SSL authority/provider you're purchasing from. Note that it's just a plain text file with fixed line length, so you can print it out (cat www.mycompany.com.csr) and copy and paste it elsewhere.

The SSL authority should provide you with a corresponding certificate file (typically having a .crt extension). This goes hand in hand with the private key file, so you should make sure you do not lose either of those. The .csr file is not needed for web site operation, but it's convenient to keep it, because you can re-use it for SSL renewal.
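
Since the certificate only works with the private key it was issued for, it is worth confirming that the key, the CSR and the certificate carry the same public key, and that the CSR has the intended Common Name, before anything is installed. The script below is an added example, not part of the original instructions; the function names are made up for illustration and it runs against throwaway files it creates in a temporary directory.

```shell
#!/bin/sh
# Added example: check that a key, CSR and certificate belong together.

# Print the SHA-256 of the public key in a file. $1 = key|csr|crt, $2 = path
pubkey_hash() {
    case "$1" in
        key) pem=$(openssl pkey -in "$2" -pubout) ;;
        csr) pem=$(openssl req  -in "$2" -noout -pubkey) ;;
        crt) pem=$(openssl x509 -in "$2" -noout -pubkey) ;;
        *)   echo "unknown kind: $1" >&2; false ;;
    esac || return 1
    printf '%s\n' "$pem" | openssl dgst -sha256 | awk '{print $NF}'
}

# Succeed only if both files hold the same public key.
# $1/$2 = kind and path of the first file, $3/$4 = of the second
same_keypair() {
    a=$(pubkey_hash "$1" "$2") || return 1
    b=$(pubkey_hash "$3" "$4") || return 1
    [ -n "$a" ] && [ "$a" = "$b" ]
}

# Print the Common Name recorded in a CSR.
csr_common_name() {
    openssl req -in "$1" -noout -subject -nameopt multiline |
        sed -n 's/^ *commonName *= *//p'
}

# Constructed sample input: throwaway files in a temp directory.
DEMO=$(mktemp -d)
HOST=www.mycompany.com
SUBJ="/C=US/ST=Colorado/L=Boulder/O=My Company LLC/CN=$HOST"
openssl genrsa -out "$DEMO/$HOST.key" 2048 2>/dev/null
openssl genrsa -out "$DEMO/other.key" 2048 2>/dev/null
openssl req -new -key "$DEMO/$HOST.key" -subj "$SUBJ" -out "$DEMO/$HOST.csr"
openssl req -new -x509 -days 365 -key "$DEMO/$HOST.key" -subj "$SUBJ" \
    -out "$DEMO/$HOST.crt"

echo "CSR Common Name: $(csr_common_name "$DEMO/$HOST.csr")"
for f in "$HOST.csr" "$HOST.crt"; do
    if same_keypair key "$DEMO/$HOST.key" "${f##*.}" "$DEMO/$f"; then
        echo "$f matches $HOST.key"
    fi
done
same_keypair key "$DEMO/other.key" csr "$DEMO/$HOST.csr" ||
    echo "other.key does NOT match $HOST.csr"
```

To check your real files, call same_keypair with your own paths, for example: same_keypair key www.mycompany.com.key crt www.mycompany.com.crt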

Once you have everything, contact us to have it installed (and to have your site put on a dedicated IP if that hasn't been done yet).