Changes between Version 3 and Version 4 of faq/security/get-certificate


Timestamp:
Jul 26, 2010, 3:31:28 PM (15 years ago)
Author:
Jamie McClelland
Comment:

--

  • faq/security/get-certificate

    v3 v4  
    99== Generating the key and signing request ==
    1010
    11 Before you can get a security certificate attesting that you are who you say you are, you will need to generate two files:
     11Before you can get a security certificate attesting that you are who you say you are, you will need to two files:
    1212
    1313 * The private key is the file with the secret material that should only be accessible to the web server hosting your site
    1414 * The certificate signing request is the non-confidential file generated based on your private key that you submit to a certificate authority
    1515
    16 Then, you will need to submit your certificate signing request to a certificate authority, such as [http://rapidssl.com RapidSSL] or [http://cacert.org cacert]. RapidSSL costs $79 per certificate and can generate a certificate for you that will be accepted by nearly all browsers on the planet. cacert will generate a certificate for free but users will need to import the cacert root certificate or they will get errors. We have a [ticket:1706 raging debate] about which approach is the best to take.
     16Then, you will need to submit your certificate signing request to a certificate authority, such as [http://startssl.com StartSSL], [http://rapidssl.com RapidSSL] or [http://cacert.org cacert]. I've never tried StartSSL, but they will provide certificates for free that they claim work in all major browsers. RapidSSL costs $79 per certificate and can generate a certificate for you that will be accepted by nearly all browsers on the planet. cacert will generate a certificate for free but users will need to import the cacert root certificate or they will get errors. We have a [ticket:1706 raging debate] about which approach is the best to take.
     17 
     18=== Generating a key and signing request for the first time ===
    1719
    1820To generate a private key and a certificate signing request, [wiki:secure_shell ssh] into your primary host and run:
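Review bot: The rewritten line 11 drops the verb: "you will need to two files" should read "you will need to generate two files", as it did in v3. In line 16, StartSSL is added to the list of certificate authorities together with "I've never tried StartSSL" and a browser-acceptance claim attributed to the vendor; either test a certificate from them before listing it next to the two existing options, or move it to a separate sentence so readers can tell it apart from the options the page describes from experience.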
     
    3335
    3436When the command has completed you should have two files: a private key file that you should ''not'' share with anyone (domain.key) and a certificate signing request (domain.csr) that is based on your key that can be shared with anyone and should be provided to a certificate authority if you would like to get a certificate for your private key..
     37
     38=== Generating a signing request for a renewal - I already have a key ===
     39
     40If your certificate is expiring, you can simply re-submit your existing signing request and get a new certificate for the next year. You do not need to generate a new signing request.
     41
     42If you lost your signing request, you can regenerate a new one based on your existing key:
     43
     44{{{
     45openssl req -out domain.csr -key path/to/your/private/key/domain.key -new -config /etc/ssl/openssl.cnf
     46}}}
    3547
    3648== Getting a certificate file ==
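Review bot: The new renewal section (lines 40 to 42) tells readers to keep re-submitting the same signing request, and so the same private key, but never says when that is the wrong choice; add a sentence that a key which may have been exposed should be replaced by following "Generating a key and signing request for the first time" instead of renewing. In line 42, "regenerate a new one" is redundant ("generate a new one" is enough), and it would help to state that the command in line 45 writes domain.csr to the current directory. The unchanged line 36 also ends with a doubled period that could be cleaned up in the same edit.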