[[TranslatedPages]]
[[PageOutline]]

= How do I get an x509 (aka SSL) Certificate for my Web site? =

A security certificate is required if you want to offer an encrypted connection between your web visitors and your web site. An encrypted connection to a web site is typically indicated by a lock icon in your browser, and most encrypted web sites have URLs that start with https instead of plain http. The purpose of a security certificate is to provide proof to the world that your web site is indeed operated by you (and not an impostor). For more information about security certificates, please see our [wiki:what_is_an_ssl_certificate certificate faq].

At MF/PL this process is now quite simple. You can [wiki:faq/security/setup-certificate install and configure https all from the control panel]. The instructions below are for doing it by hand '''but are not necessary'''.

== Generating the key and signing request ==

Before you can get a security certificate attesting that you are who you say you are, you will need two files:

 * The private key is the file with the secret material that should only be accessible to the web server hosting your site.
 * The certificate signing request is the non-confidential file, generated from your private key, that you submit to a certificate authority.

Then you will need to submit your certificate signing request to a certificate authority, such as [https://www.ssls.com SSLs.com] or [http://cacert.org cacert]. SSLs.com costs as little as $4.99 per certificate per year and can generate a certificate for you that will be accepted by nearly all browsers on the planet. cacert will generate a certificate for free, but users will need to import the cacert root certificate or they will get errors. We have a [ticket:1706 raging debate] about which approach is the best to take.

In these examples domain.csr and domain.key are the file names provided.
These filenames are arbitrary and can be anything you want. I would recommend replacing ''domain'' with your actual domain (e.g. mayfirst.org.key and mayfirst.org.csr) so it is easier to keep track of the domain each file was generated for.

=== Generating a key and signing request for the first time or to replace a vulnerable key ===

To generate a private key and a certificate signing request, [wiki:secure_shell ssh] into your primary host and run:

{{{
openssl req -new -nodes -out domain.csr -keyout domain.key -config /etc/ssl/openssl.cnf
}}}

The `-nodes` option ("no DES") writes the key without a passphrase, which is what a web server that has to start unattended needs. You will be prompted to answer a series of questions (with the defaults used by MFPL provided in brackets). The most important question is:

{{{
Common Name (hostname, IP, or your name) []:
}}}

You must type the exact domain name that will be used for your site (e.g. members.mayfirst.org). When the command has completed you should have two files: a private key file that you should ''not'' share with anyone (domain.key) and a certificate signing request (domain.csr) that is based on your key, can be shared with anyone, and should be provided to a certificate authority if you would like to get a certificate for your private key.

=== Generating a signing request for a renewal - I already have a key ===

If your certificate is expiring, you can simply re-submit your existing signing request and get a new certificate for the next year. You do not need to generate a new signing request, as long as you have no reason to believe the key has been compromised; if you do, generate a fresh key and request as described above instead.
If you lost your signing request, you can regenerate a new one based on your existing key:

{{{
openssl req -out domain.csr -key path/to/your/private/key/domain.key -new -config /etc/ssl/openssl.cnf
}}}

== Examining your certificate signing request ==

If you want to get a human-readable view of what you just created (to check for typos, especially in the Common Name), you can type:

{{{
openssl req -in domain.csr -text -verify -noout
}}}

== After Receiving Your Certificate You Can Test It ==

If you want to read the content of the certificate:

{{{
openssl x509 -in domain.crt -noout -text -purpose | less
}}}

If you want to test to ensure that your certificate is valid (after receiving it from a certificate authority) and works with your key file, you can run this command:

{{{
openssl s_server -cert domain.crt -key domain.key -www
}}}

You should get something like this:

{{{
0 jamie@chicken:~$ openssl s_server -cert domain.crt -key domain.key
Using default temp DH parameters
Using default temp ECDH parameters
ACCEPT
^C
130 jamie@chicken:~$
}}}

Hit `ctrl-c` to cancel. If the certificate and the key do not belong together, s_server exits with an error before printing ACCEPT. If you are prompted for a password, then it means you created your key file with a password, which will cause problems if you try to use it for your web site.

== Next steps ==

Your certificate (domain.crt) and your domain.key file can be used to [wiki:faq/security/setup-certificate set up your web site to use a security certificate or replace an existing one].
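The whole procedure above (generate the key and request, check the request before submitting it, check the certificate you get back) as one runnable script. This is an added example, not part of the original page or of MF/PL's tooling. It assumes only the `openssl` command-line tool and `mktemp`; ''example.org'' is a placeholder domain, the tiny openssl.cnf it writes stands in for /etc/ssl/openssl.cnf, and, because no certificate authority is reachable offline, the "received" certificate is self-signed from the CSR as a stand-in. Run the same checks against the file your CA actually returns.

```shell
#!/bin/sh
# Added example (not from the original page): key/CSR generation plus the
# checks worth running before submitting a CSR and after getting a cert back.

# Minimal config so req works even where /etc/ssl/openssl.cnf is absent;
# exported so every openssl invocation below picks it up.
write_req_config() {        # $1 = directory
    printf '[req]\ndistinguished_name = dn\n[dn]\n' > "$1/openssl.cnf"
    OPENSSL_CONF="$1/openssl.cnf"; export OPENSSL_CONF
}

# Equivalent of the interactive command on this page: -nodes leaves the key
# unencrypted, -subj answers the Common Name question non-interactively.
gen_key_and_csr() {         # $1 = domain, $2 = directory
    openssl req -new -nodes -newkey rsa:2048 -subj "/CN=$1" \
        -keyout "$2/$1.key" -out "$2/$1.csr" -config "$OPENSSL_CONF" 2>/dev/null
    chmod 600 "$2/$1.key"   # the key must be readable by the web server only
}

# The renewal case: a fresh CSR from a key you already have.
regen_csr() {               # $1 = domain, $2 = key file, $3 = directory
    openssl req -new -key "$2" -subj "/CN=$1" -out "$3/$1.csr" 2>/dev/null
}

# Print the CSR subject (e.g. CN=example.org) to catch typos before the CA
# sees them; -nameopt RFC2253 gives a stable one-line format.
csr_common_name() {         # $1 = csr file
    openssl req -in "$1" -noout -subject -nameopt RFC2253 | sed 's/^subject=//'
}

# Check the CSR's own signature (what -verify does in the page's command).
csr_signature_ok() {        # $1 = csr file
    openssl req -in "$1" -noout -verify >/dev/null 2>&1
}

# A CSR and a certificate both embed the public half of a key pair; compare
# it with the public key derived from the private key to prove they match.
pubkey_of_key()    { openssl pkey -in "$1" -pubout; }
csr_matches_key()  { [ "$(openssl req  -in "$1" -noout -pubkey)" = "$(pubkey_of_key "$2")" ]; }
cert_matches_key() { [ "$(openssl x509 -in "$1" -noout -pubkey)" = "$(pubkey_of_key "$2")" ]; }

# A key made without -nodes is passphrase-protected and will stall the web
# server at startup; both PEM encodings of that state are detectable.
key_is_unencrypted() {      # $1 = key file
    ! grep -qE '^-----BEGIN ENCRYPTED PRIVATE KEY-----|^Proc-Type: 4,ENCRYPTED' "$1"
}

# True if the certificate is still valid for at least $2 more days.
cert_valid_for_days() {     # $1 = cert file, $2 = days
    openssl x509 -in "$1" -noout -checkend $(( $2 * 86400 )) >/dev/null
}

# Stand-in for the CA: self-sign the CSR. In practice use the CA's file.
fake_ca_sign() {            # $1 = csr, $2 = key, $3 = out cert, $4 = days
    openssl x509 -req -in "$1" -signkey "$2" -days "$4" -out "$3" 2>/dev/null
}

# End-to-end run; any failing check aborts because of set -e.
run_demo() {
    set -e
    dir=$(mktemp -d); domain=example.org       # placeholder domain
    write_req_config "$dir"
    gen_key_and_csr "$domain" "$dir"
    [ "$(csr_common_name "$dir/$domain.csr")" = "CN=$domain" ]
    csr_signature_ok "$dir/$domain.csr"
    csr_matches_key "$dir/$domain.csr" "$dir/$domain.key"
    key_is_unencrypted "$dir/$domain.key"
    fake_ca_sign "$dir/$domain.csr" "$dir/$domain.key" "$dir/$domain.crt" 30
    cert_matches_key "$dir/$domain.crt" "$dir/$domain.key"
    cert_valid_for_days "$dir/$domain.crt" 7
    # Negative cases: a different key must not match the CSR, and an
    # encrypted key (what you get without -nodes) must be flagged.
    openssl genpkey -algorithm RSA -pkeyopt rsa_keygen_bits:2048 \
        -out "$dir/other.key" 2>/dev/null
    if csr_matches_key "$dir/$domain.csr" "$dir/other.key"; then
        echo "BUG: unrelated key matched the CSR"; return 1
    fi
    openssl genpkey -algorithm RSA -pkeyopt rsa_keygen_bits:2048 \
        -aes-256-cbc -pass pass:secret -out "$dir/enc.key" 2>/dev/null
    if key_is_unencrypted "$dir/enc.key"; then
        echo "BUG: encrypted key not detected"; return 1
    fi
    rm -rf "$dir"
    echo "all checks passed for $domain"
}

if [ "${1:-}" = "demo" ]; then run_demo; fi
```

Save it as `certcheck.sh` and run `sh certcheck.sh demo` to see the whole flow; to check real files, source the script and call `csr_matches_key`, `cert_matches_key` and `key_is_unencrypted` on your own domain.csr, domain.crt and domain.key. The public-key comparison is the same test `openssl s_server` performs before printing ACCEPT, but it gives a clean exit status you can use in a deploy script.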