| Version 2 (modified by , 15 years ago) ( diff ) |
|---|
How do I get a Security Certificate for my Web site?
A security certificate is required if you want to offer a encrypted connection between your web visitors and your web site. An encrypted connection to a web site is typically indicated by a lock icon in your browser and most encrypted web sites have URLs that start with https instead of plain http.
The purpose of a security certificate is to provide proof to the world that your web site is indeed operated by you (and not an impostor). For more information about security certificates, please see our certificate faq.
Before you can get a security certificate attesting that you are who you say you are, you will need to generate two files:
- The private key is the file with the secret material that should only be accessible to the web server hosting your site
- The certificate signing request is the non-confidential file generated based on your private key that you submit to a certificate authority
Then, you will need to submit your certificate signing request to a certificate authority, such as RapidSSL or cacert. RapidSSL costs $79 per certificate and can generate a certificate for you that will be accepted by nearly all browsers on the planet. cacert will generate a certificate for free but users will need to import the cacert root certificate or they will get errors. We have a raging debate about which approach is the best to take.
To generate a private key and a certificate signing request, ssh into your primary host and run:
openssl req -new -nodes -out domain.csr -keyout domain.key -config /etc/ssl/openssl.cnf
You will be prompted to answer a series of questions (with the defaults used by MFPL provided in brackets).
The most important question is:
Common Name (hostname, IP, or your name) []:
You must type the exact domain name that will be used for your site (e.g. members.mayfirst.org).
When the command has completed you should have two files: domain.csr (which can be submitted to the certificate authority) an domain.key which you should keep private.
The certificate authority will respond with a certificate file. This file and your domain.key file can be used to setup your web site to use a security certificate.
