How do I get a Security Certificate for my Web site?

A security certificate is required if you want to offer a encrypted connection between your web visitors and your web site. An encrypted connection to a web site is typically indicated by a lock icon in your browser and most encrypted web sites have URLs that start with https instead of plain http.

The purpose of a security certificate is to provide proof to the world that your web site is indeed operated by you (and not an impostor). For more information about security certificates, please see our certificate faq.

Generating the key and signing request

Before you can get a security certificate attesting that you are who you say you are, you will need to two files:

• The private key is the file with the secret material that should only be accessible to the web server hosting your site
• The certificate signing request is the non-confidential file generated based on your private key that you submit to a certificate authority

Then, you will need to submit your certificate signing request to a certificate authority, such as ​StartSSL, ​RapidSSL or ​cacert. I've never tried StartSSL, but they will provide certificates for free that they claim work in all major browsers. RapidSSL costs $79 per certificate and can generate a certificate for you that will be accepted by nearly all browsers on the planet. cacert will generate a certificate for free but users will need to import the cacert root certificate or they will get errors. We have a raging debate about which approach is the best to take.

Generating a key and signing request for the first time

To generate a private key and a certificate signing request, ssh into your primary host and run:

openssl req -new -nodes -out domain.csr -keyout domain.key -config /etc/ssl/openssl.cnf

You will be prompted to answer a series of questions (with the defaults used by MFPL provided in brackets).

The most important question is:

Common Name (hostname, IP, or your name) []:

You must type the exact domain name that will be used for your site (e.g. members.mayfirst.org).

When the command has completed you should have two files: a private key file that you should not share with anyone (domain.key) and a certificate signing request (domain.csr) that is based on your key that can be shared with anyone and should be provided to a certificate authority if you would like to get a certificate for your private key..

Generating a signing request for a renewal - I already have a key

If your certificate is expiring, you can simply re-submit your existing signing request and get a new certificate for the next year. You do not need to generate a new signing request.

If you lost your signing request, you can regenerate a new one based on your existing key:

openssl req -out domain.csr -key path/to/your/private/key/domain.key -new -config /etc/ssl/openssl.cnf

Getting a certificate file

There are dozens of corporate certificate authorities that can take your certificate signing request and return a certificate that will only work with your private key. The cost is typically about $80 - $200. You only need to provide your contact information, your certificate signing request and a credit card to be charged. After a short verification period, they will return a certificate to you (also a text file).

Testing your certificate file

If you want to test to ensure that your certificatre is valid and works with your key file, you can run this command:

openssl s_server -cert domain.crt -key domain.key -www

You should get something like this:

0 jamie@chicken:~$ openssl s_server -cert domain.crt -key domain.key 
Using default temp DH parameters
Using default temp ECDH parameters
ACCEPT
^C
130 jamie@chicken:~$

Hit ctl-c to cancel.

If you are prompted for a password, then it means you created your key file with a password, which will cause problems if try to use it for your web site.

Next steps

This file and your domain.key file can be used to setup your web site to use a security certificate.