Abishek B

Hi guys, whenever you browse the internet you have probably noticed website URLs starting with HTTP or HTTPS. You might know that HTTP is the Hypertext Transfer Protocol and HTTPS is the Hypertext Transfer Protocol over Secure Sockets Layer (SSL). The difference is that the latter is the more secure one. HTTPS is used on websites where sensitive information is handed over, such as usernames, passwords, credit card details, or any other financial or personal data.

SO WHAT IS THIS SSL?

An SSL certificate enables encryption of the data that travels from a user's computer to the target website and back. Every time a user enters information into your site, SSL makes sure it travels securely from their browser to your web server.

There are two types of SSL certificates: free and paid. Both use the same level of encryption. So why would you need a paid SSL certificate when you can get a free one? The difference is that the paid one comes with support, a warranty and longer validity. You can get a paid SSL certificate from a trusted Certificate Authority or from a third party called a 'reseller', whereas a free SSL certificate can be issued by a non-profit certificate authority such as Let's Encrypt or ZeroSSL.

DO I NEED SSL IN MY WEBSITE?

If your website handles sensitive user information, then you need an SSL certificate to transfer that information securely from client to server. Google and other popular search engines don't index sites served over HTTP and consider them non-secure sites.

LET’S START CREATING A SSL CERTIFICATE

If you have a small website or a blog, a free SSL certificate is good enough. But if your website deals with business or eCommerce, I would recommend using a paid SSL certificate.

In this post, we will create a free SSL certificate using ZeroSSL and write a script that automatically renews it before it expires.

PREREQUISITES

This tutorial is written for Ubuntu; if you are looking for another OS, please refer here.

sudo apt-get install make gcc libssl-dev liblocal-lib-perl cpanminus
sudo apt-get install libnet-ssleay-perl
sudo apt-get install libcrypt-ssleay-perl
sudo cpanm Test::More Crypt::LE

STEP 1 — GENERATE DOMAIN KEYS USING OPENSSL

The ZeroSSL client (le.pl) can create the domain and account keys itself, but it is recommended to generate them manually.

openssl genrsa -out account.key 4096
openssl genrsa -out mydomain.key 2048

STEP 2 — GENERATE SSL FOR YOUR DOMAIN

Once the account and domain keys are generated, you are all set to create an SSL certificate for your domain. Let's assume you need a certificate for domain.com. If you need it for a specific subdomain you can list that, and if you need it for all subdomains you can use a wildcard (*.domain.com). I will use both the domain and all its subdomains (i.e. using a wildcard).

le.pl --key account.key --csr mydomain.csr --csr-key mydomain.key --crt mydomain.crt --domains "domain.com,*.domain.com" --generate-missing --handle-as dns --live

This command performs DNS verification and creates a live certificate for the listed domains. If you want to test first, run the same command without --live.

You will be asked to add a TXT record to your DNS to prove ownership of the listed domains. It might take some time for the change to propagate, so wait a while. You can verify it by running the following command:

nslookup -q=TXT _acme-challenge.domain.com

Once DNS verification succeeds, the mydomain.key and mydomain.crt files will be created. All you have to do is reference them in your web server configuration.

You can specify the directory where the certificate files are written with the --path argument.
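As an added example (not code from the original post), here is a small shell script that uses only the openssl CLI to check the files le.pl produced before pointing a web server at them: that mydomain.key really belongs to mydomain.crt, how many days are left, and whether a renewal is already due. The file paths are passed as arguments; make_demo_pair builds a throwaway self-signed pair purely as constructed input so the checks can be run offline, and days_until_expiry relies on GNU date as found on Ubuntu.

```shell
#!/bin/sh
# Added example, not from the original post: sanity checks on the files that
# le.pl writes (mydomain.key, mydomain.crt) using only the openssl CLI.
# Paths are taken as arguments; the self-signed pair from make_demo_pair is
# constructed purely so the checks can be exercised without a real issuance.

# Return 0 when the private key and certificate carry the same public key,
# 1 otherwise. A mismatch is the usual reason a web server refuses to start
# after a renewal that rotated one file but not the other.
key_matches_cert() {
    key_pub=$(openssl pkey -in "$1" -pubout 2>/dev/null) || return 1
    crt_pub=$(openssl x509 -in "$2" -noout -pubkey 2>/dev/null) || return 1
    [ -n "$key_pub" ] && [ "$key_pub" = "$crt_pub" ]
}

# Whole days left until the certificate's notAfter date (GNU date, as on Ubuntu).
days_until_expiry() {
    end=$(openssl x509 -in "$1" -noout -enddate | sed 's/^notAfter=//')
    end_epoch=$(date -d "$end" +%s)
    echo $(( (end_epoch - $(date +%s)) / 86400 ))
}

# Return 0 when the certificate expires within $2 days, i.e. when a renewal
# run is due; delegates the date arithmetic to openssl's own -checkend.
expires_within_days() {
    ! openssl x509 -in "$1" -noout -checkend $(( $2 * 86400 )) >/dev/null
}

# Constructed demo input: a throwaway self-signed key/cert pair valid for $3 days.
make_demo_pair() {
    openssl req -x509 -newkey rsa:2048 -nodes -days "$3" \
        -subj "/CN=example.test" -keyout "$1" -out "$2" 2>/dev/null
}

# Human-readable report, e.g.: sh check_cert.sh mydomain.key mydomain.crt
report() {
    if key_matches_cert "$1" "$2"; then
        echo "OK: $1 matches $2"
    else
        echo "ERROR: $1 does not match $2" >&2
        return 1
    fi
    echo "Days until expiry: $(days_until_expiry "$2")"
    if expires_within_days "$2" 10; then
        echo "Renewal is due: fewer than 10 days left"
    fi
}

if [ "$#" -eq 2 ]; then
    report "$1" "$2"
fi
```

Run it as `sh check_cert.sh mydomain.key mydomain.crt` after issuance and again after every renewal; a non-zero exit from the key/certificate comparison is the signal to stop before reloading the web server.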

STEP 3 — SCRIPT FOR AUTO RENEWAL

The created certificate is valid for 90 days; after that you need to generate a new certificate to keep using HTTPS, otherwise browsers will mark your website as non-secure.

The ZeroSSL client provides an option to renew your certificate a specified number of days before it expires. We will renew the certificate 10 days before expiry.

le.pl --key account.key --csr mydomain.csr --csr-key mydomain.key --crt mydomain.crt --domains "domain.com,*.domain.com" --generate-missing --unlink --renew 10 --issue-code 100 --live

The above command reports that it is too early for renewal if the certificate expires in more than 10 days. If fewer than 10 days remain, the command renews the certificate and key file and exits with status 100, since that is the value given to --issue-code.

You can run this command from cron or any other scheduler for automatic renewal:

le.pl --key account.key --csr mydomain.csr --csr-key mydomain.key --crt mydomain.crt --domains "domain.com,*.domain.com" --generate-missing --unlink --renew 10 --issue-code 100 --live
if [ $? -eq 100 ]; then
    echo "Renewal Success. Restart your web server to see changes"
fi
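As an added example (not the script from the original post), here is a cron-ready wrapper around the renewal command above. It captures the exit status, reloads the web server only when le.pl exited with the --issue-code value 100, and logs each outcome with a timestamp, so a failed run shows up in a log instead of being discovered when the certificate expires. Assumptions not stated in the post: le.pl is on PATH, the account key, CSR, key and certificate live in CERT_DIR (the default /etc/ssl/mydomain is a placeholder), nginx is the web server, and le.pl exits 0 when it is too early to renew. The DNS TXT challenge from step 2 still has to be satisfied without a person at the keyboard for an unattended run to succeed; this wrapper only deals with what happens after le.pl returns.

```shell
#!/bin/sh
# Added example, not part of the original post: a cron-safe wrapper around the
# renewal command from the post. It gates the web-server reload on le.pl's
# --issue-code value and logs every outcome with a timestamp.
#
# Assumptions (not stated in the post): le.pl is on PATH, the files live in
# CERT_DIR, nginx is the web server, and le.pl exits 0 when renewal is not yet
# due. All of these can be overridden through the environment.

CERT_DIR="${CERT_DIR:-/etc/ssl/mydomain}"           # placeholder location
DOMAINS="${DOMAINS:-domain.com,*.domain.com}"
LE_BIN="${LE_BIN:-le.pl}"                           # the ZeroSSL client
RELOAD_CMD="${RELOAD_CMD:-systemctl reload nginx}"  # assumed web server
LOG_FILE="${LOG_FILE:-/var/log/ssl-renew.log}"
RENEW_DAYS="${RENEW_DAYS:-10}"
ISSUED_CODE=100                                     # value passed to --issue-code

log() {
    printf '%s %s\n' "$(date '+%Y-%m-%d %H:%M:%S')" "$*" >>"$LOG_FILE"
}

# Run one renewal attempt. Exit status of this function:
#   0 -> nothing to do, or renewed and reloaded successfully
#   1 -> le.pl reported an error, or the reload failed
renew_cert() {
    "$LE_BIN" --key "$CERT_DIR/account.key" \
        --csr "$CERT_DIR/mydomain.csr" --csr-key "$CERT_DIR/mydomain.key" \
        --crt "$CERT_DIR/mydomain.crt" --domains "$DOMAINS" \
        --generate-missing --unlink --renew "$RENEW_DAYS" \
        --issue-code "$ISSUED_CODE" --live
    rc=$?
    case "$rc" in
        "$ISSUED_CODE")
            log "certificate renewed, reloading web server"
            if $RELOAD_CMD; then
                log "reload succeeded"
                return 0
            fi
            log "reload FAILED: new certificate is on disk but not being served"
            return 1
            ;;
        0)
            # Assumed: le.pl exits 0 when more than RENEW_DAYS days remain.
            log "not due yet (more than $RENEW_DAYS days left)"
            return 0
            ;;
        *)
            log "le.pl failed with exit status $rc; check the DNS challenge and account key"
            return 1
            ;;
    esac
}

# Invoked from cron with the 'run' argument, e.g. daily at 03:00:
#   0 3 * * * /usr/local/bin/ssl-renew.sh run
case "${1:-}" in
    run) renew_cert ;;
esac
```

Install it as /usr/local/bin/ssl-renew.sh and schedule it daily; checking the certificate more often than once a day costs nothing, because le.pl only issues when the renewal window has been reached. A reload that fails after a successful issuance is the case worth alerting on, since the old certificate keeps being served until someone notices.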

And that's it, you don't need to worry about renewing your certificates again. The script will renew them automatically 10 days before the expiry date.

As I said earlier in this post, if you have an eCommerce site or any business website, go for a paid SSL certificate, as they provide support and a warranty if anything unexpected happens, and they come with a longer validity of a year or two.

If you have any queries regarding this post or any suggestions, feel free to comment on this post.

Thank you.

Software Developer @ NeuroTags