Provisioning SSL certificates on your Server

James Hamann
5 min read · Sep 22, 2017

If you handle sensitive information on your web app, like processing payments or entering passwords, then it’s important you protect your users by making sure your website is secure using SSL. It’s basically like sending a letter, but making sure you put it in an envelope and seal it up before firing it off. With search engines now favouring SSL sites over others, it’s a good way to boost your ranking and ensure you’re protected.

What is SSL?

SSL, or Secure Sockets Layer, is a protocol that ensures a secure connection between the client and server so that information can be sent and received securely. This works by encrypting the data using a key pair: a private key only accessible on the server and a public key accessible to everyone. The message is encrypted with the public key and sent to the server; if the public key matches the private key, the data is decrypted and processed by the server accordingly. You can tell if you’re SSL secure by the green padlock in your web browser; if it says something like “Secure Connection”, you’re good. Also, the URL prefix will be https://… as opposed to http://

Setup

Most service providers, like GoDaddy, NameCheap, RapidSSL etc., provide an easy process to buy a certificate. Once purchased, you’ll need to generate a CSR (certificate signing request). It doesn’t matter where this is done; it doesn’t need to be done on the same server that you wish to install the certificate on. There are two ways to do this: through the terminal using openssl, or (if you’re on a Mac) through the Keychain Access application.

Using the Terminal

$ openssl req -new -newkey rsa:2048 -nodes -keyout yourdomain.key -out yourdomain.csr

This command will prompt you to go through a little creation wizard, as highlighted below.

openssl Wizard

You’ll be asked to enter a few details as well as choosing a password for the keypair. Once this is done, the .csr (certificate signing request) and yourdomain.key are generated in the directory you ran the command from. If you open up the .csr file in a text editor, it should look something like this.

yourdomain.csr

When managing your SSL, you’ll be asked for the CSR; copy and paste or upload the file (depending on the service provider). Once this is done, verification will be carried out to ensure you’re the domain owner as well. This is done either by sending you an email or by having you add a TXT record with a key value to your DNS. Once verified, you’re ready to go! Depending on where you’re installing your certificate, there will be different file types.
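As an added example (not part of the original post), here is the same key and CSR generation done non-interactively from a small request config, followed by the checks worth running before the CSR goes off to the CA: that the request's own signature verifies, that it really matches the private key next to it, and which names it asks for. The domain example.com, the subject fields and the output directory are placeholder assumptions. The config also goes slightly beyond the wizard shown above by adding a subjectAltName entry, because modern browsers require the hostname in the SAN extension rather than only in the CN.

```shell
#!/bin/sh
# Added example, not code from the original post.
# Assumes: openssl is on PATH; "example.com", the subject fields and the
# output directory are placeholders to replace with your own values.

# gen_csr DOMAIN OUTDIR -> writes OUTDIR/DOMAIN.key and OUTDIR/DOMAIN.csr
gen_csr() {
    domain="$1"
    outdir="$2"
    mkdir -p "$outdir"
    # Request config: the subject fields the interactive wizard would prompt
    # for, plus a SAN extension listing every hostname the cert must cover.
    cat > "$outdir/$domain.cnf" <<EOF
[req]
distinguished_name = dn
req_extensions = ext
prompt = no

[dn]
C  = GB
ST = London
L  = London
O  = Example Ltd
CN = $domain

[ext]
subjectAltName = DNS:$domain, DNS:www.$domain
EOF
    # -nodes writes the key without a passphrase so the web server can load it
    # unattended; compensate by locking down the file's permissions.
    openssl req -new -newkey rsa:2048 -nodes \
        -keyout "$outdir/$domain.key" -out "$outdir/$domain.csr" \
        -config "$outdir/$domain.cnf" 2>/dev/null || return 1
    chmod 600 "$outdir/$domain.key"
}

# verify_csr CSRFILE -> exit 0 if the request's self-signature checks out
verify_csr() {
    openssl req -in "$1" -noout -verify >/dev/null 2>&1
}

# csr_key_match CSRFILE KEYFILE -> exit 0 if the CSR was made with KEYFILE
# (compares the public key embedded in the CSR with the one derived from the key)
csr_key_match() {
    csr_pub=$(openssl req -in "$1" -noout -pubkey 2>/dev/null)
    key_pub=$(openssl pkey -in "$2" -pubout 2>/dev/null)
    [ -n "$csr_pub" ] && [ "$csr_pub" = "$key_pub" ]
}

# csr_sans CSRFILE -> prints the subjectAltName line of the request
csr_sans() {
    openssl req -in "$1" -noout -text 2>/dev/null \
        | grep -A1 'Subject Alternative Name' | tail -n 1 | sed 's/^ *//'
}

# Usage: gen_csr example.com ./out && verify_csr ./out/example.com.csr
```

Running the three checks before uploading the CSR catches the two mistakes that otherwise only surface after the CA has issued the certificate: a CSR that does not belong to the key you kept, and a certificate that is missing a hostname you serve.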

File Types

.pem

This is the most common format and can have other suffixes, including .pem, .crt, .key and .cer. You’ll know it’s in .pem format if the file is readable in a text editor and starts with -----BEGIN CERTIFICATE-----. These types of certificates are used with Apache, Nginx and similar servers.

.der

This is a binary form of the .pem certificate. It can have the suffix .der and .cer and is typically used on the Java platform.

.p7b/PKCS#7

These types of certificates are also readable in a text editor; they start with -----BEGIN PKCS7----- and end with -----END PKCS7-----. They can contain certificates or chain certificates but can’t contain the private key, which will need to be in a separate file. These are supported on platforms like Windows and Tomcat.

.pfx/PKCS#12

This type of certificate file stores the certificate, any additional certificates and the private key in one binary, encryptable file. This is typically used on Windows platforms.

If you find yourself with the wrong format, for whatever reason, there is a way to convert between them. For more information, head over here and follow the simple instructions.
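As an added example (not from the original post), the following shell functions tell the four formats described above apart and convert between them with openssl. A self-signed certificate is generated inline as constructed test input; file names and the PKCS#12 password are placeholder assumptions. The fingerprint helper is there so you can confirm a conversion round-trip produced the same certificate rather than trusting that it did.

```shell
#!/bin/sh
# Added example, not code from the original post. Assumes openssl on PATH.

# cert_format FILE [P12PASSWORD] -> prints pem, pkcs7, der, pkcs12 or unknown
cert_format() {
    f="$1"; p12pass="${2:-}"
    if grep -q -- '-----BEGIN CERTIFICATE-----' "$f" 2>/dev/null; then
        echo pem
    elif grep -q -- '-----BEGIN PKCS7-----' "$f" 2>/dev/null; then
        echo pkcs7
    elif openssl x509 -in "$f" -inform DER -noout >/dev/null 2>&1; then
        echo der
    elif openssl pkcs12 -in "$f" -info -noout -passin "pass:$p12pass" >/dev/null 2>&1; then
        echo pkcs12
    else
        echo unknown
    fi
}

# Conversions. Arguments are input file(s) then output file.
pem_to_der() { openssl x509 -in "$1" -outform DER -out "$2"; }
der_to_pem() { openssl x509 -in "$1" -inform DER -out "$2"; }
# PKCS#7 holds certificates only (no key), so only the cert file goes in.
pem_to_p7b() { openssl crl2pkcs7 -nocrl -certfile "$1" -out "$2"; }
p7b_to_pem() { openssl pkcs7 -in "$1" -print_certs -out "$2"; }
# PKCS#12 bundles cert and private key, so it is password-protected.
pem_to_pfx() { openssl pkcs12 -export -in "$1" -inkey "$2" -out "$3" -passout "pass:$4"; }
pfx_to_pem() { openssl pkcs12 -in "$1" -nodes -out "$2" -passin "pass:$3"; }

# cert_fingerprint FILE [INFORM] -> SHA-256 fingerprint, to compare copies
cert_fingerprint() {
    openssl x509 -in "$1" -inform "${2:-PEM}" -noout -fingerprint -sha256 2>/dev/null \
        | sed 's/^.*=//'
}

# Constructed test input: a self-signed cert and key written into DIR.
make_demo_cert() {
    openssl req -x509 -newkey rsa:2048 -nodes -days 30 -subj "/CN=demo.example.com" \
        -keyout "$1/demo.key" -out "$1/demo.pem" 2>/dev/null
}

# Usage: make_demo_cert ./out; pem_to_der ./out/demo.pem ./out/demo.der
```

Note that the PKCS#12 case is the only one that needs a password to identify, because the file cannot be parsed without it; the other three are recognised from their headers or from parsing as DER.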

Using Keychain Access

Do a quick Spotlight search for Keychain Access and open up the application; it’ll look something like this. You’ll then want to head to the menu and navigate to the option Request a Certificate From a Certificate Authority…

Click “Request a Certificate From a Certificate Authority…” from the dropdown menu

This will bring up the following Certificate Assistant, where you’ll be asked to enter a few details. Ensure you choose the option Save to disk.

Ensure you choose Saved to disk

Once you hit Continue, you’ll be asked where you want to save your .csr file, after which your .csr will be generated. Your private key will be accessible in the Keys section of the Keychain Access app. Depending on your service provider, you can either upload the .csr file or open it in a text editor and paste its contents to start the process.

All done!

That’s it really. Depending on your type of server and configuration, installation of the certificate will vary, but it’s usually quite straightforward.

Free SSL Certificates

AWS, Heroku and Azure all provide free SSL certificates for certain services. For example, on AWS, if you deploy your content through a CloudFront distribution you can apply an SSL certificate to it free of charge using AWS Certificate Manager. As well as that, there’s another cool service called Let’s Encrypt.

Let’s Encrypt

This service offers a free, automated and open certificate authority. It works by running a certificate management agent on your web server, which automatically renews the certificate before it expires; this is handy and stops you having to monitor the process. Another awesome reason to use this service is that they’re supporting wildcard certificates from January next year. Head over to their getting started guide if you’re interested.

Thanks for reading, hit 💚 if you like what you read and be sure to follow to keep up to date with future posts.
