SSL Requirements
For you to build an SSL certificate you are going to need a few things first.
These are:
- RSA Private Key
- Certified Signing Request (or CSR)
There are different options and tools to choose from to create the Key and CSR. For this example though we will be using OpenSSL. OpenSSL is one of the most commonly used tools for cert generation.
Create the RSA Private Key
Before you create your key, you need to decide on the level encryption and the type of cipher you wish to use. OpenSSL has the option for both RSA and ECDHE-ECDSA based ciphers. RSA supports encryption keys of 1024, 2048, 4096-bit encryption. Just about all CA’s support RSA so we will use this cipher for our example, but make sure to check your CA’s documentation to be sure.
To create an RSA key in OpenSSL, you need to add the parameter genrsa. If you are using AWS, they recommend that you use an RSA Key with 2048 bit encryption.
Log into your server and on your console type:
openssl genrsa -out my-private-key.pem 2048
Note: You can read this line as: openssl create a 2048 bit RSA key named “my-private-key” and output this file to the current folder.
Create the CSR
To generate the Certified Signing Request (or CSR), you will need to use the “req” command.
Log into your server and on your console type:
openssl req -sha256 -new -key my-private-key.pem -out csr.pem
You will be prompted to enter in the following information:
| Country Name | The two-letter ISO code for your country. For example, US. |
| State or Province Name | The full name of the state or province where your organization is located. Do not use an abbreviation. |
| Locality Name | The name of the city where your organization is located. |
| Organization Name | The full legal name of your organization. |
| Organizational Unit Name | (Optional) Additional information, such as a product name or division. |
| Common Name | The fully-qualified domain name for your CNAME. This name must be an exact match. For example, www.mycompany.com, mycompany.com, or *.mycompany.com. |
| Email Address | The server administrator’s email address. |
Note: Now you need to make sure you store both of these files my-private-key.pem and csr.pem in a safe location.
Generating the SSL cert
There are two ways to generate SSL certs:
- Register your cert with a Certificate Authority
- Create a self-signed certificate (used for testing)
Using a Certificate Authority
For most search engines to recognize your SSL cert, you will need to register your cert with a provider.
Create an SSL Cert with NamesCheap is an example of how to take your CSR cert file and register it with a vendor to get your CA cert.
Click here to see additional third party Certificate Authorities.
Create a Self-signed Certificate
A self-signed certificate is an excellent way to test your systems and server settings, while waiting on your SSL cert to be ready.
To create a self-signed certificate log on to your server and on your console type:
openssl x509 -req -days 365 -in csr.pem -signkey my-private-key.pem -out my-certificate.pem
Note: This will create a my-certificate.pem file for you to use to test servers SSL configurations.
Additional Resources
- Check out OpenSSL.
- Check out these books:
We hope you found this information useful. To continue taking the “Domain Registration and Configuration” class click here.
[sgmb id=”1″]