So you have decided that you want to install a certificate on your Apache or Nginx server? Great idea! Let's start then.
First of all, let's sum up the steps that you should perform to get a certificate working on your server:
1. Generate a CSR (certificate signing request) and private key pair on the server.
2. Submit the generated CSR code to activate the purchased certificate on your SSL certificate provider's side.
3. Validate the certificate on the Certificate Authority or certificate provider side (depends on the certificate type and your CA/provider).
4. Install the certificate on the server.
There are also a few certificate types you should be aware of:
We can also divide SSL certificates into the following categories:
It sounds complicated, but actually it is not that difficult. Let's begin with the CSR. We recommend generating the certificate request on the server and not using any online tools for security reasons.
You need to connect to your VPS via SSH. Then go to your home directory with this command:
cd ~
Next, run the following command to generate the CSR and the private key files:
openssl req -newkey rsa:2048 -nodes -keyout yourdomain.key -out yourdomain.csr
Here yourdomain.csr stands for your CSR file and yourdomain.key stands for the private key file.
!!ATTENTION!! Do not delete the private key! It will be required to install the certificate on the server; without this file the certificate will not work at all. We recommend saving it to a non-public directory on our server and backing it up on your local machine.
Once the command is executed, you will be asked a few questions. Here are the example answers:
Country Name (2 letter code) [AU]:US
State or Province Name (full name) [Some-State]:New York
Locality Name (eg, city) []:New York
Organization Name (eg, company) [Internet Widgits Pty Ltd]:My Own Company
Organizational Unit Name (eg, section) []:
Common Name (e.g. server FQDN or YOUR name) []:yourdomain.com
Email Address []:mail@yourdomain.com
Please enter the following 'extra' attributes to be sent with your certificate request
A challenge password []:
An optional company name []:
Let's take a detailed look at these. The address details you specify in the certificate request will not be used for the certificate (the address for OV and EV certificates is requested separately). We also recommend leaving the extra fields (challenge password, optional company name) empty, as filling them in may cause issues during the certificate activation process with some Certificate Authorities.
As for the common name of the certificate, you need to use the exact fully qualified domain name you want to secure with the certificate. Do not use your full name or the name of your organization; only the domain name should be used.
So basically the certificate request is an unsigned certificate file, which contains the public key, and the private key file has, unsurprisingly, the private key in it. They work as a pair via an asymmetric encryption algorithm.
In order to open the CSR you can use any text editor or the cat command. We prefer using nano or cat:
nano yourdomain.csr
or
cat yourdomain.csr
Just select the whole code, including the -----BEGIN CERTIFICATE REQUEST----- and -----END CERTIFICATE REQUEST----- headers, and send it to your CA/certificate provider to get the certificate activated.
Small tip: press CTRL+X to close nano editor.
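Before sending the CSR, it is worth confirming that it carries the intended common name and that it pairs with the private key you saved. The shell functions below are an added example, not part of the original tutorial; the function names, the non-interactive -subj string and the sample file names are assumptions.

```shell
#!/bin/sh
# Added example: sanity checks for the files produced by "openssl req".
# Function names, the -subj string and file names are constructed sample values.

# Generate a 2048-bit RSA key and a CSR without the interactive prompts.
# $1 = base file name (e.g. yourdomain), $2 = FQDN for the common name
make_csr() {
    (
        umask 077   # the key file must be readable by its owner only
        openssl req -newkey rsa:2048 -nodes \
            -keyout "$1.key" -out "$1.csr" \
            -subj "/C=US/ST=New York/L=New York/O=My Own Company/CN=$2" \
            2>/dev/null
    )
}

# Print the common name stored in a CSR ($1 = CSR file).
# The sed pattern accepts both "CN = x" and "/CN=x" subject layouts.
csr_common_name() {
    openssl req -in "$1" -noout -subject |
        sed -n 's/.*CN *= *\([^,/]*\).*/\1/p'
}

# Succeed only if the public key inside the CSR ($1) is the one that
# belongs to the private key ($2). Returns 2 if either file is unreadable.
csr_matches_key() {
    csr_pub=$(openssl req -in "$1" -noout -pubkey 2>/dev/null) || return 2
    key_pub=$(openssl pkey -in "$2" -pubout 2>/dev/null) || return 2
    [ -n "$csr_pub" ] && [ "$csr_pub" = "$key_pub" ]
}

# Stand-alone use: ./check_csr.sh yourdomain.csr yourdomain.key
if [ "$#" -eq 2 ]; then
    echo "Common name: $(csr_common_name "$1")"
    if csr_matches_key "$1" "$2"; then
        echo "CSR and private key belong together"
    else
        echo "CSR and private key do NOT match" >&2
        exit 1
    fi
fi
```

A mismatch here means the certificate issued for this CSR will not work with the key file you kept, so generate a fresh pair before activating the certificate.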
This is the whole process of getting a CSR and a private key generated for your certificate activation. Once you have the certificate, feel free to follow the instructions to get the certificate installed on Apache or Nginx web servers.
Keep it secure!