It seems that every so often I find myself setting up a domain with an SSL certificate. This happens exactly as often as I forget the steps from when I last did it. So to help myself next around (and other internet denizens) I’m going to write up the instructions.

1. Create a CSR

First, we need to create a Certificate Signing Request (CSR) which we then give to the certificate authority (the company that you pay to vouch that you are who you say you are).

You can do this online (if you trust whoever is doing it online…) or on your own machine with a shell command:

openssl req -nodes -newkey rsa:2048 -keyout private.key -out CSR.csr

or use a script that does pretty much the same thing.

2. Submit CSR to Certificate Authority

Next you need to give the CSR (but not the key) to your certificate authority. You should receive an email link or form where you can paste in your CSR.

3. Receive signed CRT

After submitting your CSR you will receive back a signed CRT certificate and possibly other intermediary CRT certificates. These usually come by email a few minutes to a few hours after you’ve submitted your CSR.

If you go with a more expensive certificate authority, it will likely be closer to a root certificate authority. The root ceriticate authorities are trusted by your browser, and they then go on and certify other authorities. If you are using a cheaper certificate authority, you may need some intermediary certificates that link up to the top-level root authority that your browser trusts. You’ll need to include this along with your CRT in your pem. You can combine all of these certificates into a .pem file that holds them all like so:

4. Create a .PEM

Here we will combine our certificate that we received back from the certificate authority, with our private key, and all intermediary certificates and concatenate them all into a single file.

cat evancarmi_com.crt evancarmi_com.key AddTrustExternalCARoot.crt COMODORSAAddTrustCA.crt COMODORSADomainValidationSecureServerCA.crt | tee evancarmi_com.pem

Now, we can need to place this .pem file onto our server which will receive encrypted HTTPS traffic.

5. Upload .pem to frontend server

I use HAProxy to decrypt SSL traffic before passing it on to my frontend web server (nginx). I have instructions for how to setup SSL with HAProxy here.

If you are using nginx you’ll need a server block that listens to traffic on port 443 and includes the location of the .pem file. Here’s an example of how to do that.

That’s it!

blog comments powered by Disqus

Say Hello