When you want a secure website, a mail server, or any other service through SSL (which secures the connection between the client and the server), you must use an SSL certificate that is valid for your domain name.
To obtain a SSL certificat, there are 4 solutions :
- Generate a self-signed certificate. This is the simplest method, but that should not be used in production. Moreover, in some cases this solution will not work. For example : this solution will not work with remote connections (used for RemoteApp) on Windows 7 or with Citrix Receiver, ... who will consider these certificates as invalid because they do not come from a trusted CA (Certification Authority).
- Install a Windows Server or a Linux certification authority, and create your own certificate with your certification authority. This solution allows you to secure your servers in your intranet (local network), for free of charge. It can therefore be used in an internal network in an enterprise, for example. This solution not cause any problems if the certification authority certificate is added to the client computer certificate store.
If the client computers are connected to an Active Directory, it's possible to do this automatically using a GPO : Distribute the certificate of authority to the Active Directory clients via a GPO.
If not, do it manually : Import a certificate (a root CA) in Windows Certificate Trust
- Buy a certificate from a certification authority recognized by all operating systems (including : Windows, Linux, Mac, Android, iOS, Windows Phone, ...).
For trusted certificate authorities, you will find : GeoTrust, Symantec SSL (formerly VeriSign), Gandi SSL, ...
Certificates bought through these certificate authorities, will not cause any problems (no warning when accessing the website or the service secured by SSL). However, prices are not affordable for anyone.
- Obtain a certificate for free from a certification authority like StartSSL.
Advantages : no warning when accessing the website or the service secured by SSL and no money to spend.
This is the solution that we will use in this tutorial.
- Register on StartSSL
- Validation of your email address or your domain name
- Generate a certificate for a linux web server
- Login again in your StartSSL account
- Secure Apache with the SSL certificate
- Test the certificate and the https protocol
To start, go to "StartSSL", click the icon (with the key) at the top right and click "Sign-up".
If StartSSL doesn't display this page, try again tomorrow or in a few days. It depends on the number of registrations they have to process.
Otherwise, complete the form with the real information. If you provide false information, your registration will be denied.
Enter the code that you received on your e-mail address.
Once the code is validated, StartSSL invites you to install a certificate.
Particularity, on StartSSL, you login by using a SSL certificate and not by using a simple password. This certificate is the only key to access your StartSSL account. This certificate is installed in the certificate store of your web browser.
The certificate was installed.
As displayed, your client certificate (which thus serves as password) has been installed in your web browser.
To export the certificate installed in Mozilla Firefox, go to the menu (the icon representing 3 horizontal lines) -> Options -> Advanced -> Certificates -> View Certificates.
In the "Your Certificates" tab, you will find a "StartCom" certificate (which corresponds to the company managing StartSSL).
Select the certificate and click on "Save".
Note : For other web browsers, see the StartSSL documentation : How do I backup my client certificates ?
Specify a password to protect the certificate.
The client certificate is exported.
After backing up client certificates, click "Control Panel".
As shown in this picture, you first have to validate your e-mail address or your domain name. To do this, click on "Validation Wizard".
Select the type of validation to perform. In our case, we will validate our domain name.
Enter your domain name (don't indicate the sub-domain in this box).
The certification authority will consult the whois of your domain to show you a list of e-mail.
Note : These include e-mail addresses :
- of the owner (Registrant)
- of the administrative contact
- of the technical contact
Specify the verification code that you received on the e-mail address selected in the previous step.
Your domain name is validated.
In our case, we will generate a certificate that will be used for a Linux web server (Apache).
Specify a password to protect the private key of the certificate and changing the size of the key (if necessary).
Copy this text in a "ssl.key" file and click "Continue".
As displayed, you can decrypt the private key if you wish by using the command "openssl rsa -in ssl.key -out ssl.insecure.key". This command allows you to restart a server without retyping the password at every server restart (in our case : the Apache web server). By against, you shouldn't store the decrypted file on your hard drive.
- If you use KeePass, which is a secure password manager, you can copy the text in the comment of a new entry.
If necessary, read our tutorial : KeePass - Store your passwords securely
- If you use TrueCrypt, you can store the certificate and the private key in an encrypted file.
If necessary, read our tutorial : TrueCrypt - Encrypt your data securely to prevent theft of confidential data
Then, select the domain for which you want to get a valid SSL certificate.
Enter the sub-domain for which the certificate must be signed.
Note : As mentioned, this SSL Certificate will be valid for the specified subdomain AND for the domain alone.
Copy this text in a "ssl.crt" file.
Note : As mentioned, this certificate is in PEM format (linux).
Now, you have your SSL certificate and its associated private key.
Note : The certificate can't be used without its associated private key.