Personal website now runs over https. Cheap SSL certificate from ClickSSL.

I wrote a personal single-page web application and decided to set up an SSL certificate and run it over https, not http. I set up the web server and iptables to listen on port 443. But when I accessed my application using https, I got a bright red screen warning me of security certificate issues for the web site.


I guess I don’t really need to get a certificate.  All I have to do is click “proceed anyway” and everything would still work. My app would be running over the Internet encrypted.  I didn’t like the user experience; I wanted to be able to use my app from any browser, securely.  So I decided to research registering my URL for an SSL certificate.

I picked the reseller service called ClickSSL. They sell all kinds of SSL certificates ranging from $11.95/yr up to $274/yr; there’s a range of services and security levels. I picked their service called RapidSSL. It was the cheapest and promised easy setup. I learned that it builds upon the GeoTrust branded SSL infrastructure.

SSL Certificate Setup Process

So I am not sure how much I want to restate right here, but the SSL setup process is complicated.  I had no idea what I was doing, so I totally followed the setup HOWTOs found at the RapidSSL website.

The first step is running a tool on your server (I use Apache on Win7, tool name: genrsa). The tool is used to generate a Private Key. I named the output file my_domain_com.key. The key file (excerpt only) looks something like this:

-----BEGIN RSA PRIVATE KEY-----
MIIEpQIBAAKCAQEAwUjy+PuNKKEcMyk0aRAzvRB4VRpJyHUhHGFxW4PVJwrTD7by
DlFsk1jYB5L6KRzv8pVv82jDax1gvb6TDk0Hiv9uLAynAno+MmoinXwVTatpClgN
...
-----END RSA PRIVATE KEY-----

The next step is to create a Certificate Signing Request (CSR); I used a tool called openssl. It used my key file from the previous step. The CSR contains your public key. This is what is sent to GeoTrust; the Private Key is kept secure on your Apache server. I named the file the CSR tool generated my_domain_com.csr. The CSR file contains:

-----BEGIN CERTIFICATE REQUEST-----
MIICrDCCAZQCAQAwZzELMAkGA1UEBhMCVVMxETAPBgNVBAgTCElsbGlub2lzMRMw
EQYDVQQHEwpOYXBlcnZpbGxlMQ0wCwYDVQQKEwRzZWxmMSEwHwYDVQQDExhjaXNj
...
-----END CERTIFICATE REQUEST-----

The next step in the process points you to the SSL Certificate application webpage; it prompts you for a bunch of server information, including your fully qualified domain name and a credit card number. It asks you to cut and paste your CSR (public key) into a web form. I submitted the SSL application.

You get a web page asking for an email address to which a verification / authorization request can be mailed. Note: this cannot be just any email address; it must be an administrator who sits on your FQDN. For me, I picked [email protected]. The SSL service sends an email with a link to a reply web page. It will send you this email once a day for several days until you reply. Once you reply, someone does some kind of manual check, and then a day or so later you get an email with your SSL certificate.

The SSL certificate looks like this:

Your RapidSSL certificate:

-----BEGIN CERTIFICATE-----
MIIFNjCCBB6gAwIBAgIDCSa+MA0GCSqGSIb3DQEBBQUAMDwxCzAJBgNVBAYTAlVT
MRcwFQYDVQQKEw5HZW9UcnVzdCwgSW5jLjEUMBIGA1UEAxMLUmFwaWRTU0wgQ0Ew
HhcNMTIxMTExMTEwMjI1WhcNMTMxMjE0MjA0OTAxWjCBxzEpMCcGA1UEBRMgdUlJ
aG5RNkdjeG52RnA4WjFYcFlFMTdnTFdHWkZiZTkxEzARBgNVBAsTCkdUMDgyMDY2
...
-----END CERTIFICATE-----

This certificate is what you paid the money for. You need to save it in a file (I named mine my_domain_com.crt). The file needs to be installed into your Apache web server. Also, you will get a pointer to an Intermediate CA Bundle file. This file (e.g. my_domain_com.ca-bundle) needs to be saved into your Apache web server, too. I followed the RapidSSL Instructions titled: Install certificate in Apache.

There were a few updates that were needed, but for me, the most important point was to remember the changes to the httpd-ssl.conf file:

SSLCertificateFile "C:/Program Files/Apache Software Foundation/Apache2.2/conf/my_domain_com.crt"
SSLCertificateKeyFile "C:/Program Files/Apache Software Foundation/Apache2.2/conf/my_domain_com.key"
SSLCertificateChainFile "C:/Program Files/Apache Software Foundation/Apache2.2/conf/my_domain_com.ca-bundle"
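
The key, CSR and certificate steps above, as an added example (not from the original post or the RapidSSL instructions): shell functions that create the key and CSR with openssl and then confirm that a CSR or certificate really belongs to the private key before Apache is pointed at them. It assumes openssl is on the PATH and that files use the post's .key/.csr/.crt extensions; the function names and the subject string are hypothetical.

```shell
#!/bin/sh
# Added example. File names follow the post; the subject passed in by the
# caller is an assumption (use your own FQDN).

# Steps 1 and 2: private key, then a CSR built from it.
# $1 = base name (e.g. my_domain_com), $2 = subject (e.g. "/CN=www.example.com")
make_key_and_csr() {
    # umask 077: the key file is created readable by its owner only.
    ( umask 077 && openssl genrsa -out "$1.key" 2048 2>/dev/null ) &&
        openssl req -new -key "$1.key" -subj "$2" -out "$1.csr"
}

# Subject line of a CSR, to confirm the FQDN before pasting it into the form.
csr_subject() {
    openssl req -in "$1" -noout -subject
}

# Print the public key (PEM) held in a private key, CSR or certificate.
pubkey_pem() {
    case "$1" in
        *.key) openssl pkey -in "$1" -pubout ;;
        *.csr) openssl req  -in "$1" -noout -pubkey ;;
        *.crt) openssl x509 -in "$1" -noout -pubkey ;;
        *)     echo "unknown file type: $1" >&2; return 2 ;;
    esac
}

# True only if both files carry the same public key, i.e. the CSR or
# certificate belongs to this private key. Fails closed on unreadable input.
same_keypair() {
    k=$(pubkey_pem "$1") || return 1
    c=$(pubkey_pem "$2") || return 1
    [ -n "$k" ] && [ "$k" = "$c" ]
}

# Typical use, with the post's file names:
#   make_key_and_csr my_domain_com "/CN=www.example.com"
#   csr_subject my_domain_com.csr
#   same_keypair my_domain_com.key my_domain_com.crt && echo "certificate matches key"
```

If `same_keypair` fails for the issued .crt, the certificate was issued for a different key than the one named in SSLCertificateKeyFile.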
