(click for larger view)

I guess I don’t really need to get a certificate.  All I have to do is click “proceed anyway” and everything would still work. My app would be running over the Internet encrypted.  I didn’t like the user experience; I wanted to be able to use my app from any browser, securely.  So I decided to research registering my URL for an SSL certificate.

I picked the reseller service called ClickSSL. They sell all kinds of SSL certificates ranging from $11.95/yr upto $274/yr; there’s a range of services and security levels.  I picked their service called RapidSSL.  It was the cheapest and promised easy setup.  I learned that it’s building upon the GeoTrust branded SSL infrastructure.

SSL Certificate Setup Process

So I am not sure how much I want to restate right here, but the SSL setup process is complicated.  I had no idea what I was doing, so I totally followed the setup HOWTOs found at the RapidSSL website.

The first step is running a tool on your server (I use Apache on Win7, tool name: genrsa).  The tool is used to generate a Private Key. I named the output file my_domain_com.key. The key files (excerpt only) looks sort of like this:

-----BEGIN RSA PRIVATE KEY-----
MIIEpQIBAAKCAQEAwUjy+PuNKKEcMyk0aRAzvRB4VRpJyHUhHGFxW4PVJwrTD7by
DlFsk1jYB5L6KRzv8pVv82jDax1gvb6TDk0Hiv9uLAynAno+MmoinXwVTatpClgN
...
-----END RSA PRIVATE KEY-----

The next step is to create a Certificate Signing Request (CSR); I used a tool called openssl.  It used my key file from the previous step.  The CSR is your public key.  This is what is sent to GeoTrust; the Private Key is kept secure on your apache server.  The CSR tool generated file, I named it my_domain_com.csr. The CSR file contains:

-----BEGIN CERTIFICATE REQUEST-----
MIICrDCCAZQCAQAwZzELMAkGA1UEBhMCVVMxETAPBgNVBAgTCElsbGlub2lzMRMw
EQYDVQQHEwpOYXBlcnZpbGxlMQ0wCwYDVQQKEwRzZWxmMSEwHwYDVQQDExhjaXNj
...
-----END CERTIFICATE REQUEST-----

The next step in the process points you to the  SSL Certificate application webpage; it prompts you for a bunch of server information, including your fully qualified domain name and a credit card number.  It asks you to cut and paste your CSR (pubic key) into a web form. I submitted SSL application.

You get a web page asking  for an email address for from which a verification / authorization request can be mailed.    Note: this cannot be any email address, but it must be an administrator who sits on your FQDN.  For me, I picked admin@domain.com.  The SSL service sends an email with a link to a reply web page.  It will send you this email once a day for several days until you reply.  Once you reply, someone does some kind of manual check, and then a day or so later you get an email with your SSL certificate.

The SSL certificate looks like this:

Your RapidSSL certificate:

-----BEGIN CERTIFICATE-----
MIIFNjCCBB6gAwIBAgIDCSa+MA0GCSqGSIb3DQEBBQUAMDwxCzAJBgNVBAYTAlVT
MRcwFQYDVQQKEw5HZW9UcnVzdCwgSW5jLjEUMBIGA1UEAxMLUmFwaWRTU0wgQ0Ew
HhcNMTIxMTExMTEwMjI1WhcNMTMxMjE0MjA0OTAxWjCBxzEpMCcGA1UEBRMgdUlJ
aG5RNkdjeG52RnA4WjFYcFlFMTdnTFdHWkZiZTkxEzARBgNVBAsTCkdUMDgyMDY2
...
-----END CERTIFICATE-----

This certificate is what you paid the money for.  You need to save it in a file (I named mine my_domain_com.crt).  The file needs to be installed into your Apache web server. Also, you will get a pointer to a Intermediate CA Bundle file.  This file (eg my_domain_com.ca-bundle); this file needs to be saved into your Apache web server, too.  I followed the RapidSSL Instructions titled: Install certificate in Apache

There were a few updates that were need, but for me, the most important point was to remember the changes to the httpd-ssl.conf file:

SSLCertificateFile "C:/Program Files/Apache Software Foundation/Apache2.2/conf/my_domain_com.crt"
SSLCertificateKeyFile "C:/Program Files/Apache Software Foundation/Apache2.2/conf/my_domain_com.key"
SSLCertificateChainFile "C:/Program Files/Apache Software Foundation/Apache2.2/conf/my_domain_com.ca-bundle"

The post Personal website now runs over https. Cheap SSL certificate from ClickSSL. appeared first on JackKozik.com.