Roel's public bookmarks
Certificates are used to secure connections to your website (or other connections) by encrypting your network traffic. They were originally called SSL certificates, but the associated SSL (Secure Sockets Layer) protocols are no longer considered safe. SSL has been replaced by TLS (Transport Layer Security), but the use of certificates containing public and/or private encryption keys is largely the same. Note that the cryptography used to protect the certificates has advanced too.
Certificates contain the 'encryption keys' to establish encrypted connections. For https, your webserver needs to have 'the private key' and the webbrowser needs to have 'the public key'. Your browser can get the website's public key from your webserver as part of your webserver certificate. A webserver certificate is basically your public key with some metadata 'signed' by a Certificate Authority.
In order for a webbrowser to accept your certificate (with your website's public key) as valid, you need to have your certificate 'signed'. This is done by generating a Certificate Signing Request (CSR), uploading it to a CA, doing some 'paperwork' to prove you are the domain owner, and then waiting for the certificate to be ready.
To provide some context: I am using a computer running Arch Linux. The example code is executed from within a terminal window. I used the notes I made while refreshing my website certificates a few years back. These commands are needed to create your certificates manually and have them signed. Now I use certbot to request and renew my certificates.
As an exercise, I try to make my website as secure as possible by getting a certificate conforming to the latest insights and allowing only secure ciphers and protocols.
Create a keypair to be used for a 2048 bit certificate into a file named 'example.com.key' (PEM encoded)
openssl genrsa -out example.com.key 2048
Or do the same using the newer syntax (genrsa is deprecated):
openssl genpkey -algorithm RSA -out example.com.key -pkeyopt rsa_keygen_bits:2048
This example will not ask you for a passphrase. Remember that without a passphrase, the PEM file with your keypair is unprotected. However, you need a PEM file without a passphrase for the webserver to start automatically. You can add a passphrase if you wish: add '-aes256' before the final 2048 in the genrsa command to protect your PEM file with a passphrase.
Create a certificate signing request into a file named 'example.com.csr'
openssl req -new -nodes -sha256 -key example.com.key -out example.com.csr
It will ask you for some more input, but only your country (e.g. NL) and the 'Common Name', i.e. the name of your server (e.g. www.example.com), are relevant. The other fields might be relevant, but are not used for e.g. the domain-validated certificates you get for free from StartSSL.
Combining the generation of the keypair and the signing request in one command is also possible, like this:
openssl req -sha256 -newkey rsa:2048 -nodes -keyout example.com.key -out example.com.csr -subj '/C=NL/CN=www.example.com'
Send the signing request to the CA to sign your certificate (usually by copy/pasting the content of the CSR file into a webpage and answering some questions). Your private key will not be in the signing request, so it does not leave your computer.
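The whole procedure above in one script, as an added example (not part of Roel's original notes), with the check worth running before pasting the CSR into the CA's form: confirm that the CSR's public key really belongs to the private key on disk and that the Common Name is the one you intended. It assumes openssl is on PATH; example.com and the subject fields are placeholders.

```shell
#!/bin/sh
# Added example, not from the original notes. Generates the keypair and CSR in one
# step (as in the combined command above) and verifies the CSR before it is sent.
# Assumes 'openssl' is on PATH; example.com and /C=NL are placeholder values.
set -eu

# Generate a 2048-bit RSA key (no passphrase) and a SHA-256 CSR for Common Name $2,
# writing $1.key and $1.csr. Fails if openssl fails.
make_csr() {
    base="$1"; cn="$2"
    openssl req -sha256 -newkey rsa:2048 -nodes \
        -keyout "$base.key" -out "$base.csr" \
        -subj "/C=NL/CN=$cn" 2>/dev/null
}

# SHA-256 of the public key inside a private key file, in DER SubjectPublicKeyInfo form.
key_pub_fp() {
    openssl pkey -in "$1" -pubout -outform DER 2>/dev/null | openssl dgst -sha256 | awk '{print $NF}'
}

# SHA-256 of the public key inside a CSR, converted to the same DER form so hashes compare.
csr_pub_fp() {
    openssl req -in "$1" -pubkey -noout 2>/dev/null \
        | openssl pkey -pubin -outform DER 2>/dev/null | openssl dgst -sha256 | awk '{print $NF}'
}

# Return 0 when the CSR ($2) carries the public key belonging to private key $1.
csr_matches_key() {
    [ "$(key_pub_fp "$1")" = "$(csr_pub_fp "$2")" ]
}

# Print the Common Name from the CSR's subject.
csr_cn() {
    openssl req -in "$1" -noout -subject -nameopt RFC2253 | sed -n 's/.*CN=\([^,]*\).*/\1/p'
}

# Demonstration in a scratch directory; the CSR is what you would paste to the CA.
demo() {
    dir=$(mktemp -d)
    make_csr "$dir/example.com" www.example.com
    if csr_matches_key "$dir/example.com.key" "$dir/example.com.csr"; then
        echo "CSR matches private key, CN=$(csr_cn "$dir/example.com.csr")"
    else
        echo "CSR does NOT match private key" >&2
    fi
    rm -rf "$dir"
}
demo
```

The same key/CSR comparison works against an issued certificate by swapping `openssl req -in ... -pubkey` for `openssl x509 -in ... -pubkey`, which is the usual way to find the right key file for a given certificate.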
Congrats, you have a Web server!
Transform your plain text into static websites and blogs
Visual selection of CSS color names
Create high-resolution icons that let your sites shine
Home of Nginx
Nginx as a Secure Web Server with HTTP, HTTPS and SSL Examples
Some info about creating and handling SSL certificates
Using systemd Timers to Renew Let’s Encrypt Certificates
Using SSL/TLS Certificates from Let's Encrypt with Nginx
Strong SSL/TLS Cryptography in Apache and Nginx
SSL on nginx for performance and security (older)
Secure settings for SSL on nginx
The difference between DV and EV SSL certificates, and how both are basically fine
Debugging SSL certificates, for if you mess up and need to find the right key file for your cert file
Some more info about requesting SSL certificates
Why we need Forward Secrecy now
CAcert.org is a community-driven Certificate Authority that issues certificates to the public at large for free.
Cryptography Tutorials - Herong's Tutorial Examples