Roel's public bookmarks
Certificates are used to secure connections for your website (or other connections) by encrypting your network traffic. They were originally called SSL certificates, but the associated SSL (Secure Sockets Layer) protocols are not considered safe anymore. SSL is now replaced by TLS (Transport Layer Security), but the use of certificates containing public and/or private encryption keys is largely the same. Note that the cryptography used to protect the certificates did advance too.
Certificates contain the 'encryption keys' needed to establish encrypted connections. For https, your web server needs to have 'the private key' and the web browser needs to have 'the public key'. Your browser gets the website's public key from your web server as part of your web server certificate. A web server certificate is basically your public key plus some metadata, 'signed' by a Certificate Authority (CA).
In order for a web browser to accept your certificate (with your website's public key) as valid, you need to have your certificate 'signed'. This signing is done by generating a Certificate Signing Request (CSR), uploading that to a CA, doing some 'paperwork' to prove you are the domain owner, and then waiting for the certificate to be ready.
In the early days, you needed to get a signed and trusted certificate from a Certificate Authority by sending them a certificate signing request (CSR) file, and after some time (the CA performing some checks and you paying them some money) you would get your signed certificate back.
Nowadays much of this process can be automated, e.g. by using Let's Encrypt as a CA, but there are others. There are tools to help you do that. I use certbot to request and renew my certificates, and that process is automated.
To provide some context: for this story I use a computer running Arch Linux and the commands are executed from within a terminal window. I used the notes I made while refreshing my website certificates a few years back.
The steps in this process are needed to manually create a key, create a signing request, have your certificate signed by a CA and then combine the key and certificate in your web server configuration.
Create a 2048-bit RSA key, to be used for the certificate, in a file named 'example.com.key' (PEM encoded):
openssl genrsa -out example.com.key 2048
Or do the same using the newer syntax (genrsa is deprecated; note that genpkey takes the key size as a -pkeyopt, not as a trailing number):
openssl genpkey -algorithm RSA -pkeyopt rsa_keygen_bits:2048 -out example.com.key
This example will not ask you for a passphrase. Remember that without a passphrase, the PEM file with your key pair is unprotected (anyone who can read the file can impersonate your server). However, you need a PEM file without a passphrase for the web server to start automatically. You can add a passphrase if you wish: just add '-aes256' to the command (in the genrsa form, before the final 2048) to protect your PEM file with a passphrase.
Create a certificate signing request in a file named 'example.com.csr':
openssl req -new -nodes -sha256 -key example.com.key -out example.com.csr
It will ask you for some more input, but only your country (e.g. NL) and the 'Common Name', i.e. the name of your server (e.g. www.example.com), are relevant. The other fields might be relevant, but are not used for domain validated certificates like the ones you could get for free from (the now defunct) StartSSL.
Combining the generation of the key and the signing request in one command is also possible, like this:
openssl req -sha256 -newkey rsa:2048 -nodes -keyout example.com.key -out example.com.csr -subj '/C=NL/CN=www.example.com'
Send the signing request to the CA to have your certificate signed (usually by copy/pasting the content of the CSR file into a web page and answering some questions). Your private key is not in the signing request (only the public key and the subject fields are), so it does not leave your computer.
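The whole procedure above as one script, added here as an example (it is not from the original notes): it generates the key with the newer genpkey syntax, creates the CSR non-interactively, then does the two checks you want before pasting anything to a CA: that the CSR's own signature verifies, and that the CSR really belongs to the private key you think it does (the same comparison later tells you which key file goes with a signed certificate). The host name www.example.com and the country NL are placeholders; it assumes an openssl binary (1.1 or newer) on the PATH.

```shell
#!/bin/sh
# Added example, not part of the original page. Assumes openssl >= 1.1 on PATH.
# "www.example.com" / "NL" are placeholder values, not a real deployment.
set -eu

# make_key_and_csr DIR NAME CN : writes DIR/NAME.key (PEM, no passphrase,
# so a web server can start unattended) and DIR/NAME.csr.
make_key_and_csr() {
    dir=$1; name=$2; cn=$3
    # umask 077 in a subshell: the key file is never world-readable, not even briefly.
    (umask 077 && openssl genpkey -algorithm RSA -pkeyopt rsa_keygen_bits:2048 \
        -out "$dir/$name.key" 2>/dev/null)
    # The CSR carries only the public key and subject; the private key stays local.
    openssl req -new -sha256 -key "$dir/$name.key" -out "$dir/$name.csr" \
        -subj "/C=NL/CN=$cn" 2>/dev/null
}

# csr_self_check CSRFILE : prints "ok" if the CSR's self-signature verifies,
# i.e. the file was not truncated or mangled while copying it around.
csr_self_check() {
    if openssl req -in "$1" -verify -noout >/dev/null 2>&1; then
        echo ok
    else
        echo bad
    fi
}

# csr_matches_key KEYFILE CSRFILE : prints "match" or "mismatch".
# Derives the public key from the private key and compares it with the
# public key embedded in the CSR. For a signed certificate use
#   openssl x509 -in cert.pem -pubkey -noout
# in place of the "openssl req ... -pubkey" line; hashing both outputs
# (e.g. with openssl sha256) is the common one-liner variant of this check.
csr_matches_key() {
    key_pub=$(openssl pkey -in "$1" -pubout 2>/dev/null) || key_pub=
    csr_pub=$(openssl req -in "$2" -pubkey -noout 2>/dev/null) || csr_pub=
    if [ -n "$key_pub" ] && [ "$key_pub" = "$csr_pub" ]; then
        echo match
    else
        echo mismatch
    fi
}

# Demo run in a throw-away directory (skipped when openssl is not installed).
if command -v openssl >/dev/null 2>&1; then
    demo_dir=$(mktemp -d)
    make_key_and_csr "$demo_dir" example.com www.example.com
    echo "CSR signature : $(csr_self_check "$demo_dir/example.com.csr")"
    echo "key/CSR pair  : $(csr_matches_key "$demo_dir/example.com.key" "$demo_dir/example.com.csr")"
    # A second, unrelated key must be reported as a mismatch.
    make_key_and_csr "$demo_dir" other other.example.com
    echo "wrong key     : $(csr_matches_key "$demo_dir/other.key" "$demo_dir/example.com.csr")"
    rm -rf "$demo_dir"
fi
```

Run it with sh and inspect the CSR afterwards with openssl req -in example.com.csr -noout -text; the "mismatch" line is what you will see when a renewed certificate is installed next to an old key file, which is the situation the debugging bookmark further down is about.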
Congrats, you have a Web server!
Transform your plain text into static websites and blogs
Visual selection of CSS color names
Create high resolution icons that let your sites shine
Home of Nginx
Nginx as a Secure Web Server with HTTP, HTTPS and SSL Examples
Some info about creating and handling SSL certificates
Using systemd Timers to Renew Let’s Encrypt Certificates
Using SSL/TLS Certificates from Let's Encrypt with Nginx
Strong SSL/TLS Cryptography in Apache and Nginx
SSL on nginx for performance and security (older)
Secure settings for SSL on nginx
The difference between DV and EV SSL certificates, and how both are basically fine
Debugging SSL certificates, for if you mess up and need to find the right key file for your cert file
Some more info about requesting SSL certificates
Why we need Forward Secrecy now
CAcert.org is a community-driven Certificate Authority that issues certificates to the public at large for free.
Cryptography Tutorials - Herong's Tutorial Examples