{"id":6544,"date":"2013-11-01T16:33:22","date_gmt":"2013-11-01T23:33:22","guid":{"rendered":"http:\/\/www.analogrithems.com\/rant\/?p=6544"},"modified":"2013-11-01T16:34:53","modified_gmt":"2013-11-01T23:34:53","slug":"generating-keys-certificate-requests-self-signed-certs-verifying-openssl","status":"publish","type":"post","link":"https:\/\/www.analogrithems.com\/rant\/generating-keys-certificate-requests-self-signed-certs-verifying-openssl\/","title":{"rendered":"Generating Keys, Certificate Requests, Self Signed Certs and Verifying them with OpenSSL"},"content":{"rendered":"<p>I spin up a lot of sites and after the work is all done the PM comes to me at launch and informs me he never got the required certificate he was supposed to. Then he asks me to create it for him. This happens so much I feel like it&#8217;s time to write a blog post to explain to him how to do it on his mac sitting right in front of him. Feel free to send this link to your users that are constantly asking you to do these tasks as well.<\/p>\n<p>First you need to understand the basic overview of how HTTPS (SSL\/TLS) works. To get an SSL certificate you need to create three things. First the private key: the webserver uses this private key to prove its identity in the TLS handshake (and, with the older RSA key exchange, to decrypt the session secret the browser sends). You then use this private key to generate a certificate signing request, or CSR. The CSR contains your public key and your identity details (domain name, organization and so on) and is signed with your private key; it is the formal request that goes to the CA (the certificate authority, the organization that issues you the actual certificate) of your choosing. The CA is then supposed to verify you are who you say you are, then they sign a certificate for the public key in your CSR and return it to you. This returned file is the certificate.<\/p>\n<p>Note the following commands assume you have the openssl tools installed on your computer. If you are using a mac or linux computer these are usually installed by default.<\/p>\n<h2>Step 1) Generate a private Key<\/h2>\n<pre>openssl req -new -newkey rsa:2048 -nodes -keyout yourdomain.com.key<\/pre>\n<p>This is going to create a new RSA key that is 2048 bits long and has no passphrase (-nodes, short for no DES, meaning the key file is written unencrypted). If you require a passphrase on your key omit the -nodes. Note that if your key has a passphrase you will need to be there to enter the password into your webserver each time it restarts. Because this is an openssl req command it also builds a CSR from the new key and prints it to the terminal, so it is going to ask you several questions such as Country, State, City, Organization Name, Organizational Unit Name, Common Name etc. (Step 2 below regenerates the CSR from the saved key file, so you can ignore the copy printed here.) The country name should just be the two letter abbreviation, everything else should be the full name (do not abbreviate). The common name is the most important part of this step. This needs to be the exact domain name you want for the certificate. So if your site is www.yourdomain.com your common name should be <strong>www.yourdomain.com<\/strong>; when the CSR is created that is the domain the CA is going to verify against. Most CAs are nice enough to make your certificate work with www and with just the base name. Be sure to ask them to do that as it is very helpful. Note that modern browsers match the hostname against the certificate&#8217;s Subject Alternative Name extension rather than the common name, so check that every name you need (www and the bare domain) appears in the SAN of the issued certificate.<\/p>\n<p>Last, you should be very careful with this key file. It is your secret key: it is what lets your server prove it owns the certificate, and whoever holds it can impersonate your site (and, with RSA key exchange, decrypt captured traffic). If someone else gets this then your SSL is useless. Keep the file readable only by root or the webserver user, and the only person you should ever share this private key with is your hosting company. They will need the key and the final cert to install into the webserver that will host your site.<\/p>\n<h2>Step 2) Create a CSR from your key<\/h2>\n<pre>openssl req -out yourdomain.com.csr -key yourdomain.com.key -new<\/pre>\n<p>This command takes the previously created key and prepares the CSR we discussed earlier. The <strong>yourdomain.com.csr<\/strong> will be the file you send to the CA to verify. It contains only your public key and your identity details, never the private key, so it is safe to send.<\/p>\n<h2>Step 3) Create a self signed certificate<\/h2>\n<p>If you will not be using an official certificate authority to sign your certificate then you can just do the famous self signed. If you have a self signed certificate then you will get a warning when visiting the site that the certificate could not be validated. What does that mean? It&#8217;s simple: browsers have a list of Certificate Authorities they trust, and you are not one of them, so by default they can&#8217;t say you are trusted. Your data is still encrypted, it&#8217;s just saying you made this certificate yourself and nobody verified you are who you say you are. That also means the browser cannot tell your certificate from one an attacker made for the same name, so a self signed certificate is only appropriate for testing or for clients you explicitly configure to trust that exact certificate; do not teach users to click through the warning on a production site.<\/p>\n<pre>openssl req -x509 -nodes -days 365 -newkey rsa:2048 -keyout yourdomain.com.key -out yourdomain.com.crt<\/pre>\n<p>This generates a fresh 2048 bit key and a certificate for it signed with that same key, valid for 365 days, in one step. It asks the same questions as Step 1, and it overwrites yourdomain.com.key if you already created one, so run it in a separate directory if you want to keep the key from Step 1.<\/p>\n","protected":false},"excerpt":{"rendered":"<p>I spin up a lot of sites and after the work is all done the PM comes to me at launch and informs me he never got the required certificate he was supposed to. Then he asks me to create it for him. This happens so much I feel like it&#8217;s time to write a [&hellip;]<\/p>\n","protected":false},"author":2,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[36],"tags":[167,166],"class_list":["post-6544","post","type-post","status-publish","format-standard","hentry","category-security","tag-openssl","tag-ssl"],"_links":{"self":[{"href":"https:\/\/www.analogrithems.com\/rant\/wp-json\/wp\/v2\/posts\/6544","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/www.analogrithems.com\/rant\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.analogrithems.com\/rant\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.analogrithems.com\/rant\/wp-json\/wp\/v2\/users\/2"}],"replies":[{"embeddable":true,"href":"https:\/\/www.analogrithems.com\/rant\/wp-json\/wp\/v2\/comments?post=6544"}],"version-history":[{"count":2,"href":"https:\/\/www.analogrithems.com\/rant\/wp-json\/wp\/v2\/posts\/6544\/revisions"}],"predecessor-version":[{"id":6546,"href":"https:\/\/www.analogrithems.com\/rant\/wp-json\/wp\/v2\/posts\/6544\/revisions\/6546"}],"wp:attachment":[{"href":"https:\/\/www.analogrithems.com\/rant\/wp-json\/wp\/v2\/media?parent=6544"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.analogrithems.com\/rant\/wp-json\/wp\/v2\/categories?post=6544"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.analogrithems.com\/rant\/wp-json\/wp\/v2\/tags?post=6544"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}
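The whole procedure from the post (Step 1 key, Step 2 CSR, Step 3 self-signed certificate) followed by the verification its title promises, as an added example that is not part of the original post. It assumes the openssl command line tool (1.1.1 or newer, for -addext) is on PATH with its default config, and it uses a made-up domain www.yourdomain.com and a made-up Example Corp subject; the DOMAIN and OUT variables, and all function names, are this example's own. It goes beyond the post in two ways: the key is produced with openssl genrsa so that Step 1 emits only the key, and both the www and bare names are placed in the Subject Alternative Name extension that browsers actually check. verify_set then confirms that the key, CSR and certificate all carry the same public key before anything is sent to a CA or handed to a hosting company.

```shell
#!/bin/sh
# Added example, not from the original post: carry out Steps 1-3 for a
# placeholder domain and then verify that the key, CSR and certificate belong
# together. Assumes the openssl CLI (1.1.1 or newer, for -addext) with its
# default config is on PATH. The domain and subject below are made up.
set -eu

DOMAIN="${DOMAIN:-www.yourdomain.com}"      # assumed placeholder name
BASE="${DOMAIN#www.}"                        # bare name, e.g. yourdomain.com
SUBJ="/C=US/ST=California/L=San Francisco/O=Example Corp/CN=$DOMAIN"  # assumed DN
SAN="subjectAltName=DNS:$DOMAIN,DNS:$BASE"   # browsers match on SAN, not CN

# Step 1: a 2048-bit RSA private key with no passphrase, readable only by us.
# (genrsa writes just the key; the post's "req -newkey" form also prints a CSR.)
gen_key() {  # $1 = key file
    openssl genrsa -out "$1" 2048 2>/dev/null
    chmod 600 "$1"
}

# Step 2: a CSR for the key. -subj answers the interactive questions and
# -addext puts both names into the SAN so the CA has what it needs.
gen_csr() {  # $1 = key file, $2 = csr file
    openssl req -new -key "$1" -out "$2" -subj "$SUBJ" -addext "$SAN"
}

# Step 3: a self-signed certificate for the same key, valid for 365 days.
gen_selfsigned() {  # $1 = key file, $2 = cert file
    openssl req -x509 -days 365 -key "$1" -out "$2" -subj "$SUBJ" -addext "$SAN"
}

# SHA-256 of the public key inside a .key, .csr or .crt file. All three must
# match, otherwise the files were not made from the same private key.
pubkey_fp() {  # $1 = file; prints 64 hex characters
    case "$1" in
        *.key) openssl pkey -in "$1" -pubout ;;
        *.csr) openssl req -in "$1" -noout -pubkey ;;
        *.crt) openssl x509 -in "$1" -noout -pubkey ;;
    esac | openssl dgst -sha256 | awk '{print $NF}'
}

# Check the files in directory $1: CSR self-signature, certificate signature,
# matching public keys, the expected CN, and the bare name in the SAN.
# Returns 0 when everything agrees, 1 at the first inconsistency.
verify_set() {
    k="$1/$DOMAIN.key"; c="$1/$DOMAIN.csr"; x="$1/$DOMAIN.crt"
    openssl req -in "$c" -noout -verify >/dev/null 2>&1 || return 1
    openssl verify -CAfile "$x" "$x" >/dev/null 2>&1 || return 1
    [ "$(pubkey_fp "$k")" = "$(pubkey_fp "$c")" ] || return 1
    [ "$(pubkey_fp "$k")" = "$(pubkey_fp "$x")" ] || return 1
    openssl req -in "$c" -noout -subject | grep -q "CN *= *$DOMAIN" || return 1
    openssl x509 -in "$x" -noout -text | grep -q "DNS:$BASE" || return 1
}

# Run Steps 1-3 into directory $1.
make_set() {
    mkdir -p "$1"
    gen_key "$1/$DOMAIN.key"
    gen_csr "$1/$DOMAIN.key" "$1/$DOMAIN.csr"
    gen_selfsigned "$1/$DOMAIN.key" "$1/$DOMAIN.crt"
}

# When run directly: build a set in a scratch directory and verify it.
OUT="${OUT:-$(mktemp -d)}"
make_set "$OUT"
if verify_set "$OUT"; then
    echo "key, CSR and certificate for $DOMAIN agree (files in $OUT)"
else
    echo "key, CSR and certificate in $OUT do NOT agree" >&2
    exit 1
fi
```

The public-key comparison is the check that catches the most common real-world mistake: a CSR generated from one key and a certificate installed next to a different key (for example after Step 3 silently overwrote the Step 1 key). The openssl verify call only proves the certificate is signed by the key it claims, which for a self-signed certificate is always itself; the fingerprint match proves it is signed by the key you are actually deploying.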