How To Install An SSL Certificate From A Commercial Certificate Authority - DigitalOcean

10/1/2015 HowToInstallanSSLCertificatefromaCommercialCertificateAuthority|DigitalOcean
Community Menu
By:MitchellAnicas 102 85
HowToInstallanSSLCertificatefromaCommercial
CertificateAuthority
Nov25,2014 Security,Apache,Nginx
Introduction
ThistutorialwillshowyouhowtoacquireandinstallanSSLcertificatefromatrusted,
commercialCertificateAuthority(CA).SSLcertificatesallowwebserverstoencrypttheir
traffic,andalsoofferamechanismtovalidateserveridentitiestotheirvisitors.Themain

benefitofusingapurchasedSSLcertificatefromatrustedCA,overself-signed
certificates,isthatyoursite'svisitorswillnotbepresentedwithascarywarningaboutnot
hingsinfrastructurefor
beingabletoverifyyoursite'sidentity.
SignUp
ThistutorialcovershowtoacquireanSSLcertificatefromthefollowingtrustedcertificate
authorities:
GoDaddy
https://www.digitalocean.com/community/tutorials/howtoinstallansslcertificatefromacommercialcertificateauthority 1/27
RapidSSL(viaNamecheap)
YoumayalsouseanyotherCAofyourchoice.
AfteryouhaveacquiredyourSSLcertificate,wewillshowyouhowtoinstallitonNginx
andApacheHTTPwebservers.
Prerequisites
ThereareseveralprerequisitesthatyoushouldensurebeforeattemptingtoobtainanSSL
certificatefromacommercialCA.Thissectionwillcoverwhatyouwillneedinordertobe
issuedanSSLcertificatefrommostCAs.
Money
SSLcertificatesthatareissuedfromcommercialCAshavetobepurchased.Free
alternativesincludeself-signedorStartSSLcertificates.However,self-signedcertificates
arenottrustedbyanysoftware,andfreeStartSSLcertificatescannotbeusedfor
commercialpurposes.
RegisteredDomainName
BeforeacquiringanSSLcertificate,youmustownorcontroltheregistereddomainname
thatyouwishtousethecertificatewith.Ifyoudonotalreadyhavearegistereddomain
name,youmayregisteronewithoneofthemanydomainnameregistrarsoutthere(e.g.
Namecheap,GoDaddy,etc.).
DomainValidationRights
Forthebasicdomainvalidationprocess,youmusthaveaccesstooneoftheemail
addressesonyourdomain'sWHOISrecordortoan"admintype"emailaddressatthe
domainitself.CertificateauthoritiesthatissueSSLcertificateswilltypicallyvalidatedomain
controlbysendingavalidationemailtooneoftheaddressesonthedomain'sWHOIS
record,ortoagenericadminemailaddressatthedomainitself.SomeCAsprovide
alternativedomainvalidationmethods,suchasDNS-orHTTP-basedvalidation,whichare
outsidethescopeofthisguide.
IfyouwishtobeissuedanOrganizationValidation(OV)orExtendedValidation(EV)SSL
certificate,youwillalsoberequiredtoprovidetheCAwithpaperworktoestablishthe
legalidentityofthewebsite'sowner,amongotherthings.
WebServer
Inadditiontothepreviouslymentionedpoints,youwillneedawebservertoinstallthe
SSLcertificateon.Thisistheserverthatisreachableatthedomainnameforwhichthe
SSLcertificatewillbeissuedfor.Typically,thiswillbeanApacheHTTP,Nginx,HAProxy,
orVarnishserver.Ifyouneedhelpsettingupawebserverthatisaccessibleviayour
registereddomainname,followthesesteps:
1. Setupawebserverofyourchoice.Forexample,aLEMP(Nginx)orLAMP(Apache)
server--besuretoconfigurethewebserversoftwaretousethenameofyour
registereddomain
2. Configureyourdomaintousetheappropriatenameservers.Ifyourwebserveris
hostedonDigitalOcean,thisguidecanhelpyougetsetup:HowToPointto
DigitalOcean'sNameserversfromCommonDomainRegistrars
3. AddDNSrecordsforyourwebservertoyournameservers.Ifyouareusing
DigitalOcean'snameservers,followthisguidetolearnhowtoaddtheappropriate
records:HowToSetUpaHostNamewithDigitalOcean
ChooseYourCertificateAuthority
IfyouarenotsureofwhichCertificateAuthorityyouaregoingtouse,thereareafew
importantfactorstoconsider.Atanoverviewlevel,themostimportantthingisthattheCA
youchooseprovidesthefeaturesyouwantatapricethatyouarecomfortablewith.This
sectionwillfocusmoreonthefeaturesthatmostSSLcertificatebuyersshouldbeaware
of,ratherthanprices.
RootCertificateProgramMemberships
ThemostcrucialpointisthattheCAthatyouchooseisamemberoftherootcertificate
programsofthemostcommonlyusedoperatingsystemsandwebbrowsers,i.e.itisa
"trusted"CA,anditsrootcertificateistrustedbycommonbrowsersandothersoftware.If
yourwebsite'sSSLcertificateissignedbyatrusted"CA,itsidentityisconsideredtobe
validbysoftwarethattruststheCA--thisisincontrasttoself-signedSSLcertificates,which
alsoprovideencryptioncapabilitiesbutareaccompaniedbyidentityvalidationwarnings
thatareoff-puttingtomostwebsitevisitors.
MostcommercialCAsthatyouwillencounterwillbemembersofthecommonrootCA
programs,andwillsaytheyarecompatiblewith99%ofbrowsers,butitdoesnothurtto
checkbeforemakingyourcertificatepurchase.Forexample,Appleprovidesitslistof
trustedSSLrootcertificatesforiOS8here.
CertificateTypes
EnsurethatyouchooseaCAthatoffersthecertificatetypethatyourequire.ManyCAs
offervariationsofthesecertificatetypesunderavarietyof,oftenconfusing,namesand
pricingstructures.Hereisashortdescriptionofeachtype:
SingleDomain:Usedforasingledomain,e.g. example.com .Notethatadditional

subdomains,suchas www.example.com ,arenotincluded
Wildcard:Usedforadomainandanyofitssubdomains.Forexample,awildcard
certificatefor *.example.com canalsobeusedfor www.example.com and

store.example.com
MultipleDomain:KnownasaSANorUCcertificate,thesecanbeusedwithmultiple
domainsandsubdomainsthatareaddedtotheSubjectAlternativeNamefield.For
example,asinglemulti-domaincertificatecouldbeusedwith example.com ,
www.example.com ,and example.net
Inadditiontotheaforementionedcertificatetypes,therearedifferentlevelsofvalidations
thatCAsoffer.Wewillcoverthemhere:
DomainValidation(DV):DVcertificatesareissuedaftertheCAvalidatesthatthe
requestorownsorcontrolsthedomaininquestion
OrganizationValidation(OV):OVcertificatescanbeissuedonlyaftertheissuing
CAvalidatesthelegalidentityoftherequestor
ExtendedValidation(EV):EVcertificatescanbeissuedonlyaftertheissuingCA
validatesthelegalidentity,amongotherthings,oftherequestor,accordingtoastrict
setofguidelines.Thepurposeofthistypeofcertificateistoprovideadditional
assuranceofthelegitimacyofyourorganization'sidentitytoyoursite'svisitors.EV
certificatescanbesingleormultipledomain,butnotwildcard
ThisguidewillshowyouhowtoobtainasingledomainorwildcardSSLcertificatefrom
GoDaddyandRapidSSL,butobtainingtheothertypesofcertificatesisverysimilar.
AdditionalFeatures
ManyCAsofferalargevarietyof"bonus"featurestodifferentiatethemselvesfromtherest
oftheSSLcertificate-issuingvendors.Someofthesefeaturescanendupsavingyou
money,soitisimportantthatyouweighyourneedsagainsttheofferingscarefullybefore
makingapurchase.Exampleoffeaturestolookoutforincludefreecertificatereissuesor
asingledomain-pricedcertificatethatworksfor www. andthedomainbasename,e.g.

www.example.com withaSANof example.com
GenerateaCSRandPrivateKey
Afteryouhaveallofyourprerequisitessortedout,andyouknowthetypeofcertificate
youwanttoget,it'stimetogenerateacertificatesigningrequest(CSR)andprivatekey.
IfyouareplanningonusingApacheHTTPorNginxasyourwebserver,use openssl to
generateyourprivatekeyandCSRonyourwebserver.Inthistutorial,wewilljustkeepall
oftherelevantfilesinourhomedirectorybutfeelfreetostoretheminanysecurelocation
onyourserver:
cd~
Togenerateaprivatekey,called example.com.key ,andaCSR,called example.com.csr ,

runthiscommand(replacethe example.com withthenameofyourdomain):
opensslreqnewkeyrsa:2048nodeskeyoutexample.com.keyoutexample.com.csr
Atthispoint,youwillbepromptedforseverallinesofinformationthatwillbeincludedin
yourcertificaterequest.ThemostimportantpartistheCommonNamefieldwhichshould
matchthenamethatyouwanttouseyourcertificatewith--forexample, example.com ,
www.example.com ,or(forawildcardcertificaterequest) *.example.com .Ifyouare
planningongettinganOVorEVcertificate,ensurethatalloftheotherfieldsaccurately
reflectyourorganizationorbusinessdetails.
Forexample:
CountryName(2lettercode)[AU]:US
StateorProvinceName(fullname)[SomeState]:NewYork
LocalityName(eg,city)[]:NewYork
OrganizationName(eg,company)[InternetWidgitsPtyLtd]:MyCompany
OrganizationalUnitName(eg,section)[]:
CommonName(e.g.serverFQDNorYOURname)[]:example.com
EmailAddress[]:sammy@example.com
Thiswillgeneratea .key and .csr file.The .key fileisyourprivatekey,andshouldbe

keptsecure.The .csr fileiswhatyouwillsendtotheCAtorequestyourSSLcertificate.
YouwillneedtocopyandpasteyourCSRwhensubmittingyourcertificaterequesttoyour
CA.ToprintthecontentsofyourCSR,usethiscommand(replacethefilenamewithyour
own):
catexample.com.csr
NowwearereadytobuyacertificatefromaCA.Wewillshowtwoexamples,GoDaddy
andRapidSSLviaNamecheap,butfeelfreetogetacertificatefromanyothervendor.
ExampleCA1:RapidSSLviaNamecheap
NamecheapprovidesawaytobuySSLcertificatesfromavarietyofCAs.Wewillwalk
throughtheprocessofacquiringasingledomaincertificatefromRapidSSL,butyoucan
deviateifyouwantadifferenttypeofcertificate.
Note:IfyourequestasingledomaincertificatefromRapidSSLforthe www subdomainof

yourdomain(e.g. www.example.com ),theywillissuethecertificatewithaSANofyour
basedomain.Forexample,ifyourcertificaterequestisfor www.example.com ,the
resultingcertificatewillworkforboth www.example.com and example.com .
SelectandPurchaseCertificate
GotoNamecheap'sSSLcertificatepage:https://www.namecheap.com/security/ssl-
certificates.aspx.
Hereyoucanstartselectingyourvalidationlevel,certificatetype("DomainsSecured"),or
CA("Brand").
Forourexample,wewillclickontheCompareProductsbuttoninthe"DomainValidation"
box.Thenwewillfind"RapidSSL",andclicktheAddtoCartbutton.
Atthispoint,youmustregisterorlogintoNamecheap.Thenfinishthepaymentprocess.
RequestCertificate
Afterpayingforthecertificateofyourchoice,gototheManageSSLCertificateslink,
underthe"HiUsername"section.
Here,youwillseealistofalloftheSSLcertificatesthatyouhavepurchasedthrough
Namecheap.ClickontheActivateNowlinkforthecertificatethatyouwanttouse.
Nowselectthesoftwareofyourwebserver.Thiswilldeterminetheformatofthe
certificatethatNamecheapwilldelivertoyou.Commonlyselectedoptionsare"Apache+
MODSSL","nginx",or"Tomcat".
PasteyourCSRintotheboxthenclicktheNextbutton.
Youshouldnowbeatthe"SelectApprover"stepintheprocess,whichwillsenda
validationrequestemailtoanaddressinyourdomain'sWHOISrecordortoan
administratortypeaddressofthedomainthatyouaregettingacertificatefor.Selectthe
addressthatyouwanttosendthevalidationemailto.
Providethe"AdministrativeContactInformation".ClicktheSubmitorderbutton.
ValidateDomain
Atthispoint,anemailwillbesenttothe"approver"address.Opentheemailandapprove
thecertificaterequest.
DownloadCertificates
Afterapprovingthecertificate,thecertificatewillbeemailedtotheTechnicalContact.The
certificateissuedforyourdomainandtheCA'sintermediatecertificatewillbeatthe
bottomoftheemail.
Copyandsavethemtoyourserverinthesamelocationthatyougeneratedyourprivate
keyandCSR.Namethecertificatewiththedomainnameanda .crt extension,e.g.

example.com.crt ,andnametheintermediatecertificate intermediate.crt .
Thecertificateisnowreadytobeinstalledonyourwebserver.
ExampleCA2:GoDaddy
GoDaddyisapopularCA,andhasallofthebasiccertificatetypes.Wewillwalkthrough
theprocessofacquiringasingledomaincertificate,butyoucandeviateifyouwanta
differenttypeofcertificate.
SelectandPurchaseCertificate
GotoGoDaddy'sSSLcertificatepage:https://www.godaddy.com/ssl/ssl-certificates.aspx.
ScrolldownandclickontheGetStartedbutton.
SelectthetypeofSSLcertificatethatyouwantfromthedropdownmenu:singledomain,
multidomain(UCC),orwildcard.
Thenselectyourplantype:domain,organization,orextendedvalidation.
Thenselecttheterm(durationofvalidity).
ThenclicktheAddtoCartbutton.
Reviewyourcurrentorder,thenclicktheProceedtoCheckoutbutton.
Completetheregistrationandpaymentprocess.
RequestCertificate
Afteryoucompleteyourorder,clicktheSSLCertificates*button(orclickonMyAccount>
ManageSSLCertificatesinthetop-rightcorner).
FindtheSSLcertificatethatyoujustpurchasedandclicktheSetUpbutton.Ifyouhave
notusedGoDaddyforSSLcertificatesbefore,youwillbepromptedtosetupthe"SSL
Certificates"product,andassociateyourrecentcertificateorderwiththeproduct(Click
thegreenSetUpbuttonandwaitafewminutesbeforerefreshingyourbrowser).
Afterthe"SSLCertificates"ProductisaddedtoyourGoDaddyaccount,youshouldsee
your"NewCertificate"anda"Launch"button.ClickontheLaunchbuttonnexttoyournew
certificate.
ProvideyourCSRbypastingitintothebox.TheSHA-2algorithmwillbeusedbydefault.
TicktheIagreecheckbox,andclicktheRequestCertificatebutton.
ValidateDomain
Nowyouwillhavetoverifythatyouhavecontrolofthedomain,andprovideGoDaddy
withafewdocuments.GoDaddywillsendadomainownershipverificationemailtothe
addressthatisonyourdomain'sWHOISrecord.Followthedirectionsintheemailsthat
youaresenttoyou,andauthorizetheissuanceofthecertificate.
DownloadCertificate
AfterverifyingtoGoDaddythatyoucontrolthedomain,checkyouremail(theonethatyou
registeredwithGoDaddywith)foramessagethatsaysthatyourSSLcertificatehasbeen
issued.Openit,andfollowthedownloadcertificatelink(orclicktheLaunchbuttonnextto
yourSSLcertificateintheGoDaddycontrolpanel).
NowclicktheDownloadbutton.
SelecttheserversoftwarethatyouareusingfromtheServertypedropdownmenu--ifyou
areusingApacheHTTPorNginx,select"Apache"--thenclicktheDownloadZipFile
button.
ExtracttheZIParchive.Itshouldcontaintwo .crt files;yourSSLcertificate(whichshould

havearandomname)andtheGoDaddyintermediatecertificatebundle( gd_bundleg2
1.crt ).Copybothtwoyourwebserver.Renamethecertificatetothedomainnamewitha
.crt extension,e.g. example.com.crt ,andrenametheintermediatecertificatebundle
as intermediate.crt .
Thecertificateisnowreadytobeinstalledonyourwebserver.
InstallCertificateOnWebServer
AfteracquiringyourcertificatefromtheCAofyourchoice,youmustinstallitonyourweb
server.ThisinvolvesaddingafewSSL-relatedlinestoyourwebserversoftware
configuration.
WewillcoverbasicNginxandApacheHTTPconfigurationsonUbuntu14.04inthis
section.
Wewillassumethefollowingthings:
Theprivatekey,SSLcertificate,and,ifapplicable,theCA'sintermediatecertificates
arelocatedinahomedirectoryat /home/sammy
Theprivatekeyiscalled example.com.key
TheSSLcertificateiscalled example.com.crt
TheCAintermediatecertificate(s)areinafilecalled intermediate.crt
Ifyouhaveafirewallenabled,besurethatitallowsport443(HTTPS)
Note:Inarealenvironment,thesefilesshouldbestoredsomewherethatonlytheuser
thatrunsthewebservermasterprocess(usually root )canaccess.Theprivatekey

shouldbekeptsecure.
Nginx
IfyouwanttouseyourcertificatewithNginxonUbuntu14.04,followthissection.
WithNginx,ifyourCAincludedanintermediatecertificate,youmustcreateasingle
"chained"certificatefilethatcontainsyourcertificateandtheCA'sintermediate
certificates.
Changetothedirectorythatcontainsyourprivatekey,certificate,andtheCAintermediate
certificates(inthe intermediate.crt file).Wewillassumethattheyareinyourhome

directoryfortheexample:
cd~
Assumingyourcertificatefileiscalled example.com.crt ,usethiscommandtocreatea

combinedfilecalled example.com.chained.crt (replacethehighlightedpartwithyour
owndomain):
catexample.com.crtintermediate.crt>example.com.chained.crt
NowgotoyourNginxserverblockconfigurationdirectory.Assumingthatislocatedat
/etc/nginx/sitesenabled ,usethiscommandtochangetoit:
cd/etc/nginx/sitesenabled
AssumingwanttoaddSSLtoyour default serverblockfile,openthefileforediting:
sudovidefault
Findandmodifythe listen directive,andmodifyitsoitlookslikethis:
listen443ssl;
Thenfindthe server_name directive,andmakesurethatitsvaluematchesthecommon

nameofyourcertificate.Also,addthe ssl_certificate and ssl_certificate_key
directivestospecifythepathsofyourcertificateandprivatekeyfiles(replacethe
highlightedpartwiththeactualpathofyourfiles):
server_nameexample.com;
ssl_certificate/home/sammy/example.com.chained.crt;
ssl_certificate_key/home/sammy/example.com.key;
ToallowonlythemostsecureSSLprotocolsandciphers,addthefollowinglinestothe
file:
ssl_protocolsTLSv1TLSv1.1TLSv1.2;
ssl_prefer_server_cipherson;
ssl_ciphersAES256+EECDH:AES256+EDH:!aNULL;
IfyouwantHTTPtraffictoredirecttoHTTPS,youcanaddthisadditionalserverblockat
thetopofthefile(replacethehighlightedpartswithyourowninformation):
server{
listen80;
server_nameexample.com;
rewrite^/(.*)https://example.com/$1permanent;
}
Thensaveandquit.
NowrestartNginxtoloadthenewconfigurationandenableTLS/SSLoverHTTPS!
sudoservicenginxrestart
TestitoutbyaccessingyoursiteviaHTTPS,e.g. https://example.com .
Apache
IfwanttouseyourcertificatewithApacheonUbuntu14.04,followthissection.
Makeabackupofyourconfigurationfilebycopyingit.Assumingyourserverisrunningon
thedefaultvirtualhostconfigurationfile, /etc/apache2/sitesavailable/000
default.conf ,usethesecommandstotomakeacopy:
cd/etc/apache2/sitesavailable
cp000default.conf000default.conf.orig
Thenopenthefileforediting:
sudovi000default.conf
Findthe <VirtualHost*:80> entryandmodifyitsoyourwebserverwilllistenonport

443 :
<VirtualHost*:443>
Thenaddthe ServerName directive,ifitdoesn'talreadyexist(substituteyourdomain

namehere):
ServerNameexample.com
Thenaddthefollowinglinestospecifyyourcertificateandkeypaths(substituteyour
actualpathshere):
SSLEngineon
SSLCertificateFile/home/sammy/example.com.crt
SSLCertificateKeyFile/home/sammy/example.com.key
IfyouareusingApache2.4.8orgreater,specifytheCAintermediatebundlebyadding
thisline(substitutethepath):
SSLCACertificateFile/home/sammy/intermediate.crt
IfyouareusinganolderversionofApache,specifytheCAintermediatebundlewiththis
line(substitutethepath):
SSLCertificateChainFile/home/sammy/intermediate.crt
Atthispoint,yourserverisconfiguredtolistenonHTTPSonly(port443),sorequeststo
HTTP(port80)willnotbeserved.ToredirectHTTPrequeststoHTTPS,addthefollowing
tothetopofthefile(substitutethenameinbothplaces):
<VirtualHost*:80>
ServerNameexample.com
Redirectpermanent/https://example.com/
</VirtualHost>
Saveandexit.
EnabletheApacheSSLmodulebyrunningthiscommand:
sudoa2enmodssl
NowrestartApachetoloadthenewconfigurationandenableTLS/SSLoverHTTPS!
sudoserviceapache2restart
TestitoutbyaccessingyoursiteviaHTTPS,e.g. https://example.com .Youwillalso

wanttotryconnectingviaHTTP,e.g. http://example.com toensurethattheredirectis
workingproperly!
Conclusion
NowyoushouldhaveagoodideaofhowtoaddatrustedSSLcertificatetosecureyour
webserver.BesuretoshoparoundforaCAthatyouarehappywith!
Heart 102 Share Subscribe
Author:
MitchellAnicas
SpinupanSSDcloudserverinunderaminute.
Simplesetup.Fullrootaccess.
Straightforwardpricing.
DEPLOYSERVER
RelatedTutorials
HowToConfigureOCSPStaplingonApacheandNginx
HowtoAddNgx_pagespeedtoNginxonCentOS7
HowToSetUpMulti-FactorAuthenticationforSSHonUbuntu14.04
HowToSecureYourRedisInstallationonUbuntu14.04
HowToAddNgx_pagespeedtoNginxonUbuntu14.04
85Comments
Leaveacomment...
LogIntoComment
calewis November27,2014
IamnowunabletoaccessthedomainwithoutHTTPS,isthereawaytofixthis?
Greatguidebtw.
Thanks
xerhik November27,2014
WhatWebServerareyouusing?
calewis November28,2014
nginx,Isolveditbyaddinganadditionalserverdirective.
server{
listen80;
location/{
rewrite^(.*)https://mysite.com$1permanent;
}
Here'sthelinktothestackpage:http://serverfault.com/questions/67316/in-nginx-how-can-i-
rewrite-all-http-requests-to-https-while-maintaining-sub-dom
I'drecommendaddingthistotheguideasitit'saPITAifitonlyacceptshttpsanddoesnot
forceare-direct.
manicas December1,2014
That'salreadyintheguide,bytheway.
zeokat November28,2014
Inmyopinionthetutorialshouldoncludecompatbilitywithanon-sslversionoftheweb.
cliffkujala December11,2014
WhenIrunthefollowingsetup
root@example:/etc/ssl/nginx#catwww.example.com.crtintermediate.crt>www.example.co
Ireceivethefollowingresponse
bash:syntaxerrornearunexpectedtoken`newline'
Anyideas?I'mtryingtochainaGoDaddyEVSSL,whichIdownloadedasApacheservertype.
cliffkujala December11,2014
Removedthe <^> fromthecommand,anditappearstohaveworkedcorrectlynow.
asb December11,2014
Lookslikethatwasactuallyjustatypointhearticle.I'vefixeditabove.Thanks!
rmccarthy December17,2014
[deleted]
Mysiteiscomingupasinternalservererror(https://rynopower.com/)EventhoughtheSSL
appearstobeworking.(Greenlockisshowing)UsingPositiveSSLfromNamecheap.SSL
checking:https://www.sslchecker.com/sslchecker
RunningoffoftheWordpressUbuntu14.04Image.
Createdtheca-bundlewiththefourfilesprovidedbyNamecheap:
catrynopower_com.crtCOMODORSADomainValidationSecureServerCA.crt
COMODORSAAddTrustCA.crtAddTrustExternalCARoot.crt>rynopower.ca-bundle
Allfilesarecurrentlyin/etc/ssl/
CSRandKeythatwasgeneratedareinthesamefoldercurrently.
Relevantlinesfordefault-ssl.conf:
<IfModulemod_ssl.c>
<VirtualHost_default_:443>
ServerAdminwebmaster@localhost
ServerNamerynopower.com:443
SSLEngineon
SSLCertificateFile/etc/ssl/rynopower_com.crt
SSLCertificateKeyFile/etc/ssl/rynopower.key
SSLCertificateChainFile/etc/ssl/rynopower.ca-bundle
Anyideawhymysitewouldn'tworkonhttps?Itstillworksfineonhttp,andthelockcomesup
forhttps,justnocontent
manicas December17,2014
Istherestofyourdefault-ssl.confcorrect?
Idon'tseeanythinginparticularlywrong.Butmaybeyoumight.
Hereisthefullfile.
http://pastebin.com/ERz5ppr7
raafat January6,2015
HIthere,thankyouforthisgreatarticle...whenmyssl-providerissuedmysslcertificationigot
withthecertificationtwomorefiles,first:COMODORSAAddTrustCA,second:
COMODORSADomainValidationSecureServerCA
butinyourarticleyoudid'tmentionanythingaboutthosemorecertifications,socanyougive
mesomeexplanationaboutthosemorecertifications?wherewouldiusethem?
Bestregards
manicas January6,2015
AreyouusingNginx?Ifso,youwillwanttocombinethefilesintothe"chained"certificate
fileinaparticularorder:
1. example.com.crt
2. COMODORSADomainValidationSecureServerCA.crt
3. COMODORSAAddTrustCA.crt
4. AddTrustExternalCARoot.crt
Oryoucanrunthiscommandtodothesamething(substitutethenameofyourcertificate):
catexample.com.crtCOMODORSADomainValidationSecureServerCA.crtCOMODORSAAddTrustCA.c
[deleted]
Whataboutapache?
gregoryseanelia April21,2015
Didyoufigurethisoutforapache?
Anyhelpwouldbeappreciated.
manicas April21,2015
Placetheintermediatecertificatesinto intermediate.crt ,thenfollowtheinstructionsin

theApachesectionofthistutorial.
jonathan January6,2015
"freeStartSSLcertificatesarenottrustedbysomebrowsers".
Hmm,doyouhaveanyevidenceofthat?I'mgettinganA+ratingfromtheQualisystestwitha
freeStartSSLcertificate,andI'veneverheardofanycurrentbrowserrejectedastartSSL
certificate.
MightalsobeworthmentioningCloudflare'sfreeUniversalSSLoffering,which"hides"afree
server-signedkeybehinda"valid"keyfor"endtoend"SSL,orevenofferstomakeANY
websiteSSL,withoutaserver-sidecertificateneeded.
https://blog.cloudflare.com/introducing-universal-ssl/
aaronhong June27,2015
Therearesomeevidence.HaveyoueverheardofCACert?
TheyofferfreeSSLcertificatesundertheirownroot-notallmajorbrowserssupportit
though(notintheirtruststore/storage).
testmyxss420 January7,2015
Thanksforhelp
testmyxss420 January7,2015
gdd
stiuvert0007 January23,2015
ThankyouforyourguideImanagedtoworkbutIchangedthedirectoryofthesslfilesand
nowycannotmakeitwork.
Ihave2domainstilabmx.com(default)anddianamejia.tkonLEMPwithubuntu14.04.
WhenIentertotilabmx.comtheservershowsmedianamejia.tk(beforesettingupSSL
everythingwasworkingfine)
Myconffileis:
server{
listen443ssldefaultserver;
listen[::]:443defaultserveripv6only=on;
root/var/www/tilabmx.com/html;
indexindex.phpindex.htmlindex.htm;
#Makesiteaccessiblefromhttp://localhost/
server_nametilabmx.comwww.tilabmx.com;
rewrite^/(.*)https://tilabmx.com/$1permanent;
ssl_certificate/home/stiuvert0007/tilabmx.com.chained.crt;
ssl_certificate_key/home/stiuvert0007/tilabmx.com.key;
ssl_protocolsTLSv1TLSv1.1TLSv1.2;
anyidea?
Thankyouinadvance!
ChecktheNginxerrorlog( /var/log/nginx/error.log ).Itprobablyhastodowith

permissionsofthefilesandtheircontainingdirectories.
Thankyouverymuchforyouranswer!Whataretheappropiatepermissions?
WhenIrun"sudocat/var/log/nginx/error.log"nothingopens,likeifthereisnofile
Regardingthepermissions,theSSLcertsandkeysneedtobereadablebytheuserthatis
startingtheNginxmasterprocess.ItsoundslikeNginxisn'treportinganyerrors,sothatis
probablynottheissue.
Areyouaccessingyoursitewith https insteadof http ?
Youprobablydelete rewrite^/(.*)https://tilabmx.com/$1permanent;
Thenaddthistothetopofyourconfigfile(ifyouwanthttptoredirecttohttps):
server{
listen80;
server_nametilabmx.com;
}
Againthankyoumanicas!Andsorryforallthequestions.Ireallyappreciateyourhelp.
Finallyit'sworking!Myconffileisasfollows:
server{
listen80default_server;
listen[::]:80default_serveripv6only=on;
}
afterthatIadded
server{
listen443;
sslon;
ssl_certificate/home/stiuvert0007/tilabmx.com.chained.crt;
ssl_certificate_key/home/stiuvert0007/tilabmx.com.key;
ssl_session_timeout5m;
ssl_protocolsSSLv3TLSv1TLSv1.1TLSv1.2;
#ssl_ciphers"HIGH:!aNULL:!MD5orHIGH:!aNULL:!MD5:!3DES";**<<<Thisisthedefa
location/{
try_files$uri$uri/=404;
}
}
Idon'tknowwhyifIputeverythinginthesameserverblockitdoesn'twork.
emraydn12 January31,2015
Ithinkyouforgotmentionthatwehavetoput SSLEngineon statementinsideApacheconfig

file.Itdidn'tworkformeunlessIaddedthatonApachev2.4.7.
arjun February11,2015
+1forthis.
Need SSLEngineon forApachev2.4.7
manicas February23,2015
Thanks!Updated.
edawebdesign February22,2015
Verycomprehensiveguide,thanks.
Onecommandthathelpedmedebugwas:
sudonginxt
Thattestsyourconfigtomakesureitisvalidandwillreportanyerrors.
beslergokhan March3,2015
IamattheendofitbutcannotrunSSLCACertificateFile/home/abc/intermediate.crtand
SSLCertificateChainFile/home/abc/intermediate.crt.bothreturnscommandnotfounderroron
Ubuntu14.04withapache2.4.7.
manicas March3,2015
Thosearen'tcommandsthatyoushouldrun.AddthosetoApacheconfigurationfile.
kmsitlhou March12,2015
Hello,amnotabletoredirecthttptohttps.Amusingapache2.Couldyoupleaseverify.
kiran926439 March20,2015
HiI'mtryingtosetupaSSLcertandgettingthiserror:
SSLCTXusePrivateKeyfile("/home///example.com.key")failed(SSL:error:0B080074:x509
certificateroutines:X509checkprivate_key:keyvaluesmismatch)
10k September2,2015
Iamhavingthesameissuewereyouabletosolvethis?
kennethtrueman March21,2015
Notsurewheretobegintobehonest.IamusingaWordPressdropletwithApacheand
Ubuntu14.04.IhaveaComodoSSLcertificatewitha.crtfileand.bundlefile.Ifollowedthe
instructions,makingadjustmentstothenaming.Itriedtheinstructionshereregardingthe
defaultconffileandItriedtheinstructionsfromComodoat
https://support.comodo.com/index.php?/Default/Knowledgebase/Article/View/637/37/for
Apache&mod_ssl.
Ihavekeysandcrtandbundlefilesinboth/home/myusername/andinthe/etc/ssl/directory
Mymodified000-default.conffeaturesthefollowing:
Listen443http
<VirtualHost*:80>
ServerNamewww.digitera.com
Redirectpermanent/https://www.digitera.com/
</VirtualHost>
<VirtualHost*:443>
ServerNamewww.digitera.com
SSLEngineon
SSLCertificateFile/etc/ssl/digitera_com.crt
SSLCertificateKeyFile/etc/ssl/digitera.com.key
SSLCertificateChainFile/etc/ssl/digitera_com.cabundle
ServerAdminwebmaster@localhost
DocumentRoot/var/www/html
ErrorLog${APACHE_LOG_DIR}/error.log
CustomLog${APACHE_LOG_DIR}/access.logcombined
</VirtualHost>
IaddedtheListencommandafterseeingitonaUbuntuforum.
IgetthefollowingerrorinFirefoxwhenItrytoconnectviahttps://www.digitera.com
Anerroroccurredduringaconnectiontowww.digitera.com.SSLreceivedarecordthat
Inthecommentssection,Mitchellmentionedthedefault-ssl.conffile,butthatisnotpartofthe
coretutorial.
WhichinstructionsshouldIbefollowing?TheinstructionsfromComodo,theoneshere?
ShouldIbemodyifyingjustthe000-default.conffileorthedefault-ssl.confoneaswell?
ShouldIbeleavingthe.bundlefilenamealoneorshouldIrenameittomatchtheconvention
thatisindicatedinthebasetutorial?
Help!!!
Ken
manicas March23,2015
WhichversionofApacheareyouusing?Ifit'sa2.4.x,tryreplacing
SSLCertificateChainFile with:
SSLCACertificateFile/etc/ssl/digitera_com.cabundle
LoadMoreComments
ThisworkislicensedunderaCreative
CommonsAttribution-NonCommercial-
ShareAlike4.0InternationalLicense.

Copyright2015DigitalOceanInc.
Community Tutorials Questions Projects Tags RSS
Terms,Privacy,&Copyright Security ReportaBug GetPaidtoWrite

How To Install An SSL Certificate From A Commercial Certificate Authority - DigitalOcean

Încărcat de

Informații document

Titlu original

Drepturi de autor

Formate disponibile

Partajați acest document

Partajați sau inserați document

Opțiuni de partajare

Vi se pare util acest document?

Este necorespunzător acest conținut?

Drepturi de autor:

Formate disponibile

How To Install An SSL Certificate From A Commercial Certificate Authority - DigitalOcean

Încărcat de

Drepturi de autor:

Formate disponibile

10/1/2015 HowToInstallanSSLCertificatefromaCommercialCertificateAuthority|DigitalOcean

SingleDomain:Usedforasingledomain,e.g. example.com .Notethatadditional

certificatefor *.example.com canalsobeusedfor www.example.com and

asingledomain-pricedcertificatethatworksfor www. andthedomainbasename,e.g.

Togenerateaprivatekey,called example.com.key ,andaCSR,called example.com.csr ,

Thiswillgeneratea .key and .csr file.The .key fileisyourprivatekey,andshouldbe

Note:IfyourequestasingledomaincertificatefromRapidSSLforthe www subdomainof

keyandCSR.Namethecertificatewiththedomainnameanda .crt extension,e.g.

ExtracttheZIParchive.Itshouldcontaintwo .crt files;yourSSLcertificate(whichshould

thatrunsthewebservermasterprocess(usually root )canaccess.Theprivatekey

certificates(inthe intermediate.crt file).Wewillassumethattheyareinyourhome

Assumingyourcertificatefileiscalled example.com.crt ,usethiscommandtocreatea

AssumingwanttoaddSSLtoyour default serverblockfile,openthefileforediting:

Findandmodifythe listen directive,andmodifyitsoitlookslikethis:

Thenfindthe server_name directive,andmakesurethatitsvaluematchesthecommon

Findthe <VirtualHost*:80> entryandmodifyitsoyourwebserverwilllistenonport

Thenaddthe ServerName directive,ifitdoesn'talreadyexist(substituteyourdomain

TestitoutbyaccessingyoursiteviaHTTPS,e.g. https://example.com .Youwillalso

Heart 102 Share Subscribe

Removedthe <^> fromthecommand,anditappearstohaveworkedcorrectlynow.

Placetheintermediatecertificatesinto intermediate.crt ,thenfollowtheinstructionsin

ChecktheNginxerrorlog( /var/log/nginx/error.log ).Itprobablyhastodowith

Areyouaccessingyoursitewith https insteadof http ?

Ithinkyouforgotmentionthatwehavetoput SSLEngineon statementinsideApacheconfig

Need SSLEngineon forApachev2.4.7

Community Tutorials Questions Projects Tags RSS

Terms,Privacy,&Copyright Security ReportaBug GetPaidtoWrite

S-ar putea să vă placă și