Secure Socket Layer (SSL) Certificates

Why do I need SSL certificates?

SSL certificates are used to authenticate and encrypt a connection between some kind of client software and a server, for example between your web browser and a web server, or between your email client and a mail server.

If you are using a service like squarespace or the moniker web hosting, you can use a free certificate; you only need to activate the encryption in the admin panel. These free certificates are usually issued by letsencrypt.org.

Certificate Authorities

The issuer of a certificate is called a certificate authority or CA. The CA will validate your information before they issue the certificate.

There are three levels of validation:

Domain validation (DV)

The CA will check that you control the domain before it issues a certificate for you. This is usually done by sending an email to an address that is only available to the owner of the domain, like admin@yourdomain.com, by asking you to put a file on a web server, or by asking you to create a TXT record on the nameserver of the domain.

Organization validation (OV)

The CA will validate the organization, usually by checking that it is listed in a directory, but some may also try to contact you by phone or other means.

Extended validation (EV)

There are also so-called extended validation certificates (EV). If you want one of those, the CA will ask you to provide additional information and will try to validate that information before it issues the certificate.

You can become a CA yourself, but the issue here is that the client needs to trust your CA certificate. Web browsers and operating systems come with a huge list of CAs they trust.

Types of certificates

There are several types of certificates. A simple certificate only covers one domain name, like yourdomain.com. A subdomain like www.yourdomain.com would not be covered, and you would need a separate certificate for that subdomain.

There are also so-called wildcard certificates that cover a domain and all its subdomains. So you would ask the CA to issue a certificate for *.yourdomain.com.

The third type is a SAN or subject alternative name certificate. It covers more than one domain or subdomain, so for example one certificate can cover shop.yourdomain.com, yourdomain.com and yourotherdomain.org.

Wildcard and SAN certificates are usually a lot more expensive than simple certificates. But you can get them for free at letsencrypt.org.

The only downside of letsencrypt.org is that a certificate issued by this CA is only valid for 3 months. There are tools available that renew these certificates automatically.

If you don't want to use these free certificates, you can also buy a certificate.

Ordering a certificate

To order a certificate you need to create a so-called certificate signing request (CSR). The CSR contains information about the domain the certificate is for and about the owner of the certificate. When you create a CSR you also create a private key, which is used to decrypt the data that is encrypted with the certificate.

You usually use openssl to create the CSR and key.

Here is an example:

openssl req -new -nodes -newkey rsa:2048 -keyout mycert.key -out mycert.csr
Generating a 2048 bit RSA private key
..............................................................................
................+++
....................................+++
writing new private key to 'mycert.key'
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) []:US
State or Province Name (full name) []:Florida
Locality Name (eg, city) []:Miami
Organization Name (eg, company) []:
Organizational Unit Name (eg, section) []:
Common Name (eg, fully qualified host name) []:mydomain.com
Email Address []:admin@mydomain.com

Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:

The command will create the files mycert.key (the private key) and mycert.csr (the CSR). Keep the key private and safe; anyone with access to the key can decrypt the encrypted information.
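The interactive session above answers the prompts by hand. The script below is an added example (not part of the original article) that does the same job non-interactively and, because the "Types of certificates" section mentions SAN certificates, asks for several hostnames in one CSR. It then runs the checks worth doing before sending a CSR to a CA: the request's own signature verifies, the request really belongs to the key you just made, and the names in it are the ones you meant to order. The file names mycert.key and mycert.csr are taken from the article; the hostnames and the csr.cnf config file are constructed placeholders.

```shell
#!/bin/sh
# Added example: create a private key and a CSR with subjectAltName entries
# without prompts, then sanity-check the CSR. Hostnames are placeholders.
set -eu

WORKDIR=$(mktemp -d)

# The [req] section turns off the interactive prompts, [dn] holds the
# Distinguished Name fields the article walks through, and [alt_names] lists
# every hostname the certificate must cover (a SAN request).
make_csr() {
    cat > "$WORKDIR/csr.cnf" <<'EOF'
[req]
prompt = no
default_md = sha256
distinguished_name = dn
req_extensions = ext

[dn]
C = US
ST = Florida
L = Miami
CN = mydomain.com
emailAddress = admin@mydomain.com

[ext]
subjectAltName = @alt_names

[alt_names]
DNS.1 = mydomain.com
DNS.2 = www.mydomain.com
DNS.3 = shop.mydomain.com
EOF
    # Same command as in the article, with the answers coming from the config.
    openssl req -new -nodes -newkey rsa:2048 \
        -keyout "$WORKDIR/mycert.key" -out "$WORKDIR/mycert.csr" \
        -config "$WORKDIR/csr.cnf" 2>/dev/null
    # The private key must be readable by its owner only.
    chmod 600 "$WORKDIR/mycert.key"
}

# Check 1: the CSR is internally consistent (its self-signature verifies).
csr_is_valid() {
    openssl req -in "$WORKDIR/mycert.csr" -noout -verify 2>/dev/null
}

# Check 2: the CSR was made from this key (the public key material matches).
csr_matches_key() {
    csr_pub=$(openssl req -in "$WORKDIR/mycert.csr" -noout -pubkey)
    key_pub=$(openssl pkey -in "$WORKDIR/mycert.key" -pubout)
    [ "$csr_pub" = "$key_pub" ]
}

# Check 3: list the hostnames the CSR asks for, one per line, so they can be
# compared with the order placed at the CA.
csr_names() {
    openssl req -in "$WORKDIR/mycert.csr" -noout -text \
        | grep -o 'DNS:[^,]*' | sed 's/DNS://' | tr -d ' '
}

make_csr
csr_is_valid
csr_matches_key
csr_names
```

If the CA's order form asks for a single CSR but you want a wildcard instead of a list of names, replace the alt_names entries with `DNS.1 = *.mydomain.com` (and keep the bare domain as a second entry, since the wildcard does not cover it).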

The CSR looks like this:

-----BEGIN CERTIFICATE REQUEST-----
[base64-encoded request body omitted]
-----END CERTIFICATE REQUEST-----

The CA will then validate the information in the CSR as described before.

You usually have to click a link in an approval email or complete one of the other validation methods. Then you will receive the certificate.

You put the key and the certificate on your server and configure the server to use those files to encrypt its connections.
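Two earlier points deserve a worked demonstration before the certificate goes on a server: the "Certificate Authorities" section says you can be your own CA as long as clients trust it, and the section on letsencrypt.org notes that its certificates expire after 3 months and need renewing. The script below is an added example, not code from the article: it creates a throwaway private CA, issues a 90-day server certificate from a CSR, and then runs the checks an operator should run on any issued certificate, whoever signed it. The CA name, mydomain.com and all file names are constructed placeholders.

```shell
#!/bin/sh
# Added example: act as a private CA, sign a server CSR, then check trust,
# key/certificate match and expiry. All names are placeholders.
set -eu

WORKDIR=$(mktemp -d)

# A CA is just a self-signed certificate whose private key signs other
# certificates. Nothing outside this script trusts it.
make_ca() {
    openssl req -x509 -new -nodes -newkey rsa:2048 -sha256 -days 365 \
        -subj "/CN=My Private Test CA" \
        -keyout "$WORKDIR/ca.key" -out "$WORKDIR/ca.crt" 2>/dev/null
}

# Make a server key and CSR, then let the private CA sign it for 90 days
# (the same lifetime letsencrypt.org uses).
issue_cert() {
    openssl req -new -nodes -newkey rsa:2048 -subj "/CN=mydomain.com" \
        -keyout "$WORKDIR/server.key" -out "$WORKDIR/server.csr" 2>/dev/null
    openssl x509 -req -in "$WORKDIR/server.csr" -CA "$WORKDIR/ca.crt" \
        -CAkey "$WORKDIR/ca.key" -CAcreateserial -days 90 -sha256 \
        -out "$WORKDIR/server.crt" 2>/dev/null
}

# Check 1a: verify against the default trust store only. This fails, which is
# exactly the "clients need to trust your CA" problem from the article.
verify_with_system_store() {
    openssl verify "$WORKDIR/server.crt" >/dev/null 2>&1
}

# Check 1b: verify with the private CA explicitly trusted. This succeeds.
verify_with_private_ca() {
    openssl verify -CAfile "$WORKDIR/ca.crt" "$WORKDIR/server.crt" >/dev/null 2>&1
}

# Check 2: the certificate the CA sent back matches the private key on the
# server (the public key in both must be identical).
cert_matches_key() {
    cert_pub=$(openssl x509 -in "$WORKDIR/server.crt" -noout -pubkey)
    key_pub=$(openssl pkey -in "$WORKDIR/server.key" -pubout)
    [ "$cert_pub" = "$key_pub" ]
}

# Check 3: succeed only if the certificate is still valid N days from now.
# Renewal scripts use the same -checkend test; 30 days is a common threshold.
valid_for_days() {
    openssl x509 -in "$WORKDIR/server.crt" -noout -checkend $(( $1 * 86400 )) >/dev/null
}

make_ca
issue_cert
if verify_with_system_store; then
    echo "unexpected: the private CA is in the default trust store"
else
    echo "not trusted by default store (expected for a private CA)"
fi
verify_with_private_ca && echo "trusted when ca.crt is supplied"
cert_matches_key && echo "certificate matches server.key"
valid_for_days 30 && echo "still valid in 30 days"
```

On a real server the trust check is done from the client side, for example with `openssl s_client -connect host:443`, and a cron job that calls the `-checkend` test and triggers renewal is how the 3-month letsencrypt.org lifetime is normally handled.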

That is basically it.