How to buy a HTTPS SSL certificate (HTTPS Everywhere – Part 3)

In Part 2 of our HTTPS Everywhere series we explained the differences between the different types of certificates.

In this part we’ll explain how you can buy a certificate from a Certificate authority.

You should choose a Certificate Authority which is trusted by both current and older browsers/operating systems for maximum compatibility. These include, but are not limited to:

• GlobalSign
• Network Solutions
• Symantec
• Thawte
• Trustwave
• Comodo

You can view daily updated reports of the market shares of the leading Certificate Authorities at http://w3techs.com/technologies/overview/ssl_certificate/all

Because of better pricing we have chosen to buy a certificate from Comodo. They also support generating 2048 bit certificates for better security.

Many companies resell certificates from the above Certificate Authorities. They are the exact same certificates, but come with a reduced price tag. We recommend you to shop around.

One such reseller we recommend and use is the SSLStore which we will use in the example ordering process below.

Generate a Certificate Signing request

When ordering a Certificate from a Certificate Authority you’ll need to create a Certificate Signing request. (CSR)

A Certificate Signing request is file with encrypted text that is generated on the server where the certificate will be used on. It contains various details like your organization name, the common name (=domain name), email address, locality and country. It also contains your public key; which the Certificate Authority will put into your certificate.

When we create the Certificate Signing request below we will also generate a private key. The Certificate Signing request will only work with the private key that was generated with it. The private key will be needed for the certificate you’ll buy, to work.

Here is how you can create the Certificate Signing request on your server:

Let’s explain the openSSL parameters in detail:

• req: activates the part of openssl that deals with certificate requests signing
• -nodes: no des, stores the private key without protecting it with a passphrase. While this is not considered to be best practice, many people do not set a passphrase or later remove it, since services with pass phrase protected keys can not be auto-restarted without typing in the passphrase
• -newkey: generate a new private key
• rsa:2048 1024 is the default bit length of the private key. We will use 2048 bit keys because our Certificate Authority supports this and is required for certificates which expire after October 2013
• -sha256: used by certificate authorities to generate a SHA-2 certificates (which is more secure then SHA-1)
• -keyout myprivatekey.key: store the private key in a file called myprivatekey.key (in PEM format)
• -out certificate-signing-request.csr: store the certificate request in a file called certificate-signing-request.csr

When launching the above command you’ll be asked to enter information that will be incorporated into your certificate request.

There are quite a few fields but you can leave some blank. For some fields there will be a default value (displayed in […] brackets). If you enter ‘.’, the field will be left blank.

• Country Name (2 letter code) [AU]: eg. BE for Belgium
• State or Province Name (full name) [Some-State]
• Locality Name (eg. city) []
• Organization Name (eg. company) [Internet Widgits Pty Ltd]: Wim Bervoets
• Organizational Unit Name (eg, section) []:
• Common Name (e.g. server FQDN or YOUR name) []: this is an important setting which we will discuss below.
• Email Address []: email address which will be in the certificate and used by the Certificate Authority to verify your request . Make sure this email is valid & you have access to it. The email address should also match with the email address in the DNS contact emails used for the particular domain you’re requesting a certificate for.

The Common Name should be the domain name you’re requesting a certificate for. eg. www.mywebsite.com

This should include the www or the subdomain you’re requesting a certificate for.

If you want to order a wildcard certificate which is valid for all subdomains you should specify this with a star; eg. *.mywebsite.com

OpenSSL will now ask you for a few ‘extra’ attributes to be sent with your certificate request:

* a challenge password []: leave empty
* an optional company name []: leave empty

Now we can download the freshly generated csr file and use it when ordering our SSL certificate at the SSLStore.

Ordering a certificate

Let’s suppose we want a Comodo Wildcard certificate. Go to https://www.thesslstore.com/wildcardssl-certificates.aspx?aid=52910623 and click on the Add To cart button next to ‘Comodo EssentialSSL Wildcard certificate‘.

Next you’ll be asked for your billing details and credit card information. After completing these steps an email will be sent with a link to the Configure SSL service of Comodo (together with a PIN)

Here you’ll also need to provide the Certificate Signing request you have generated in the previous section.

After completing these steps, your domain will be validated by Comodo. Depending on the type of certificate this will take a few hours to one week to complete.

As we didn’t choose an Extended Validation certificate, this validation was quick and we soon received a ‘Domain Control Validation’ email with another validation code for our certificate we requested.

This email was sent to the DNS contacts listed for our domain.

After entering the validation code on the Comodo website, the certificate was emailed to our email address.

In Part 4 we will show you how to install your https certificate in the nginx webserver.