How to Acquire and Install an SSL Certificate
Introduction
This tutorial will show you how to acquire and install an SSL certificate from a trusted, commercial Certificate Authority (CA). SSL certificates allow web servers to encrypt their traffic, and also offer a mechanism to validate server identities to their visitors. Websites using SSL are accessed via the https:// protocol.
Before the mid-2010s, many smaller websites did not always use SSL or HTTPS. Since then, expectations of security have increased, and the Let’s Encrypt project was created to provide free, trusted SSL certificates at scale, allowing almost everyone to use HTTPS as needed.
However, there are some limitations to Let’s Encrypt’s certificates. They expire every 3 months, typically requiring you to have a functioning auto-renewal script in place, and can be awkward to use in environments where this is not possible. Let’s Encrypt also does not provide Extended Validation certificates which validate the legal ownership of your web presence, or Wildcard Certificates that will automatically match every possible subdomain of your website (such as shop.example.com) without you having to register each of them manually.
For most users, these will not be significant limitations. Let’s Encrypt is a popular option for many personal and commercial websites. However, if you have particular enterprise software requirements, or a very large commercial operation, you should consider purchasing a certificate from a commercial CA.
This tutorial covers how to select and deploy an SSL certificate from a trusted certificate authority. After you have acquired your SSL certificate, this tutorial will cover installing it on the Nginx and Apache web servers.
Prerequisites
There are several prerequisites to attempting to obtain an SSL certificate from a commercial CA:
- A registered domain name. This tutorial will use example.com throughout. You can purchase a domain name from Namecheap, get one for free with Freenom, or use the domain registrar of your choice.
- Access to one of the email addresses on your domain’s WHOIS record or to an “admin type” email address at the domain itself. Certificate authorities that issue SSL certificates will typically validate domain control by sending a validation email to one of the addresses on the domain’s WHOIS record, or to a generic admin email address at the domain itself. To be issued an Extended Validation certificate, you will also be required to provide the CA with paperwork to establish the legal identity of the website’s owner, among other things.
- DNS records set up for your server.
- This tutorial will provide configuration instructions for an Ubuntu 22.04 server set up by following this initial server setup for Ubuntu 22.04 tutorial, including a sudo-enabled non-root user and a firewall. Most modern Linux flavors will work similarly.
- You should also have a web server like Nginx or Apache installed. Be sure that you have a server block (or Apache virtual host) for your domain.
Step 1 – Choosing Your Certificate Authority
If you are not sure which Certificate Authority to use, there are a few factors to consider:
Root Certificate Program Memberships
The most crucial point is that the CA that you choose is a member of the root certificate programs of the most commonly used operating systems and web browsers, i.e., it is a “trusted” CA, and its root certificate is trusted by common browsers and other software. If your website’s SSL certificate is signed by a trusted CA, its identity is considered to be valid by software that trusts the CA.
Most commercial CAs that you will encounter will be members of the common root CA programs, but it does not hurt to check before making your certificate purchase. For example, Apple publishes its list of trusted SSL root certificates.
Certificate Types
Ensure that you choose a CA that offers the certificate type that you require. Many CAs offer variations of these certificate types under a variety of names and pricing structures. Here is a short description of each type:
- Single Domain: Used for a single domain, e.g., example.com. Note that additional subdomains, such as www.example.com, are not included.
- Wildcard: Used for a domain and any of its subdomains. For example, a wildcard certificate for *.example.com can also be used for www.example.com and store.example.com.
- Multiple Domain: Known as a SAN or UC certificate, these can be used with multiple domains and subdomains that are added to the Subject Alternative Name field. For example, a single multi-domain certificate could be used with example.com, www.example.com, and example.net.
In addition to the aforementioned certificate types, there are different levels of validations that CAs offer:
- Domain Validation (DV): DV certificates are issued after the CA validates that the requestor owns or controls the domain in question.
- Organization Validation (OV): OV certificates can be issued only after the issuing CA validates the legal identity of the requestor.
- Extended Validation (EV): EV certificates can be issued only after the issuing CA validates the legal identity, among other things, of the requestor, according to a strict set of guidelines. The purpose of this type of certificate is to provide additional assurance of the legitimacy of your organization’s identity to your site’s visitors. EV certificates can be single or multiple domain, but not wildcard.
Additional Features
Many CAs offer a large variety of “bonus” features to differentiate themselves from the rest of the SSL certificate-issuing vendors. Some of these features can end up saving you money, so it is important that you weigh your needs against the offerings before making a purchase. Examples of features to look out for include free certificate reissues or a single domain-priced certificate that works for both www. and the domain base name, e.g., www.example.com with a SAN of example.com.
Step 2 – Generating a CSR and Private Key
After you have your prerequisites sorted, and you know the type of certificate you need, it’s time to generate a certificate signing request (CSR) and private key.
If you are planning on using Apache HTTP or Nginx as your web server, you can use the openssl command to generate your private key and CSR on your web server. In this tutorial, you can keep all of the relevant files in your home directory, but feel free to store them in any secure location on your server:
openssl req -newkey rsa:2048 -nodes -keyout example.com.key -out example.com.csr
At this point, you will be prompted for several lines of information that will be included in your certificate request. The most important part is the Common Name field, which should match the name that you want to use your certificate with – for example, example.com, www.example.com, or (for a wildcard certificate request) *.example.com. If you are planning on getting an OV or EV certificate, ensure that all of the other fields accurately reflect your organization or business details. Providing a “challenge password” is not necessary.
For example:
Country Name (2 letter code) [AU]:US
State or Province Name (full name) [Some-State]:New York
Locality Name (eg, city) []:New York
Organization Name (eg, company) [Internet Widgits Pty Ltd]:My Company
Organizational Unit Name (eg, section) []:
Common Name (e.g. server FQDN or YOUR name) []:example.com
Email Address []:sammy@example.com
This will generate a .key and .csr file. The .key file is your private key and should be kept secure. The .csr file is what you will send to the CA to request your SSL certificate.
List your generated files to confirm:
ls example.com*
To print the contents of your CSR, use the following command:
cat example.com.csr
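The interactive prompts above can also be answered from the command line, which is handier on a server you administer over SSH and makes the request reproducible. The script below is an added example, not part of the original tutorial: it generates the key and CSR non-interactively, adds a Subject Alternative Name so the request covers both example.com and www.example.com, and then inspects the CSR to confirm the Common Name, the SAN list and that the CSR really was produced from the private key sitting next to it. It assumes the openssl CLI (1.1.1 or newer, which introduced -addext) is installed; example.com, the subject fields and the output directory are illustrative values.

```shell
#!/bin/sh
# Added example (not from the original tutorial): generate the key and CSR
# without the interactive prompts, then check the CSR before sending it.
# Assumes the openssl CLI (1.1.1 or newer, for -addext) is installed.
# example.com, the subject fields and the output directory are
# illustrative values chosen for this example.
set -eu

# Create a 2048-bit RSA private key and a CSR for domain $2 inside directory $1.
# -subj answers the prompts; -addext adds a Subject Alternative Name so the
# request covers both the bare domain and its www. host.
gen_csr() {
  dir="$1"
  domain="$2"
  openssl req -new -newkey rsa:2048 -nodes \
    -keyout "$dir/$domain.key" -out "$dir/$domain.csr" \
    -subj "/C=US/ST=New York/L=New York/O=My Company/CN=$domain" \
    -addext "subjectAltName=DNS:$domain,DNS:www.$domain" 2>/dev/null
  # The private key never leaves this server; keep it readable by you only.
  chmod 600 "$dir/$domain.key"
}

# Print the Common Name the CSR asks the CA to certify.
csr_cn() {
  openssl req -in "$1" -noout -subject -nameopt sep_multiline |
    sed -n 's/^ *CN=//p'
}

# Print the DNS names in the CSR's Subject Alternative Name, one per line,
# so they can be compared against the hostnames you intend to secure.
csr_sans() {
  openssl req -in "$1" -noout -text |
    grep -A1 'Subject Alternative Name' | tail -n 1 |
    tr ',' '\n' | sed 's/^ *DNS://'
}

# Succeed only if the CSR's self-signature verifies and its public key is the
# one derived from the private key, i.e. the two files belong together.
csr_matches_key() {
  csr="$1"
  key="$2"
  openssl req -in "$csr" -noout -verify >/dev/null 2>&1 || return 1
  csr_pub=$(openssl req -in "$csr" -noout -pubkey | openssl sha256)
  key_pub=$(openssl pkey -in "$key" -pubout | openssl sha256)
  [ "$csr_pub" = "$key_pub" ]
}
```

Typical use is `gen_csr "$HOME" example.com` followed by `csr_cn`, `csr_sans` and `csr_matches_key` on the two files it wrote; only the .csr is uploaded to the CA. For an OV or EV request, check the printed subject fields against your registered company details before uploading, since the CA will compare them against its paperwork.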
Step 3 – Purchasing and Obtaining a Certificate
There are many commercial CA providers, and you can compare and contrast the most appropriate options for your setup. For example, Namecheap acts as an SSL certificate reseller, offering certificates from Comodo CA. After making a selection, you will need to upload the CSR that you generated in the previous step. Your CA provider will also likely have an “Approver” step, which will send a validation request email to an address in your domain’s WHOIS record or to an administrator type address of the domain that you are getting a certificate for.
After you approve the request, the CA will email the certificate, usually together with an intermediate certificate, to the named administrator. Save these files to your server in the same location where you generated your private key and CSR. Name the certificate with the domain name and a .crt extension, e.g., example.com.crt, and name the intermediate certificate intermediate.crt.
Step 4 – Updating Your Firewall to Allow HTTPS
If you have the ufw firewall enabled as recommended by our Ubuntu 22.04 setup guide, you’ll need to adjust the settings to allow for HTTPS traffic. Nginx and Apache both register a few profiles with ufw upon installation.
You can see the current settings by typing:
sudo ufw status
If the output lists only Nginx HTTP (or, for Apache, only Apache), just HTTP traffic is allowed to the web server. Allow the full profile and remove the HTTP-only one (substitute Apache Full and Apache if you are running Apache):
sudo ufw allow 'Nginx Full'
sudo ufw delete allow 'Nginx HTTP'
Check the updated settings:
sudo ufw status
Make sure HTTPS traffic is enabled and HTTP traffic is removed.
Step 5 – Installing a Certificate On Your Server
Nginx
If your CA returned the intermediate certificate as a separate file, you must create a single “chained” certificate file containing your certificate followed by the intermediate:
cat example.com.crt intermediate.crt > example.com.chained.crt
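Before editing any web server configuration, it is worth confirming that the files from Step 3 are the ones you think they are: that the certificate the CA returned matches the private key from Step 2, that it chains through the intermediate to a trusted root, and that the chained file built above starts with your own certificate rather than the intermediate (the most common ordering mistake). The script below is an added example, not from the original tutorial, and assumes the openssl CLI is installed. Because a real CA cannot be reached offline, `make_test_chain` constructs a throwaway root, intermediate and example.com certificate to exercise the checks; with a real CA you would skip that function and run the checks on example.com.crt, intermediate.crt and example.com.key.

```shell
#!/bin/sh
# Added example (not from the original tutorial): checks to run on the files
# the CA sends back before you point Nginx or Apache at them. Assumes the
# openssl CLI is installed. make_test_chain builds a constructed
# root + intermediate + example.com chain for offline testing only.
set -eu

# Succeed only if the certificate's public key matches the private key that
# was generated with the CSR. A mismatch means the CA signed a different CSR
# or the wrong key file was copied; the web server would refuse to start.
cert_matches_key() {
  cert_pub=$(openssl x509 -in "$1" -noout -pubkey | openssl sha256)
  key_pub=$(openssl pkey -in "$2" -pubout | openssl sha256)
  [ "$cert_pub" = "$key_pub" ]
}

# Succeed only if the leaf ($3) chains through the intermediate ($2) to the
# trust anchor ($1). Against a commercial CA, drop -CAfile so the system
# trust store is used instead of a file you supply.
chain_verifies() {
  openssl verify -CAfile "$1" -untrusted "$2" "$3" >/dev/null 2>&1
}

# Build the single chained file Nginx expects: server certificate first,
# then the intermediate(s).
build_chain() {
  cat "$1" "$2" > "$3"
}

# Print the CN of the first certificate in a PEM file. For a chained file
# this must be your domain, not the intermediate CA's name.
first_cert_cn() {
  openssl x509 -in "$1" -noout -subject -nameopt sep_multiline |
    sed -n 's/^ *CN=//p'
}

# Key plus CSR for "$2" in directory "$1" with subject "$3" (helper for the
# constructed chain below).
new_csr() {
  openssl req -new -newkey rsa:2048 -nodes -keyout "$1/$2.key" \
    -out "$1/$2.csr" -subj "$3" 2>/dev/null
}

# Constructed stand-in for a CA, for offline testing only: a self-signed
# root, an intermediate signed by it, and an example.com leaf signed by the
# intermediate. Extensions come from small ext files so the CA certificates
# are recognised as CAs by openssl verify.
make_test_chain() {
  dir="$1"
  printf '%s\n' 'basicConstraints=critical,CA:true' \
    'keyUsage=critical,keyCertSign,cRLSign' > "$dir/ca.ext"
  printf '%s\n' 'basicConstraints=CA:false' \
    'subjectAltName=DNS:example.com,DNS:www.example.com' > "$dir/leaf.ext"
  new_csr "$dir" root "/CN=Test Root"
  openssl x509 -req -in "$dir/root.csr" -signkey "$dir/root.key" -days 30 \
    -extfile "$dir/ca.ext" -out "$dir/root.crt" 2>/dev/null
  new_csr "$dir" intermediate "/CN=Test Intermediate"
  openssl x509 -req -in "$dir/intermediate.csr" -CA "$dir/root.crt" \
    -CAkey "$dir/root.key" -CAcreateserial -days 30 \
    -extfile "$dir/ca.ext" -out "$dir/intermediate.crt" 2>/dev/null
  new_csr "$dir" example.com "/CN=example.com"
  openssl x509 -req -in "$dir/example.com.csr" -CA "$dir/intermediate.crt" \
    -CAkey "$dir/intermediate.key" -CAcreateserial -days 30 \
    -extfile "$dir/leaf.ext" -out "$dir/example.com.crt" 2>/dev/null
}
```

With the real files, the sequence is `cert_matches_key example.com.crt example.com.key`, `openssl verify -untrusted intermediate.crt example.com.crt` (system roots), then `build_chain example.com.crt intermediate.crt example.com.chained.crt` and `first_cert_cn example.com.chained.crt`, which should print your domain.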
Edit your Nginx server block configuration file:
sudo nano /etc/nginx/sites-enabled/default
Update the listen directive to enable SSL:
Apache
To manually deploy an SSL certificate on Apache, use the following steps:
Open your default Apache virtual host file for editing:
sudo nano /etc/apache2/sites-available/000-default.conf
Find the <VirtualHost *:80> entry and change it to <VirtualHost *:443> so your web server will listen on port 443:
Add the ServerName directive, if it doesn’t already exist:
ServerName example.com
Specify your certificate and key paths:
SSLEngine on
SSLCertificateFile /home/sammy/example.com.crt
SSLCertificateKeyFile /home/sammy/example.com.key
SSLCACertificateFile /home/sammy/intermediate.crt
To redirect HTTP traffic to HTTPS, add a separate <VirtualHost *:80> block at the top of the file containing the following directives:
ServerName example.com
Redirect permanent / https://example.com/
Enable the Apache SSL module:
sudo a2enmod ssl
Restart Apache to load the new configuration and enable TLS/SSL over HTTPS:
sudo systemctl restart apache2
Test your site by accessing it via HTTPS (e.g., https://example.com). Also, verify the HTTP-to-HTTPS redirection is functioning as expected.
Conclusion
In this tutorial, you learned how to determine when you might need to purchase an SSL certificate from a commercial Certificate Authority (CA), how to compare and contrast the available options, and how to configure Nginx or Apache for HTTPS support. By following these steps, you can ensure your website is secure and provides trust for your visitors.