SSL Certificate signed by Authorities

Well, you can sign your SSL certificates yourself using the OpenSSL library. You can visit this link to learn more about generating an SSL CSR and private key. One disadvantage of this approach is that browsers do not trust certificates signed by you. This type of certificate is called a self-signed certificate, so your visitors will face a warning like this:

[Screenshot from the original post: browser warning for a self-signed certificate]

This will definitely affect your business.

Solution

Unfortunately, we need to pay certificate authorities like Comodo SSL, DigiCert, etc. to sign our certificates. To get a verified certificate we need to supply the provider with a Certificate Signing Request (CSR) file, which we generate using OpenSSL or obtain from services like Heroku or our hosting provider.

Note: The big providers can be much more expensive, so you can try resellers like www.namecheap.com for cheaper rates.

Generating CSR Using Heroku

$ heroku certs:generate *.my-domain.com -a myherokuapp

This will prompt you to enter the details one by one.
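The post mentions generating the CSR with OpenSSL as the alternative to the Heroku command above. The script below is an added example, not from the original post: it creates the private key and a wildcard CSR with OpenSSL, then checks the CSR locally before it is sent to the authority. The domain name, the output directory and the file names are assumptions made for this example; the -addext option needs OpenSSL 1.1.1 or newer.

```shell
# Added example (not from the original post): private key + wildcard CSR with
# OpenSSL, plus a local sanity check of the CSR. Domain and paths are assumed.
DOMAIN="${DOMAIN:-my-domain.com}"
WORKDIR="${WORKDIR:-$(mktemp -d)}"

gen_key_and_csr() {
  # 2048-bit RSA private key. This file never leaves your server: the CA only
  # ever sees the CSR, which carries the public half of the key.
  openssl genpkey -algorithm RSA -pkeyopt rsa_keygen_bits:2048 \
    -out "$WORKDIR/server.key" 2>/dev/null || return 1
  chmod 600 "$WORKDIR/server.key"
  # The CSR lists both the wildcard and the bare domain as Subject Alternative
  # Names, because browsers match the SAN list, not only the Common Name.
  openssl req -new -key "$WORKDIR/server.key" -out "$WORKDIR/server.csr" \
    -subj "/CN=*.$DOMAIN" \
    -addext "subjectAltName=DNS:*.$DOMAIN,DNS:$DOMAIN" 2>/dev/null
}

# A bad CSR costs a round-trip with the CA, so check it locally first:
# 1. the CSR's own signature verifies, and
# 2. the public key inside it belongs to server.key (compare SHA-256 of the
#    DER-encoded public key from both files).
csr_matches_key() {
  openssl req -in "$WORKDIR/server.csr" -noout -verify >/dev/null 2>&1 || return 1
  key_fp=$(openssl pkey -in "$WORKDIR/server.key" -pubout -outform DER 2>/dev/null \
           | openssl dgst -sha256)
  csr_fp=$(openssl req -in "$WORKDIR/server.csr" -noout -pubkey 2>/dev/null \
           | openssl pkey -pubin -outform DER 2>/dev/null | openssl dgst -sha256)
  [ -n "$key_fp" ] && [ "$key_fp" = "$csr_fp" ]
}

# Prints the SAN entries the CA will be asked to certify, for example
# DNS:*.my-domain.com,DNS:my-domain.com
csr_sans() {
  openssl req -in "$WORKDIR/server.csr" -noout -text 2>/dev/null \
    | grep -A1 'Subject Alternative Name' | tail -n 1 | tr -d ' '
}

gen_key_and_csr && csr_matches_key && echo "CSR ready: $WORKDIR/server.csr ($(csr_sans))"
```

The content of server.csr is what gets pasted into the authority's web form; server.key stays on the machine that will terminate TLS (or is uploaded together with the signed certificate, as in the heroku certs:add step later in the post).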

Generating CRT

Normally you open the .csr file in a text editor and copy and paste its content into a text area on the authority's website.

Then they will verify that you are the real owner of that particular domain. You can verify via email, HTTP or DNS. You have to prove that you own that website.

  • Email: A verification email is sent, which you need to read, and then click the verification link.
  • HTTP: They will provide you with a plain text file, which you need to put on the server via FTP or SSH and make sure the file is accessible at http://www.your-domain.com/theverificationfile.txt
  • DNS verification: You must create a special CNAME record in the DNS records for your domain. This record will also be provided after activation.

Depending on the certificate type or brand, you may be asked for different types of information. Certificates that require business validation, for example, will require the business's or company's information. Non-mandatory fields are shown with an “Optional” tag. The administrator's contact information must be submitted using Latin characters (Aa-Zz) and digits (0-9) only.

After verification they will normally provide you with a .crt file and a .ca-bundle or .p7b file.


How Certificate verification works

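What the authority's signature buys you is a chain the browser can walk from your .crt, through the intermediate certificate in the .ca-bundle, to a root it already trusts. The script below is an added example, not from the original post: it builds a throwaway root CA, intermediate CA and server certificate with OpenSSL and then runs openssl verify in the configurations a practitioner actually meets (full chain, .ca-bundle forgotten, root unknown, wrong hostname). All names and paths are made up for the demonstration; in real life the root belongs to the CA and lives in the browser's trust store, and inter.crt plays the part of the .ca-bundle file the CA sends you.

```shell
# Added example (not from the original post): a three-level chain built with
# OpenSSL, then verified the way a browser verifies it. Names/paths are assumed.
D="${D:-$(mktemp -d)}"
DOMAIN="${DOMAIN:-my-domain.com}"

newkey() { openssl genpkey -algorithm RSA -pkeyopt rsa_keygen_bits:2048 -out "$1" 2>/dev/null; }
# newcsr KEY SUBJECT OUT
newcsr() { openssl req -new -key "$1" -subj "$2" -out "$3" 2>/dev/null; }

build_chain() {
  newkey "$D/root.key" && newkey "$D/inter.key" && newkey "$D/server.key" || return 1

  # Root CA: self-signed, CA:TRUE. Extensions come from an explicit file so the
  # result does not depend on the system openssl.cnf.
  newcsr "$D/root.key" "/CN=Example Root CA" "$D/root.csr"
  printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign,cRLSign\n' > "$D/ca.ext"
  openssl x509 -req -in "$D/root.csr" -signkey "$D/root.key" -days 3650 \
    -extfile "$D/ca.ext" -out "$D/root.crt" 2>/dev/null || return 1

  # Intermediate CA: signed by the root. This is what a CA ships as .ca-bundle.
  newcsr "$D/inter.key" "/CN=Example Intermediate CA" "$D/inter.csr"
  openssl x509 -req -in "$D/inter.csr" -CA "$D/root.crt" -CAkey "$D/root.key" \
    -CAcreateserial -days 1825 -extfile "$D/ca.ext" -out "$D/inter.crt" 2>/dev/null || return 1
  cp "$D/inter.crt" "$D/server.ca-bundle"

  # Server certificate: signed by the intermediate, SAN carries the names browsers match.
  newcsr "$D/server.key" "/CN=*.$DOMAIN" "$D/server.csr"
  printf 'basicConstraints=CA:FALSE\nsubjectAltName=DNS:*.%s,DNS:%s\n' "$DOMAIN" "$DOMAIN" > "$D/server.ext"
  openssl x509 -req -in "$D/server.csr" -CA "$D/inter.crt" -CAkey "$D/inter.key" \
    -CAcreateserial -days 365 -extfile "$D/server.ext" -out "$D/server.crt" 2>/dev/null
}

# What a client does: walk server.crt -> intermediate -> a root it already trusts.
verify_full_chain() {
  openssl verify -CAfile "$D/root.crt" -untrusted "$D/server.ca-bundle" "$D/server.crt" >/dev/null 2>&1
}
# Same chain, plus the hostname check: the name the browser connected to must
# appear in the SAN list (the wildcard covers exactly one label).
verify_for_host() {
  openssl verify -CAfile "$D/root.crt" -untrusted "$D/server.ca-bundle" \
    -verify_hostname "$1" "$D/server.crt" >/dev/null 2>&1
}
# Forgot to install the .ca-bundle: the root is trusted but the link to it is missing.
verify_missing_bundle() {
  openssl verify -CAfile "$D/root.crt" "$D/server.crt" >/dev/null 2>&1
}
# Root not in the trust store: the self-signed / unknown-CA case that makes browsers warn.
verify_untrusted_root() {
  openssl verify -no-CAfile -no-CApath -untrusted "$D/server.ca-bundle" "$D/server.crt" >/dev/null 2>&1
}

build_chain || exit 1
verify_full_chain               && echo "full chain:         trusted"
verify_for_host "www.$DOMAIN"   && echo "www.$DOMAIN:        name matches"
verify_missing_bundle           || echo "without ca-bundle:  rejected"
verify_untrusted_root           || echo "unknown root:       rejected"
```

The "without ca-bundle" case is the one that bites most often in practice: the certificate itself is fine, but a server configured with only the .crt makes every client that does not already cache the intermediate fail verification. This is why the Heroku output later in the post says "Resolving trust chain": the platform is locating that intermediate for you.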

Setting up your new SSL Certificate

Heroku

Put your .crt and .key files in a directory, change into that directory and run:

$ heroku certs:add [server.crt] [server.key] -a myherokuapp
Resolving trust chain... done
Adding SSL Endpoint to myherokuapp... failed
 ! Only one SSL endpoint is allowed per app (try certs:update instead).

Well, then I need to update:

$ heroku certs:update server.crt server.key -a myherokuapp
Resolving trust chain... done

! WARNING: Potentially Destructive Action
 ! This command will change the certificate of endpoint yamanashi-6XX7.herokussl.com on myherokuapp.
 ! To proceed, type "myherokuapp" or re-run this command with --confirm myherokuapp

> thepact
Updating SSL Endpoint yamanashi-6XX7.herokussl.com for myherokuapp... done
Updated certificate details:
Common Name(s): *.my-domain.com
 my-domain.com

Expires At: 2017-04-17 23:59 UTC
Issuer: /C=GB/ST=Greater Manchester/L=Salford/O=COMODO CA Limited/CN=COMODO RSA Domain Validation Secure Server CA
Starts At: 2016-04-15 00:00 UTC
Subject: /OU=Domain Control Validated/OU=PositiveSSL Wildcard/CN=*.my-domain.com
SSL certificate is verified by a root authority.

Getting Private Key File if generated by Host Provider

If you did not generate the .csr manually, you probably don't have your private key file, which you need in order to set up the certificate on your web server. You probably have access to your host server via FTP or SSH; you can find the corresponding private key and CSR file there.

Why would I need to download the private key if it's already on my host server and works perfectly?

-> Well, if your my-domain.com is hosted on one server and subdomain.my-domain.com on another, then you need the pair (.csr and .key) to certify your other server.

Useful links

https://www.namecheap.com/support/knowledgebase/article.aspx/794/67/how-do-i-activate-an-ssl-certificate

One thought on “SSL Certificate signed by Authorities”

  1. Why not buy it straight from Comodo? It’s cheaper.
  2. No need to pay for DV, ’cause Let’s Encrypt issues it for free and it’s no less secure.
  3. If your site is large and needs an EV or better cert then just go to better sites like Network Solutions
