Well, you can sign your SSL certificates yourself using the OpenSSL library. You can visit this link to learn more about generating an SSL CSR and private key. One disadvantage of this approach is that browsers do not trust certificates signed by you. These are called self-signed certificates. So your visitors will face weird situations like
This will definitely affect your business.
Unfortunately, we need to pay certificate authorities like Comodo SSL, DigiCert, etc. to verify our certificates. To get a verified certificate we need to supply the provider with a Certificate Signing Request (CSR) file, which we can generate using OpenSSL or obtain from services like Heroku or our hosting service provider.
Note: The giant providers can be much more expensive, so you can try resellers like www.namecheap.com for cheaper rates.
Generating CSR Using Heroku
$ heroku certs:generate *.my-domain.com -a myherokuapp
This will prompt you to enter the details one by one.
Normally you need to open the .csr file in a text editor, then copy and paste its content into a text-area field on the authority's website.
Then they will verify that you are the real owner of that particular domain. You can verify via Email, HTTP or DNS verification; in every case you have to prove that you own that domain.
- Email: A verification email is sent which you need to read and click the verification link.
- HTTP: They will provide you with a plain text file, which you need to put on the server via FTP or SSH and make sure it is accessible via http://www.your-domain.com/theverificationfile.txt
- DNS Verification: You must create a special CNAME record in the DNS records for your domain. This record will also be provided after the activation.
Depending on the certificate type or brand, you may be asked for different types of information. Certificates that require business validation, for example, will require the business' or company's information. Non-mandatory fields are shown with an "Optional" tag. The administrator's contact information must be submitted using Latin characters (Aa-Zz) and digits (0-9) only.
After verification they will normally provide you with a .crt file and a .ca-bundle or .p7b file.
Setting up your new SSL Certificate
Put your .crt and .key files in a directory, cd to that path, and run
$ heroku certs:add [server.crt] [server.key] -a myherokuapp
Resolving trust chain... done
Adding SSL Endpoint to myherokuapp... failed
 !    Only one SSL endpoint is allowed per app (try certs:update instead).
Well, then I need to update:
$ heroku certs:update server.crt server.key -a myherokuapp
Resolving trust chain... done
 !    WARNING: Potentially Destructive Action
 !    This command will change the certificate of endpoint yamanashi-6XX7.herokussl.com on myherokuapp.
 !    To proceed, type "myherokuapp" or re-run this command with --confirm myherokuapp
> thepact
Updating SSL Endpoint yamanashi-6XX7.herokussl.com for myherokuapp... done
Updated certificate details:
Common Name(s): *.my-domain.com
                my-domain.com
Expires At:     2017-04-17 23:59 UTC
Issuer:         /C=GB/ST=Greater Manchester/L=Salford/O=COMODO CA Limited/CN=COMODO RSA Domain Validation Secure Server CA
Starts At:      2016-04-15 00:00 UTC
Subject:        /OU=Domain Control Validated/OU=PositiveSSL Wildcard/CN=*.my-domain.com
SSL certificate is verified by a root authority.
Getting Private Key File if generated by Host Provider
If you have not manually generated the .csr, then you probably don't have your private key file, which is required to set up the certificate on your web server. You probably have access to your host server via FTP or SSH; you can find the corresponding private key and CSR file there.
Why would I need to download the private key if it's already on my host server and works perfectly?
-> Well, if your my-domain.com is hosted on one server and subdomain.my-domain.com on another, then you need the pair (.csr and .key) to certify your second server.
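Before running the destructive `heroku certs:update` above, and when picking the key file off a host server as just described, it is worth checking that the .key, the .csr and the .crt you are about to upload actually belong together, and that the returned bundle chains the certificate. The following script is an added example, not code from the original post; the file names and the self-signed stand-in for the CA are assumptions made so it runs offline.

```shell
#!/bin/sh
# Added example, not part of the original post. Before the destructive
# `heroku certs:update`, confirm that the private key, the CSR you submitted
# and the certificate the CA returned all carry the same public key, and that
# the CA bundle actually chains the leaf certificate. Paths are assumptions.
set -eu

# SHA-256 of the DER-encoded public key found in a key, a CSR or a cert.
# The same key pair yields the same value from all three; a mismatch means a
# wrong file or a key regenerated after the CSR was sent to the CA.
pubkey_fp() {
  case "$1" in
    key)  openssl pkey -in "$2" -pubout -outform DER ;;
    csr)  openssl req  -in "$2" -pubkey -noout | openssl pkey -pubin -outform DER ;;
    cert) openssl x509 -in "$2" -pubkey -noout | openssl pkey -pubin -outform DER ;;
  esac | openssl dgst -sha256 | awk '{print $NF}'
}

# Exit status 0 when key, CSR and certificate belong together.
check_match() {
  k=$(pubkey_fp key "$1"); r=$(pubkey_fp csr "$2"); c=$(pubkey_fp cert "$3")
  [ "$k" = "$r" ] && [ "$k" = "$c" ]
}

# Exit status 0 when the leaf certificate verifies against the CA bundle
# (the .ca-bundle file the CA sends back next to the .crt).
check_chain() {
  openssl verify -CAfile "$2" "$1" >/dev/null 2>&1
}

# Constructed demo: a fresh key and CSR, self-signed so the one certificate
# stands in for both the leaf and the bundle; no real CA involved.
demo() {
  d=$(mktemp -d)
  openssl req -new -newkey rsa:2048 -nodes -keyout "$d/server.key" \
    -subj "/CN=*.my-domain.com" -out "$d/server.csr" 2>/dev/null
  openssl x509 -req -in "$d/server.csr" -signkey "$d/server.key" -days 1 \
    -out "$d/server.crt" 2>/dev/null
  openssl genpkey -algorithm RSA -out "$d/other.key" 2>/dev/null  # unrelated key
  check_match "$d/server.key" "$d/server.csr" "$d/server.crt" && echo "server.key matches CSR and cert"
  check_match "$d/other.key" "$d/server.csr" "$d/server.crt" || echo "other.key does NOT match: do not upload it"
  check_chain "$d/server.crt" "$d/server.crt" && echo "chain verifies"
  rm -rf "$d"
}

demo
```

With a real order, call `check_match server.key server.csr server.crt` and `check_chain server.crt server.ca-bundle` on your own files; a non-zero exit from either is the signal to stop before `certs:update`.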