Creating an SSL certificate - step by step
Published: Sun, 26 Feb 2012 14:17:57 GMTWhat is an SSL certificate?
At its most basic level, an SSL certificate is used to encrypt electronic communication, to authenticate users or devices, and to sign electronic communication.
There are various types of SSL certificate - Web Server certificates, Email certificates, code signing certificates etc. Here, I will describe the process of creating a new SSL certificate for use on a website as this is the most common use for certificates. At some point, I may write further guides describing different types too.
What are the components of an SSL certificate?
SSL certificates contain a number of pieces of information:
Subject - the name of the entity being identified by the certificate.
Private key - never seen by the client.
Public key - associated with the private key.
Issuer - the name of the Certification Authority who has signed the certificate.
Serial number - a unique identifier for the certificate
Validity period - the start and end dates between which the certificate can be considered valid.
Usage - a description of what the associated public/private key pair can be used for.
Digital Signature - the signature of the issuer.
The certificate uses Public Key cryptography to encrypt, sign and authenticate. The private key is known only to the owner of the certificate. A piece of information encrypted with this key can only be decrypted by the associated public key.
How do we communicate securely?
Let's assume a situation where I want to communicate securely with you.
I make a connection to your web server and request your certificate.
Your server supplies the certificate which contains your public key.
I generate a master key which we will both use to encrypt our communication.
I encrypt the master key with your public key and send it to you. You are the only person who can decrypt the master key as you are the only person who knows your private key.
We have now securely exchanged a master key without anyone else being able to know it and can communicate securely.
What is signing?
In the same way you can sign a letter to 'prove' that it was written by you (assuming no one is capable of forging your signature), you can digitally sign an electronic communication to prove it was created by you - this also confirms that the content has not been changed since you signed it (and means you can't deny the document was created by you)
When you digitally sign a document, you hash the content of teh document and encrypt the hash value with your private key. This is then sent with your certificate and the document.
When I receive the signed document, I can decrypt the hash using your public key from the certificate.
I then hash the document myself and confirm the two hashes match.
But, how do I know you are you?
Communicating securely is fine, but how do I know you are who you claim to be and not someone pretending to be you?
Public Key Cryptography to the rescue again!
When you create a certificate, you can have it signed by a Certification Authority (CA) - they will do some checks to confirm your identity; generally by doing a WHOIS search against your domain name and verifying your name and address. Once they have established that you own the domain for which you are creating the certificate, they will digitally sign the certificate for you. This means they are vouching for your identity.
Every web browser comes with a list of CAs which it trusts - there are hundreds of them. When I receive your certificate, I check who it was issued by. If it was issued by a CA which I trust, I am able to confirm that it is signed by them and I know that I can trust the certificate.
Great, how do I create a web certificate then?
The high level steps to create a certificate signed by a CA are:
- Create a public/private key pair.
- Send the public key and certificate info to a trusted CA
- The CA creates and signs a certificate which contains your domain name and private key.
- You install the certificate on your web sever where it is associated with the private key.
Creating the key pair
I will use the Microsoft IIS web sever as an example because I am most familiar with it. Other web severs use similar steps.
IIS has a wizard to step you through creating a certificate...
In IIS, right-click on your website and choose 'properties'.
On the Directory Security tab, click the Server Certificate button this will open the wizard. Choose 'Create a new certificate' then 'Prepare the request now, but send it later'.
Enter the details as you are prompted for them and, at the end, save the certificate request somewhere you can find it.
You have now created the keypair and prepared a Certificate Signing Request (CSR) ready to submit to your favorite Certification Authority.
The CSR is a block of text which is uploaded to the CA as part of the enrolment process. Once enrolment is complete, the CA will provide you with your new certificate - either as some text displayed on screen or as a file in an email. Either way, it should be saved as a file on your web server.
Installing to certificate
Back in the certificate wizard in IIS, choose 'Process the pending request'
Choose the file supplied by your CA and follow the wizard to install your certificate.
The certificate should now be served when you visit the website in your browser on port 443. (https://)
You should probably make a secure backup of the certificate now by exporting it from the certificates snap-in.
For Apache servers, the CSR is created using the OpenSSL software - there are plenty of guides online.
If you have found this article useful, please consider purchasing an SSL certificate from Godaddy using my affiliate link - http://x.co/lesault - It will help me keep the site online!
Thanks.