This guide details the process for creating a self-signed SSL certificate, suitable for personal use or for applications used internally within an organization. The end product may be used with SSL-capable software such as web or email servers. We assume that you've followed the steps outlined in our [Getting Started guide](/docs/getting-started/), and that you're logged into your Linode as root via a shell session.
18
+
This guide details the process for creating a self-signed SSL certificate, suitable for personal use or for applications used internally within an organization. We assume that you've followed the steps outlined in our [Getting Started guide](/docs/getting-started/), and that you're logged into your Linode as the root user. If you intend to use your SSL certificate on a website powered by Apache, you can continue to our [SSL Certificates with Apache on CentOS 7](/docs/security/ssl/ssl-apache2-centos) guide once you've completed the process outlined here.
19
+
20
+
For an SSL setup with the Nginx web server, please start with our [Nginx and SSL](/docs/security/ssl/provide-encrypted-resource-access-using-ssl-certificates-on-nginx) guide.
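Review bot: The rewritten intro at added line 18 never names the distribution, although it links to the CentOS 7 Apache guide; the Debian/Ubuntu counterpart says "on Debian or Ubuntu" in its first sentence. Suggest "creating a self-signed SSL certificate on CentOS" so a reader arriving from search knows which guide they are in. The two guides also differ in the Nginx sentence ("the Nginx web server" here, "Nginx" in the other); pick one wording.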
This guide details the process for creating a self-signed SSL certificate on Debian or Ubuntu. Self-signed certificates are suitable for personal use or for applications used internally within an organization. We assume that you've followed the steps outlined in our [Getting Started guide](/docs/getting-started/), and that you're logged into your Linode as root via a shell session.
18
+
This guide details the process for creating a self-signed SSL certificate on Debian or Ubuntu. Self-signed certificates are suitable for personal use or for applications used internally within an organization. We assume that you've followed the steps outlined in our [Getting Started guide](/docs/getting-started/), and that you're logged into your Linode as the root user. If you intend to use your SSL certificate on a website powered by Apache, you can continue to our [SSL Certificates with Apache on Debian & Ubuntu](/docs/security/ssl/ssl-apache2-debian-ubuntu) guide once you've completed the process outlined here.
19
+
20
+
For an SSL setup with Nginx, please start with our [Nginx and SSL](/docs/security/ssl/provide-encrypted-resource-access-using-ssl-certificates-on-nginx) guide.
docs/security/ssl/obtaining-a-commercial-ssl-certificate-centos-fedora.md
71 additions & 11 deletions
@@ -21,29 +21,39 @@ For an SSL setup with Nginx, please start with our [Nginx and SSL](/docs/securit
21
21
22
22
If you're hosting multiple websites with commercial SSL certificates on the same IP address, you'll need to use the [SNI](https://wiki.apache.org/httpd/NameBasedSSLVHostsWithSNI) extension of TLS. SNI is accepted by most modern web browsers, but if you expect to receive connections from clients running legacy browsers (Like Internet Explorer for Windows XP), you will need to [contact support](/docs/platform/support) to request an additional IP address.
23
23
24
-
{: .note}
25
-
>
26
-
>This guide assumes that you are logged in as the root user, and that you will not need to prepend commands with `sudo`.
24
+
## Before You Begin
25
+
26
+
1. Complete our [Getting Started](/docs/getting-started)and [Securing Your Server](/docs/securing-your-server) guides.
27
27
28
-
## Install OpenSSL
29
28
30
-
Issue the following commands to install required packages for OpenSSL, the open source SSL toolkit.
29
+
2. Ensure that your packages are up to date by running `yum upgrade`
31
30
32
-
yum update
33
-
yum install openssl
31
+
32
+
3. Log in to your Linode as the root user, or escalate to root privileges.
34
33
35
34
## Create a Certificate Signing Request
36
35
37
-
Issue these commands to create a certificate signing request (CSR) for the site that will be using SSL. Be sure to change "example.com" to reflect the fully qualified domain name (subdomain.example.com) of the site you'll be using SSL with. Leave the challenge password blank. We entered 365 for the days parameter to the command, as we would be paying for one year of SSL certificate verification from a commercial certificate authority (CA).
36
+
Issue these commands to create a certificate signing request (CSR) for the site that will be using SSL. Be sure to change "example.com" to reflect the fully qualified domain name (subdomain.example.com) of the site you'll be using SSL with. Leave the challenge password blank.
38
37
39
38
{: .note}
40
39
>
41
-
>While some CA providers will automatically include the "www" subdomain when issuing certificates for a root domain such as example.com, others do not. If you wish to secure multiple subdomains using the same certificate, you will need to create a [wildcard certificate](https://en.wikipedia.org/wiki/Wildcard_certificate) or make use of [subject alternative names](https://www.linode.com/docs/security/ssl/multiple-ssl-sites-using-subjectaltname).
40
+
>While some CA providers will automatically include the "www" subdomain when issuing certificates for a root domain such as example.com, others do not. If you wish to secure multiple subdomains using the same certificate, you will need to create a [wildcard certificate](https://en.wikipedia.org/wiki/Wildcard_certificate).
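Review bot: In the new "Before You Begin" list, step 3 (log in as root or escalate) comes after step 2, which already needs root to run `yum upgrade`; move the root step ahead of the upgrade. Two small fixes in the same list: step 1 is missing a space in "(/docs/getting-started)and", and step 2 has no closing period, unlike the Debian/Ubuntu version of the same step.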
Here are the values we entered for our example certificate. Note that you can ignore the extra attributes.
46
+
The first command navigates to the `/etc/ssl` directory. The second command generates a secure key, as well as a certificate signing request. A brief explanation of the options used:
47
+
48
+
*`-nodes` instructs OpenSSL to create a certificate that does not require a passphrase. If this option is excluded, you will be required to enter the the passphrase in the console each time the application using it is restarted.
49
+
50
+
*`-days` determines the length of time in days that the certificate is being issued for. We entered 365 for the days parameter to the command, as we would be paying for one year of SSL certificate verification from a commercial certificate authority (CA).
51
+
52
+
*`rsa:` allows you to specify the size of the RSA key. In this case we've chosen 2048 bits as this is the recommended minimum size.
53
+
54
+
*`-sha256` ensures that the certificate request is generated using 265-bit SHA (Secure Hash Algorithm).
55
+
56
+
Here are the values we entered for our example certificate. Note that you can ignore the 'extra' attributes.
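Review bot: The option descriptions added at lines 48 to 54 are inaccurate in three places. `-nodes` leaves the private key unencrypted on disk; it does not create "a certificate that does not require a passphrase", and the text should say so and tell the reader to restrict read access to the key file. `-days` is described as setting the certificate lifetime, but the paragraph above says this command produces a key and a CSR, and for a CSR the validity period is set by the CA when it signs, so `-days` has no effect unless `-x509` is used. "265-bit SHA" should read "256-bit", and "the the passphrase" has a doubled word. The same list is added to the Debian/Ubuntu file and needs the same corrections.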
Once you've downloaded your root certificate, you can add it to the `/etc/pki/tls/certs` directory. For example, if you were to download a root certificate for Verisign, you would save it to `/etc/pki/tls/certs/verisign.cer`.
106
+
## Adding Your Root Certificate to the CA Bundle
107
+
108
+
You can add root certificates to the bundle by enabling dynamic CA configuration:
109
+
110
+
update-ca-trust force-enable
111
+
112
+
Next you'll need to copy the certificate file over to the appropriate directory, and then update the bundle:
In some cases, CAs have not submitted a Trusted Root CA Certificate to some or all browser vendors. Because of this, you can choose to *chain* roots for certificates to be trusted by web browsers. If you receive several files from your CA ending with `.crt`(collectively referred to as a `chained SSL certificate`), they must be linked into one file, in a specific order, to provide full support with most browsers. The following example uses a chained SSL certificate that was signed by Comodo. Enter the following command to prepare your chained SSL certificate:
docs/security/ssl/obtaining-a-commercial-ssl-certificate-debian-ubuntu.md
67 additions & 11 deletions
@@ -21,29 +21,36 @@ For an SSL setup with Nginx, please start with our [Nginx and SSL](/docs/securit
21
21
22
22
If you're hosting multiple websites with commercial SSL certificates on the same IP address, you'll need to use the [SNI](https://wiki.apache.org/httpd/NameBasedSSLVHostsWithSNI) extension of TLS. SNI is accepted by most modern web browsers, but if you expect to receive connections from clients running legacy browsers (Like Internet Explorer for Windows XP), you will need to [contact support](/docs/platform/support) to request an additional IP address.
23
23
24
-
{: .note}
25
-
>
26
-
>This guide assumes that you are logged in as the root user, and that you will not need to prepend commands with `sudo`.
24
+
## Before You Begin
27
25
28
-
## Install OpenSSL
26
+
1. Complete our [Getting Started](/docs/getting-started) and [Securing Your Server](/docs/securing-your-server) guides.
29
27
30
-
Issue the following commands to install required packages for OpenSSL, the open source SSL toolkit.
28
+
2. Ensure that your packages are up to date by running `apt-get update && apt-get upgrade`.
31
29
32
-
apt-get update && apt-get upgrade
33
-
apt-get install openssl
30
+
3. Log in to your Linode as the root user, or escalate to root privileges.
34
31
35
32
## Create a Certificate Signing Request
36
33
37
-
Issue these commands to create a certificate signing request (CSR) for the site that will be using SSL. Be sure to change "example.com" to reflect the fully qualified domain name (subdomain.example.com) of the site you'll be using SSL with. Leave the challenge password blank. We entered 365 for the days parameter to the command, as we would be paying for one year of SSL certificate verification from a commercial certificate authority (CA).
34
+
Issue these commands to create a certificate signing request (CSR) for the site that will be using SSL. Be sure to change "example.com" to reflect the fully qualified domain name (subdomain.example.com) of the site you'll be using SSL with. Leave the challenge password blank.
38
35
39
36
{: .note}
40
37
>
41
-
>While some CA providers will automatically include the "www" subdomain when issuing certificates for a root domain such as example.com, others do not. If you wish to secure multiple subdomains using the same certificate, you will need to create a [wildcard certificate](https://en.wikipedia.org/wiki/Wildcard_certificate) or make use of [subject alternative names](https://www.linode.com/docs/security/ssl/multiple-ssl-sites-using-subjectaltname).
38
+
>While some CA providers will automatically include the "www" subdomain when issuing certificates for a root domain such as example.com, others do not. If you wish to secure multiple subdomains using the same certificate, you will need to create a [wildcard certificate](https://en.wikipedia.org/wiki/Wildcard_certificate).
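Review bot: Removing the "Install OpenSSL" section leaves no step that installs the `openssl` package: step 2's `apt-get update && apt-get upgrade` only upgrades packages that are already present, so on an image without it the CSR commands in the next section will fail. Either keep `apt-get install openssl` as a prerequisite step or state that the package is assumed to be installed (the CentOS/Fedora file has the same gap with `yum install openssl`). Separately, the note at line 38 drops the subject alternative names link but still says you "will need to create a wildcard certificate", which now presents a wildcard as the only way to cover several subdomains; reword to "can" or keep the SAN option.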
Here are the values we entered for our example certificate. Note that you can ignore the extra attributes.
43
+
The first command navigates to the `/etc/ssl` directory. The second command generates a secure key, as well as a certificate signing request. A brief explanation of the options used:
44
+
45
+
*`-nodes` instructs OpenSSL to create a certificate that does not require a passphrase. If this option is excluded, you will be required to enter the the passphrase in the console each time the application using it is restarted.
46
+
47
+
*`-days` determines the length of time in days that the certificate is being issued for. We entered 365 for the days parameter to the command, as we would be paying for one year of SSL certificate verification from a commercial certificate authority (CA).
48
+
49
+
*`rsa:` allows you to specify the size of the RSA key. In this case we've chosen 2048 bits as this is the recommended minimum size.
50
+
51
+
*`-sha256` ensures that the certificate request is generated using 265-bit SHA (Secure Hash Algorithm).
52
+
53
+
Here are the values we entered for our example certificate. Note that you can ignore the 'extra' attributes.
Once you've downloaded your root certificate, you can add it to the `/etc/ssl/certs` directory. For example, if you were to download a root certificate for Verisign, you would save it to `/etc/ssl/certs/verisign.cer`.
103
+
## Adding Your Root Certificate to the CA Bundle
104
+
105
+
If your ca-certificates bundle does not include your certificate authority's root cert, you can add it manually by moving the file to the source directory:
Issue this command to update the bundle with your new root certificate:
110
+
111
+
update-ca-certificates
112
+
113
+
## Preparing a Chained SSL Certificate
114
+
115
+
In some cases, CAs have not submitted a Trusted Root CA Certificate to some or all browser vendors. Because of this, you can choose to *chain* roots for certificates to be trusted by web browsers. If you receive several files from your CA ending with `.crt`(collectively referred to as a `chained SSL certificate`), they must be linked into one file, in a specific order, to provide full support with most browsers. The following example uses a chained SSL certificate that was signed by Comodo. Enter the following command to prepare your chained SSL certificate:
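Review bot: The "Preparing a Chained SSL Certificate" paragraph added at line 115 says the files must be linked "in a specific order" but the sentence never states that order; spell it out in the prose so a reader who substitutes another CA's file names does not have to infer it from the Comodo example. The wording "chain roots" is also misleading, since the extra `.crt` files a CA sends are normally intermediate certificates that link the server certificate to a root the browser already trusts. In the CA bundle section above, consider telling the reader to verify the downloaded root certificate's fingerprint against the value the CA publishes before running `update-ca-certificates`, because that command makes every application on the host trust it. Minor: a space is missing in "`.crt`(collectively".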