Adding an (SHA256 signed) SSL certificate
Join the DZone community and get the full member experience.Join For Free
I've had to update the SSL certificate quite a few times on jsbin.com in the last 6 months, and I keep a cheatsheet of SSL steps on my machine. So it's about time I publish it somewhere that I can google too!
This walkthrough explains how to add an SSL certificate to your server. This is based on using a linux based machine (in my case Ubuntu) and nginx as the server.
I registered my SSL certificate via namecheap from RapidSSL which is actually a shell for GeoTrust.
If you're reissuing a certificate to upgrade to SHA256 (from SHA-1) (because SHA-1 is being ditched) from RapidSSL you must reissue directly from them. See this comment for full details.
Assuming my site is example.com, I'm using
example as the main filename.
openssl genrsa -aes256 -out example-encrypted.key 2048 openssl rsa -in example-encrypted.key -out example-decrypted.key openssl req -new -sha256 -key example-decrypted.key -out example.csr
The last command will generate the CSR which will go off to your SSL issuer. I have this a cheatsheet for the prompts (if you're based in the UK, since
Locality might not mean much):
- Country name:
GB, a country code, not name
East Sussex, county if you're in the UK
Brighton, your city
My Company Ltd
- Org unit: leave empty
- Common name:
www.example.com, the full domain for the cert
- Leave the rest blank (email, challenge password & company name)
Note: if you have a wildcard certificate, then the common name is
example.csr contents to reissued SSL cert, and agree to all the emails.
You should get an email from the SSL issue with the certificate. Save the contents of 'certificate' in
Now get the intermediate certificate (I'm using RapidSSL's SHA256 cert) and combine into a single bundled file - note that the order is important:
cat example.crt intermediate.crt > bundle.crt
RapidSSL specific note: I found that the GeoTrust certificate (part of the intermediate certificate that I downloaded above) was still SHA-1 signed. So I dropped it, only bundling my own certificate and the rapidSSL certificate (so less certificates) and now I get the green lock from Chrome Canary. Note: I'm not 100% if this is okay, but it does seem valid.
Finally, make sure nginx (in my case) is using the bundle and the key used to generate the csr:
ssl on; ssl_certificate /WWW/example.com/certs/bundle.crt; ssl_certificate_key /WWW/example.com/certs/example-decrypted.key;
Then restart nginx:
nginx -s reload
References & tools:
- shaaaaaaaaaaaaa (for checking SHA-1)
- SSL labs (for deep SSL analysis)
- common openssl commands
Published at DZone with permission of Remy Sharp, DZone MVB. See the original article here.
Opinions expressed by DZone contributors are their own.