What is an SSL Certificate?
SSL Certificates are small data files that digitally bind a cryptographic key to an organization's details. When installed on a web server, it activates the padlock and the HTTPS protocol and allows secure connections from a web server to a browser. You used to see a green padlock icon before the browser search bar, but as of August 2020, most browsers no longer display it.
You can also get SSL for free!
You can get a free SSL using Let's Encrypt. Most developers use this as it is free, but you need to reset it often, and I was in a timecrunch and didn't want to have to every three months. (Let's Encrypt certificates are valid for 90 days. There is no way to adjust this; there are no exceptions. They recommend automatically renewing your certificates every 60 days. So the process can be automated).
Fast and easy SSL (but not free)
ICS has a Proof Of Concept(POC) project using SLO (Single Log Out) with Okta that will need an SSL certificate. So I wanted to find a fast, inexpensive way to get an SSL and add it to my Digital Ocean (DO) Ubuntu server.
So to save time, I bought an SSL Certificate. Since I use Namecheap to buy domains, I used them to pay for their cheapest SSL called PositiveSSL, which was $5.99/yr - https://www.namecheap.com/security/ssl-certificates/ (as of 6/28/2021)
I bought the domain singlelogout.com (can you believe that domain was still available?)
Here are the instructions to point the domain to DO - https://www.namecheap.com/support/knowledgebase/article.aspx/10375/2208/how-do-i-link-a-domain-to-my-digitalocean-account/
You need to point the droplet to the domain, and the following instructions walk you through those steps - https://kaloraat.com/articles/add-domain-to-digital-ocean-droplet
I used the basic Ubuntu box (1GB Memory, 25 GB Disk) to set it up. I am using SSH to log into the root with a password. best practice you should not use root but create a different user
So now...
- I have a DO droplet (server)
- My domain points to the DO droplet
- I can log into the root of my droplet using
$ ssh@1.2.3.4
and then entering my root password (make sure you put this password in a safe place because you will use it often)
But how do I add the SSL Certificate I bought on Namecheap to this DO Droplet?
How To Install an SSL Certificate from a Commercial Certificate Authority
I just bought a certificate for a single domain, and I am using the level of validation that is a Domain Validation.
Generating the CSR and Private Key
note You need to be logged into the DO droplet to do this.
Since I am using an Nginx as my webserver, I will use openssl.
To generate a private key, called example.com.key,
and a CSR, called example.com.csr,
run this command (replace the example.com
with the name of your domain):
$ openssl req -newkey rsa:2048 -nodes -keyout singlelogout.com.key -out singlelogout.csr
- At this point, you are prompted for several lines of information that are added to your certificate request
- note The most important part is the
Common Name
field which should match the name that you want to use your certificate with
I found the Common Name confusing
For Common Name,
I erroneously entered https://singlelogout.com
and this caused an error when I pasted the generated .csr
file into Namecheap. To avoid this error use the domain name for Common Name singlelogout.com
(why they call it a Common Name instead of a domain name beats me)
Here is a sample of the questions with my answers:
Country Name (2 letter code) [AU]:US
State or Province Name (full name) [Some-State]:Los Angeles
Locality Name (eg, city) []:Los Angeles
Organization Name (eg, company) [Internet Widgits Pty Ltd]: ICS
Organizational Unit Name (eg, section) []:
Common Name (e.g., server FQDN or YOUR name) []:singlelogout.com
Email Address []:me@ics.com
note It also asks you for a password, but in my research, the password is deprecated - so I left password blank (press enter to accept null default value)
note This will generate a
.key
and.csr
file- The
.key
file is your private key and should be kept secure - The
.csr
file is what you will send to the CA to request your SSL certificate
- The
What text is inside the .csr
?
It resembles (see text fragment below):
-----BEGIN CERTIFICATE REQUEST-----
MIIDKzCCAhMCAQAwgYAxGTAXBgNVBAMMEHNpbmdsZWxvZ291dC5jb20xFTATBgNV
BAcMDFNlbGxlcnN2aWxsZTELMAkGA1UECAwCUEExDDAKBgNVBAoMA0lDUzEkMCIG
CSqGSIb3DQEJARYVaG93bGV5LnBoaWxAZ21haWwuY29tMQswCQYDVQQGEwJVUzCC
ASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBAKnE+ds4wQtBKQ/g1d0L550U
99p6zOQ7qMnR6a525Jc+4BIiWxI1YXGIC3rPMU5M9h+Z6SMBFj17T3flpXRPkOzw
lZpvKmwiYRjZhGqSAt/sGOtjmfb3m4FB7+isQKL6zSP3jGVR9ubEryK3MOC8IuKn
1d9IL+gkVwS94s67KOB0T5zIDjUmdFXb/zquBENQKyeSzR2mwZ5JwUSbTfmiw+sq
U/xZNnhyOH1KqLSCIsQVAbjOB8D4DttcXvOgHvl3Xn05AibQCa3W54+/D0O8B7nV
S0wziRk6mupfF/9o0nXyedHnbNNJUaHcZ3SM4YCaOqje/+XSvw81Xm/B8jh0bvsC
AwEAAaBlMGMGCSqGSIb3DQEJDjFWMFQwCQYDVR0TBAIwADALBgNVHQ8EBAMCBaAw
HQYDVR0lBBYwFAYIKwYBBQUHAwEGCCsGAQUFBwMCMBsGA1UdEQQUMBKCEHNpbmds
ZWxvZ291dC5jb20wDQYJKoZIhvcNAQELBQADggEBAEZOBygGekGn13FG0ygN593L
cbOHhFCye/nbyJnZkfYlwpNoHzr8UoYSa3ulWvRZvvVSi5Zly3kGB1Ryl7GgcW67
5MzunxifmY3TUsKPb/DvYJkHg79YTiYiJPhIV+2e1GHpjDCDhhf1smQAgptweC0N
ABmIoVoQ0IhklrAIDY+dHtiM0Q6wcEi/QX3TaMn7HOlgaQntLloLhhlh6Zsi5udk
v40AYQ/V72l/OknKpoqOM8LLBiAYRg9D7V+jXQZ0kJNZ/Ho3rncxpPNjYXLj8BHl
WlTpCdTmnH1o1ii1n+1DjM6ZxM0P06qzsBdWCIRucemRF3lTrv58bbu+Gep+7Fw=
-----END CERTIFICATE REQUEST-----
Copying to .csr to your machine clipboard is a bit tricky
When you copy it, you start with the -----BEGIN CERTIFICATE REQUEST-----
and end with the -----END CERTIFICATE REQUEST-----
- But there is a slight problem when you generate this file you want to copy it to the clipboard - you can not!
- This is a problem because you need to paste the .csr text onto a Namecheap page
- To copy the .csr text, I use the following command (note I am on macOS)
How to move a file from DO to your local machine
- note - If you are logged into DO, close your connect with
$ exit
and type:
$ scp -r root@1.2.3.4:singlelogout.csr /Users/me/Desktop/
- Some notes on the above command:
- This
scp
command will move the generated.csr
from the remote DO server to my local machine - SCP (secure copy) is a command-line utility that allows you to copy files and directories between two locations securely
- Replace
1.2.3.4
(above) with your IP address on DO - Replace
/User/me/Desktop
with the location on your machine you want to move thesinglelogout.csr
to- Once you run the command and
singlelogout.csr
is on your local machine, open the file with your text editor or thecat
command $ cat singlelogout
(make sure you are in the directory where you moved the file since I moved it to my Desktop, I was in my Desktop when I ran$ cat singlelogout
)- Copy the .csr text from
singlelogout.csr
and paste it into the spot in the Namecheap UI where it asks you to
- Once you run the command and
- This
If you do this successfully, you will get a success message
You have three choices for the validation method
- email-based (receive an email to a specific domain-related address)
- DNS-based (create a CNAME record)
- HTTP-based (upload a validation file)
Since I am using DO, I chose DNS-based
- Namecheap will give you a host and target, and it will look like this:
Host: _F0C4C289C7C242E4D4709050C2D4A5B3
Target: C32E19A387906A99D9C53D1FE1593AC3.C4C8F54EA8907D4AF9A6217EF5B12128.comodoca.com
How to enter this CNAME in your DO DNS:
- Log into DO
- Select your Domain to manage
- Click CNAME
screenshot of digital ocean DNS CNAME
What is a CNAME?
How to test a CNAME?
- This is a great tool to test your DNS and CNAME
- Another Great tool is Google Admin Toolbox
Troubleshooting CNAME
- You may have to wait up to 48 hours for a CNAME to take effect and be publicly accessible, but I usually find the public CNAME after a few minutes
- To see if the CNAME is working using
mxtoolbox
and choose CNAME from the dropdown and search for the Host name- I erroneously was searching for the domain name, and this would always result in a CNAME not found
example of found CNAME when using the Google Admin Toolbox
How do I get my SSL certificate?
If you generate your CSR and the CNAME correctly, you are issued the certificate via email.
Attached to this email, you should find a .zip
file containing:
- Your PositiveSSL Certificate - singlelogout_com.crt
- Your Apache "bundle" file - singlelogout_com.ca-bundle
You will also find your PositiveSSL Certificate for your domain in text format at the bottom of the email.
- note You can also download the certificate in your Namecheap account > 'SSL Certificates' section > 'Download' button near your issued certificate
To help reduce domain name mismatch warnings, Namecheap also included the domain name www.singlelogout.com in your certificate.
Trust logo
- You will also receive a Trust logo in an email that you can add to your site
- The first email you receive will be the validated SSL cert
How to enable the HTTPS connection to your website
- You will need to install the certificate on your hosting server and set up an HTTP to HTTPS redirect
- The certificate installation manuals for various server types Namecheap Knowledgebase
Conclusion
As you can see, setting up an SSL Certificate is slightly complicated. Hopefully, this blog post will save you some time and help clear up some of the confusion and complexity and that the resources and tools I shared make adding SSL a half-hour project instead of a weekend ordeal.