What is an SSL Certificate?
SSL certificates are small data files that digitally bind a public key to a domain name (and, for higher validation levels, to an organization's details); the matching private key stays on your server and is never sent anywhere. When installed on a web server, the certificate enables HTTPS: the browser can verify it is talking to the real server, and the connection between browser and server is encrypted. (The protocol itself is TLS these days; "SSL certificate" is just the name that stuck.) You used to see a green padlock icon before the browser address bar, but as of August 2020, most browsers no longer display the green version, only a plain padlock.
You can also get SSL for free!
You can get a free SSL certificate from Let's Encrypt. Most developers use this as it is free, but you need to renew it often, and I was in a time crunch and didn't want to have to do that every three months. (Let's Encrypt certificates are valid for 90 days; there is no way to adjust this and there are no exceptions. They recommend automatically renewing your certificates every 60 days, so the process can, and should, be automated with a client such as certbot.)
Fast and easy SSL (but not free)
ICS has a Proof of Concept (POC) project using SLO (Single Log Out) with Okta that will need an SSL certificate, so I wanted to find a fast, inexpensive way to get one and add it to my Digital Ocean (DO) Ubuntu server.
So to save time, I bought an SSL certificate. Since I use Namecheap to buy domains, I used them to pay for their cheapest certificate, PositiveSSL, which was $5.99/yr - https://www.namecheap.com/security/ssl-certificates/ (as of 6/28/2021).
I bought the domain singlelogout.com (can you believe that domain was still available?)
Here are the instructions to point the domain to DO - https://www.namecheap.com/support/knowledgebase/article.aspx/10375/2208/how-do-i-link-a-domain-to-my-digitalocean-account/
You also need to point the domain at the droplet (an A record for singlelogout.com with the droplet's IP address); the following instructions walk you through those steps - https://kaloraat.com/articles/add-domain-to-digital-ocean-droplet
I used the basic Ubuntu box (1GB memory, 25 GB disk) to set it up. I am using SSH to log into root with a password. Best practice is not to log in as root at all: create a separate user with sudo, and use SSH keys instead of a password.
- I have a DO droplet (server)
- My domain points to the DO droplet
- I can log into the root of my droplet using
$ ssh root@<your-droplet-ip> and then entering my root password (make sure you put this password in a safe place because you will use it often)
But how do I add the SSL Certificate I bought on Namecheap to this DO Droplet?
I just bought a certificate for a single domain, and I am using the level of validation that is a
Generating the CSR and Private Key
- Note: you need to be logged into the DO droplet to do this.
I am using Nginx as my web server.
To generate a private key, called singlelogout.com.key, and a CSR, called singlelogout.csr, run this openssl command (replace singlelogout.com with the name of your domain):
$ openssl req -newkey rsa:2048 -nodes -keyout singlelogout.com.key -out singlelogout.csr
(rsa:2048 creates a new 2048-bit RSA key; -nodes writes it without a passphrase so Nginx can read it at startup without prompting.)
- At this point, you are prompted for several lines of information that are added to your certificate request.
- Note: the most important field is the Common Name, which must match the host name you want to use the certificate with.
I found the Common Name confusing. For Common Name, I erroneously entered https://singlelogout.com, and this caused an error when I pasted the generated .csr file into Namecheap. To avoid this error, use the domain name for the Common Name: singlelogout.com (why they call it a Common Name instead of a domain name beats me).
- Note: Common Name is the CN attribute of the certificate's X.509 subject, and the CA validates it as a DNS host name, so a scheme (https://), path or port makes the CSR invalid. Browsers actually match the Subject Alternative Name (SAN) extension rather than the CN, which is why the issued certificate also lists your name(s) as SANs.
Here is a sample of the questions with my answers:
Country Name (2 letter code) [AU]:US
State or Province Name (full name) [Some-State]:Los Angeles
Locality Name (eg, city) []:Los Angeles
Organization Name (eg, company) [Internet Widgits Pty Ltd]:ICS
Organizational Unit Name (eg, section) []:
Common Name (e.g. server FQDN or YOUR name) []:singlelogout.com
Email Address []:firstname.lastname@example.org
- Note: it also asks for "A challenge password" and "An optional company name". The challenge password is a legacy CSR attribute that public CAs ignore, so I left it blank (press Enter to accept the empty default). This is not a passphrase on your private key: because of -nodes, the .key file is written unencrypted, which is what Nginx needs to start without a prompt.
- Note: this generates two files:
- The .key file is your private key. Keep it secret: readable only by root (or the web server's user), never sent to the CA, and never pasted into any web form.
- The .csr file is what you send to the CA to request your SSL certificate. It contains only your public key and the names you asked for, so it is safe to copy around.
What text is inside the .csr file?
It resembles the following (with the line breaks openssl writes):
-----BEGIN CERTIFICATE REQUEST-----
MIIDKzCCAhMCAQAwgYAxGTAXBgNVBAMMEHNpbmdsZWxvZ291dC5jb20xFTATBgNV
BAcMDFNlbGxlcnN2aWxsZTELMAkGA1UECAwCUEExDDAKBgNVBAoMA0lDUzEkMCIG
CSqGSIb3DQEJARYVaG93bGV5LnBoaWxAZ21haWwuY29tMQswCQYDVQQGEwJVUzCC
ASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBAKnE+ds4wQtBKQ/g1d0L550U
99p6zOQ7qMnR6a525Jc+4BIiWxI1YXGIC3rPMU5M9h+Z6SMBFj17T3flpXRPkOzw
lZpvKmwiYRjZhGqSAt/sGOtjmfb3m4FB7+isQKL6zSP3jGVR9ubEryK3MOC8IuKn
1d9IL+gkVwS94s67KOB0T5zIDjUmdFXb/zquBENQKyeSzR2mwZ5JwUSbTfmiw+sq
U/xZNnhyOH1KqLSCIsQVAbjOB8D4DttcXvOgHvl3Xn05AibQCa3W54+/D0O8B7nV
S0wziRk6mupfF/9o0nXyedHnbNNJUaHcZ3SM4YCaOqje/+XSvw81Xm/B8jh0bvsC
AwEAAaBlMGMGCSqGSIb3DQEJDjFWMFQwCQYDVR0TBAIwADALBgNVHQ8EBAMCBaAw
HQYDVR0lBBYwFAYIKwYBBQUHAwEGCCsGAQUFBwMCMBsGA1UdEQQUMBKCEHNpbmds
ZWxvZ291dC5jb20wDQYJKoZIhvcNAQELBQADggEBAEZOBygGekGn13FG0ygN593L
cbOHhFCye/nbyJnZkfYlwpNoHzr8UoYSa3ulWvRZvvVSi5Zly3kGB1Ryl7GgcW67
5MzunxifmY3TUsKPb/DvYJkHg79YTiYiJPhIV+2e1GHpjDCDhhf1smQAgptweC0N
ABmIoVoQ0IhklrAIDY+dHtiM0Q6wcEi/QX3TaMn7HOlgaQntLloLhhlh6Zsi5udk
v40AYQ/V72l/OknKpoqOM8LLBiAYRg9D7V+jXQZ0kJNZ/Ho3rncxpPNjYXLj8BHl
WlTpCdTmnH1o1ii1n+1DjM6ZxM0P06qzsBdWCIRucemRF3lTrv58bbu+Gep+7Fw=
-----END CERTIFICATE REQUEST-----
Copying the .csr to your machine's clipboard is a bit tricky
- When you copy it, include everything from -----BEGIN CERTIFICATE REQUEST----- through -----END CERTIFICATE REQUEST-----, both marker lines included.
- The file lives on the droplet, and a remote shell has no clipboard, so you need to get the text onto your local machine before you can paste it into the Namecheap page.
- To do that, I use the following command (note I am on macOS).
How to move a file from DO to your local machine
- Note: if you are logged into DO, close your connection with
$ exit and then, on your local machine, type:
$ scp root@<your-droplet-ip>:singlelogout.csr /Users/me/Desktop/
Some notes on the above command:
- The scp command copies the generated .csr from the remote DO server to my local machine.
- SCP (secure copy) is a command-line utility that copies files and directories between two hosts over SSH, so the transfer is encrypted and authenticated the same way as your SSH login.
- Replace the host part of the remote path (the address before the colon) with your droplet's IP address on DO.
- Replace /Users/me/Desktop with the location on your machine where you want the file.
- Once you run the command and singlelogout.csr is on your local machine, open the file with your text editor or print it with
$ cat singlelogout.csr (make sure you are in the directory where you moved the file; since I moved it to my Desktop, I was in my Desktop when I ran cat)
- Copy the .csr text from singlelogout.csr and paste it into the spot in the Namecheap UI where it asks for the CSR.
- If you do this successfully, you will get a success message.
You have three choices for the validation method
- email-based (receive an email to a specific domain-related address)
- DNS-based (create a CNAME record)
- HTTP-based (upload a validation file)
Since I am using DO, I chose DNS-based
- Namecheap will give you a host and target, and it will look like this:
Host: _F0C4C289C7C242E4D4709050C2D4A5B3
Target: C32E19A387906A99D9C53D1FE1593AC3.C4C8F54EA8907D4AF9A6217EF5B12128.comodoca.com
- The Host is relative to your domain: the record you are creating is _F0C4C289C7C242E4D4709050C2D4A5B3.singlelogout.com, an alias for the Target under the CA's comodoca.com domain.
How to enter this CNAME in your DO DNS:
- Log into DO
- Select your domain to manage
- Click CNAME, enter the Host value as the hostname (DO appends your domain to it) and the Target as the name it is an alias of, then create the record
What is a CNAME?
A CNAME (canonical name) record is an alias: it says that one DNS name (here the _F0C4... host under your domain) resolves to whatever the target name (here the one under comodoca.com) resolves to. The CA proves you control the domain by seeing that alias appear in public DNS; nobody without access to your DNS could have created it.
How to test a CNAME?
MXToolbox is a great tool to test your DNS and CNAME records.
- Another great tool is Google Admin Toolbox.
- You may have to wait up to 48 hours for a CNAME to take effect and be publicly accessible, but I usually find the public CNAME after a few minutes
To see if the CNAME is working, go to MXToolbox, choose CNAME from the dropdown, and search for the full host name (the Host value followed by your domain, e.g. _F0C4C289C7C242E4D4709050C2D4A5B3.singlelogout.com).
- I erroneously was searching for the domain name, and this would always result in a CNAME not found.
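The "CNAME not found" confusion above comes from querying the wrong name: the record lives at Host.domain, not at the domain itself. The following is an added example, not code from the post, that builds the CNAME query and parses the answer with only the Python standard library, so the check can be scripted while you wait for propagation. The Host and Target values are the ones shown above; the resolver address 1.1.1.1 and the constructed sample answer packet are assumptions for illustration.

```python
# Added example (not from the post): build a DNS CNAME query and parse the answer with
# only the standard library, to check that the Namecheap validation record is live.
# Host/Target values are the ones shown in the post; 1.1.1.1 is an assumed public resolver.
import socket
import struct

def dcv_record_name(host, domain):
    """Namecheap shows a relative Host; the name actually published (and queried) is host.domain."""
    return f"{host.rstrip('.')}.{domain.rstrip('.')}".lower()

def encode_name(name):
    """Wire-format a DNS name: length-prefixed labels ending in a zero octet."""
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in name.rstrip(".").split(".")) + b"\x00"

def decode_name(pkt, pos):
    """Read a (possibly compressed, RFC 1035 4.1.4) name at pos; return (name, next_pos)."""
    labels, end = [], None
    while True:
        length = pkt[pos]
        if length & 0xC0 == 0xC0:  # two-octet pointer into the packet
            end = end if end is not None else pos + 2
            pos = struct.unpack("!H", pkt[pos:pos + 2])[0] & 0x3FFF
            continue
        pos += 1
        if length == 0:
            break
        labels.append(pkt[pos:pos + length].decode("ascii"))
        pos += length
    return ".".join(labels).lower(), end if end is not None else pos

def build_query(name, qtype=5, txid=0x1234):
    """Standard recursive query; QTYPE 5 = CNAME, QCLASS 1 = IN."""
    return struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0) + encode_name(name) + struct.pack("!HH", qtype, 1)

def cname_targets(pkt):
    """Return the CNAME targets in the answer section ([] for NXDOMAIN or no CNAME yet)."""
    _txid, flags, qdcount, ancount, _ns, _ar = struct.unpack("!HHHHHH", pkt[:12])
    if flags & 0x000F:  # RCODE != 0, e.g. 3 = NXDOMAIN: record not published or not propagated
        return []
    pos = 12
    for _ in range(qdcount):
        _, pos = decode_name(pkt, pos)
        pos += 4  # QTYPE + QCLASS
    targets = []
    for _ in range(ancount):
        _, pos = decode_name(pkt, pos)
        rtype, _rclass, _ttl, rdlength = struct.unpack("!HHIH", pkt[pos:pos + 10])
        pos += 10
        if rtype == 5:
            targets.append(decode_name(pkt, pos)[0])
        pos += rdlength
    return targets

def check_dcv_cname(host, domain, expected_target, resolver="1.1.1.1"):
    """Live check: does the public resolver see the validation CNAME pointing at the CA?"""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.settimeout(5)
        sock.sendto(build_query(dcv_record_name(host, domain)), (resolver, 53))
        pkt, _ = sock.recvfrom(4096)
    return expected_target.rstrip(".").lower() in cname_targets(pkt)

# Values from the post.
HOST = "_F0C4C289C7C242E4D4709050C2D4A5B3"
DOMAIN = "singlelogout.com"
TARGET = "C32E19A387906A99D9C53D1FE1593AC3.C4C8F54EA8907D4AF9A6217EF5B12128.comodoca.com"

def sample_response(txid=0x1234, rcode=0):
    """Constructed answer packet (not a real capture): what a resolver returns once the record is live."""
    query = build_query(dcv_record_name(HOST, DOMAIN), txid=txid)
    header = struct.pack("!HHHHHH", txid, 0x8180 | rcode, 1, 1 if rcode == 0 else 0, 0, 0)
    if rcode:
        return header + query[12:]  # e.g. NXDOMAIN: question echoed back, no answers
    rdata = encode_name(TARGET)
    answer = b"\xc0\x0c" + struct.pack("!HHIH", 5, 1, 300, len(rdata)) + rdata  # owner = pointer to question
    return header + query[12:] + answer

if __name__ == "__main__":
    print(check_dcv_cname(HOST, DOMAIN, TARGET))
```

`check_dcv_cname` returns True once the CA's target shows up at the Host.domain name; until then it returns False, either because the resolver answers NXDOMAIN (the record has not propagated) or because the CNAME points somewhere else (a typo in the Target). Querying `DOMAIN` instead of `dcv_record_name(HOST, DOMAIN)` is exactly the mistake that always yields "not found".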
How do I get my SSL certificate?
If you generated your CSR and the CNAME correctly, the certificate is issued and sent to you by email.
Attached to this email, you should find a .zip file containing:
- Your PositiveSSL Certificate - singlelogout_com.crt
- Your Apache "bundle" file - singlelogout_com.ca-bundle
You will also find your PositiveSSL Certificate for your domain in text format at the bottom of the email.
- note You can also download the certificate in your Namecheap account > 'SSL Certificates' section > 'Download' button near your issued certificate
To help reduce domain name mismatch warnings, Namecheap also includes the domain name www.singlelogout.com in the certificate (as a Subject Alternative Name alongside singlelogout.com), so both names are covered by the one certificate.
You will also receive a Trust logo in an email that you can add to your site
- The first email you receive will be the validated SSL cert
How to enable the HTTPS connection to your website
- You will need to install the certificate on your hosting server and set up an HTTP to HTTPS redirect.
- The certificate installation manuals for various server types are in the Namecheap Knowledgebase.
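For Nginx on the droplet, the installation comes down to one server block plus the redirect. The following is an added example, not the post's own or Namecheap's configuration; the /etc/nginx/ssl paths and the document root are assumptions, and the file names are the ones from the Namecheap email and the CSR step above. The Nginx-specific gotcha is that the leaf certificate and the ca-bundle must be concatenated into a single file, leaf first, because Nginx has no separate directive for the intermediate chain.

```nginx
# Added example (not from the post or Namecheap's manual): minimal Nginx configuration
# for the PositiveSSL files from the email. Paths under /etc/nginx/ssl and the document
# root are assumptions; adjust them to where you copied the files on the droplet.
#
# Nginx wants the leaf certificate followed by the CA bundle in one file, so first:
#   cat singlelogout_com.crt singlelogout_com.ca-bundle > /etc/nginx/ssl/singlelogout_com.chained.crt
#   chmod 600 /etc/nginx/ssl/singlelogout.com.key

# Plain HTTP: answer nothing but a permanent redirect to HTTPS.
server {
    listen 80;
    listen [::]:80;
    server_name singlelogout.com www.singlelogout.com;
    return 301 https://$host$request_uri;
}

server {
    listen 443 ssl http2;
    listen [::]:443 ssl http2;
    server_name singlelogout.com www.singlelogout.com;   # both names are in the certificate

    ssl_certificate     /etc/nginx/ssl/singlelogout_com.chained.crt;   # leaf + intermediates
    ssl_certificate_key /etc/nginx/ssl/singlelogout.com.key;           # the .key from the CSR step, never the .csr

    ssl_protocols TLSv1.2 TLSv1.3;
    ssl_prefer_server_ciphers off;        # let modern clients pick their best AEAD suite
    ssl_session_timeout 1d;
    ssl_session_cache shared:SSL:10m;

    # Tell browsers to stay on HTTPS for a year (enable only once HTTPS works everywhere).
    add_header Strict-Transport-Security "max-age=31536000" always;

    root /var/www/singlelogout;           # assumed document root
    index index.html;
}
```

Run `nginx -t` to syntax-check, then `systemctl reload nginx`. Verify the served chain from your laptop with `openssl s_client -connect singlelogout.com:443 -servername singlelogout.com`: a missing or mis-ordered bundle shows up there as "unable to get local issuer certificate", and a key that does not match the certificate refuses to load at the reload step.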
As you can see, setting up an SSL Certificate is slightly complicated. Hopefully, this blog post will save you some time and help clear up some of the confusion and complexity and that the resources and tools I shared make adding SSL a half-hour project instead of a weekend ordeal.