...
SSLShopper provides a great overview of the different types of SSL certificates available with various pros and cons. If you are still unsure, try using the SSL Shopper Wizard to guide you to the right type of certificate with a list of possible CAs.
Select CA
Specifically for Ubuntu, we perform the additional pre-check to ensure that the candidate CA's public certificates are part of the Ubuntu Certificate Repository.
Note: This is not a requirement. You can manually add the CA certificates or import them into the Ubuntu Certificate Repository. However, it is highly recommended to let the Operating System do the work of managing the CA certificates.
Sample Selection
In this example, after running the SSL Shopper Wizard, the first CA of interest is StartCom, which has a "free as in beer" SSL certificate package called StartSSL Free.
Check CA Keys Against OS Certificate Repository
This is not a requirement, but it will make future maintenance easier if the CA keys are managed and updated by the Operating System. If you import these certs yourself manually, they will not be managed by Ubuntu and will eventually expire, whereas if the OS manages the certs, the OS will renew them as part of its package updates.
To determine if StartCom is part of the Ubuntu Certificate Repository:

    cd /etc/ssl/certs
    ls | grep -i start    # perform a case-insensitive search for the keyword "start"
The result:

    StartCom_Certification_Authority.pem
    StartCom_Ltd..pem
    StartSSL_Sub_Class1_CA.pem
Info: StartSSL_Sub_Class1_CA.pem may not exist.
Most likely StartCom_Certification_Authority.pem is the highest level root CA certificate and the other two certificates are chain certificates.
Because the naming convention and the number of certificates required differ from CA to CA, you must do some reading and searching on the CA's website.
The key things to search for are:
- Download of the root CA certificate
- Determination if any chain certificates are required and where to download them
In this case I found the answers at the StartCom "How to Install Apache Server" webpage, whose sample Apache configuration also indicates that:
- ca.pem is the root CA certificate
- sub.class1.server.ca.pem is the chain certificate
The next step is to match up the certificates from StartCom against the Ubuntu Certificate Repository.
    cd ~
    wget http://www.startssl.com/certs/ca.pem
    diff ca.pem /etc/ssl/certs/StartCom_Certification_Authority.pem
The diff command did not return any differences, which means that the files match exactly. As such, StartCom_Certification_Authority.pem may be used.
Next continue on to see if the chain certificate already exists in the Ubuntu Certificate Repository.
    wget http://www.startssl.com/certs/sub.class1.server.ca.pem
    diff sub.class1.server.ca.pem /etc/ssl/certs/StartCom_Ltd..pem
    2,35c2,29
    < MIIGNDCCBBygAwIBAgIBGDANBgkqhkiG9w0BAQUFADB9MQswCQYDVQQGEwJJTDEW
    < MBQGA1UEChMNU3RhcnRDb20gTHRkLjErMCkGA1UECxMiU2VjdXJlIERpZ2l0YWwg
The diff returned differences.
Given there are no matches, we need to manually install the chain certificate.
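The diff checks above only detect a byte-identical file: the same certificate re-wrapped at a different line width, or saved with CRLF line endings, shows up as a difference even though it is the same certificate, so a non-empty diff on its own does not prove that a CA certificate is absent from the trust store. The following is an added example, not part of the original page, that compares certificates by their PEM body with whitespace stripped and searches the whole trust-store directory for a match; the function names, the second-argument default of /etc/ssl/certs, and the use of `openssl x509 -fingerprint` as the preferred check are this example's own choices.

```shell
#!/bin/sh
# Added example (not from the original page): compare a CA certificate
# downloaded from the CA's website with the certificates in the OS trust
# store (/etc/ssl/certs on Ubuntu) without depending on byte-for-byte
# equality. `diff` reports a difference whenever the PEM is merely
# re-wrapped (64- vs 76-column base64) or uses CRLF line endings; comparing
# the base64 body with all whitespace removed avoids that.

# Print the base64 body of the first certificate in a PEM file with all
# whitespace and carriage returns removed; prints nothing if there is no
# BEGIN/END CERTIFICATE block.
pem_body() {
    sed -n '/^-----BEGIN CERTIFICATE-----/,/^-----END CERTIFICATE-----/p' "$1" \
        | sed '/^-----/d' | tr -d ' \t\r\n'
}

# Return 0 if the two PEM files carry the same certificate body, 1 otherwise.
# An empty body never counts as a match, so two non-PEM files do not "match".
same_cert() {
    a="$(pem_body "$1")"; b="$(pem_body "$2")"
    [ -n "$a" ] && [ "$a" = "$b" ]
}

# Print every *.pem file in a trust-store directory (default /etc/ssl/certs)
# whose certificate body matches the given file. Returns 0 if at least one
# matched, 1 otherwise.
find_in_store() {
    cert="$1"; store="${2:-/etc/ssl/certs}"
    want="$(pem_body "$cert")"
    found=1
    [ -n "$want" ] || return 1
    for f in "$store"/*.pem; do
        [ -f "$f" ] || continue
        if [ "$(pem_body "$f")" = "$want" ]; then
            echo "$f"
            found=0
        fi
    done
    return $found
}

# Preferred check when openssl is installed: the SHA-256 fingerprint of the
# DER encoding is independent of any PEM formatting, so two files with equal
# fingerprints hold the same certificate. Not exercised by the offline test.
cert_fingerprint() {
    openssl x509 -in "$1" -noout -fingerprint -sha256 | sed 's/^.*=//'
}
```

Usage on Ubuntu, after downloading the CA's file: `find_in_store sub.class1.server.ca.pem` prints the matching entries under /etc/ssl/certs (a directory that update-ca-certificates populates from the ca-certificates package), and `cert_fingerprint sub.class1.server.ca.pem` gives the value to compare against the fingerprint the CA publishes on its website, which is the check that actually establishes you downloaded the genuine certificate rather than merely a file that happens to be in the store.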
Warning: Need to write the instructions here.
- I need to secure one domain name or network name
- I just need it to be secure with no warning messages
- Price range per year $0-$100
A simple SSL certificate is available for free from the CA StartCom in a SSL certificate package called StartSSL Free.
SSL Process
Generate Server Private Key
...
The CA will use the public key in your CSR to sign and return your server certificate.
Warning: Provide a link to a sub-page to explain the CA signing process as an example.
Download Signed Server Certificate
...
The text file should be saved under the domain name with a .crt extension; it is your public key signed by that CA. In this example, it will be earth.com_server.crt.
Warning: This next section should be expanded and moved out into a sub-page that explains the CA signing process as an example.
Download Chain Certificate
Almost all CAs require that the server install a chain certificate.
You may download the chain certificate from your CA's website (you may need to search for it) or, more conveniently, download it from SSLShopper's list of Chain Certificates and respective CA Installation Instructions.
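Once the chain certificate has been downloaded, the server needs it combined with the signed server certificate in the right order, and the result should be checked against the root before it is deployed. The following is an added example, not from the original page or from StartCom: it assembles the bundle (server certificate first, then each intermediate) and wraps `openssl verify` for the check. The file names earth.com_server.crt, sub.class1.server.ca.pem and ca.pem follow the page's example and are assumed to be in the current directory; the function names are this example's own.

```shell
#!/bin/sh
# Added example (not from the original page): assemble the certificate chain
# a web server must present and verify it before deployment.

# Count the certificates in a PEM file (each one starts with a BEGIN line).
# Prints 0 for a file with no certificate.
cert_count() {
    grep -c '^-----BEGIN CERTIFICATE-----' "$1" || true
}

# Build a chain bundle: the server certificate first, then the intermediates
# in order, from the one that signed the server certificate up to the one
# signed by the root. The root itself is not included; clients already hold
# it in their own trust store. Returns 1 if any input is missing or holds no
# PEM certificate.
#   build_chain OUTPUT SERVER_CERT INTERMEDIATE...
build_chain() {
    out="$1"; shift
    : > "$out"
    for f in "$@"; do
        if [ ! -f "$f" ] || [ "$(cert_count "$f")" -eq 0 ]; then
            echo "build_chain: $f is missing or holds no PEM certificate" >&2
            return 1
        fi
        cat "$f" >> "$out"
        # Add a newline if the file lacks one, so END and the next BEGIN
        # line never run together.
        [ -z "$(tail -c 1 "$f")" ] || echo >> "$out"
    done
}

# Verify that the server certificate chains to the root through the
# intermediates (openssl required; not exercised by the offline test).
# -untrusted supplies intermediates that are not trust anchors on their own;
# -CAfile supplies the root that is trusted.
#   verify_chain SERVER_CERT INTERMEDIATES_FILE ROOT_FILE
verify_chain() {
    openssl verify -CAfile "$3" -untrusted "$2" "$1"
}
```

With the page's file names, `build_chain earth.com_server.bundle.crt earth.com_server.crt sub.class1.server.ca.pem` produces the bundle and `verify_chain earth.com_server.crt sub.class1.server.ca.pem ca.pem` should print "earth.com_server.crt: OK"; a verification failure here means a missing or wrong intermediate, which a browser would otherwise report as an untrusted-certificate warning.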
Store Certificates
In Ubuntu, the default location for SSL certificates is:
...