How to get an HTTPS certificate for your website.

It is common for a web site to need an SSL certificate so that it can be served securely over HTTPS. There are a number of free and low-cost certificate suppliers. Here I use SSLS.COM, a budget supplier, as the example to list the steps for getting a certificate for your web site.

1. First, create a Java keystore containing your 2048-bit private key and set a validity period (the -validity value is in days):

sudo keytool -genkey -alias mycert -keystore keystore.jks -storepass mypass -keyalg RSA -keysize 2048 -keypass mypass -validity 3650 -dname "cn=wayneshare.com,OU=Dept Name,O=Wayne Share LLC,L=Palo Alto,ST=CA,C=US"

Also export it in PKCS#12 format, then list both keystores to confirm the entry is there:

sudo keytool -importkeystore -srckeystore keystore.jks -destkeystore keystore.p12 -deststoretype pkcs12
keytool -list -v -keystore keystore.jks -storepass mypass
keytool -list -v -keystore keystore.p12 -storetype PKCS12 -storepass mypass

2. Create a CSR with the private key. The alias must be the one the key was generated under in step 1 (mycert), otherwise keytool reports that the alias does not exist. To create your CSR, run the following command:

sudo keytool -certreq -keyalg RSA -alias mycert -file certreq.csr -keystore keystore.jks

3. I use ssls.com to create our SSL cert. Make an order there.

4. Activate the SSL cert at SSLS.COM using our CSR content.

4.1 Paste the CSR content into the activation step of ssls.com:

less certreq.csr


4.2 Enter my own contact info:

Administrative wayne zhou
contact waynzhou@wayneshare.com
3888 Miranda Place
Palo Alto, CA, 94304
United States

4.3 To confirm that you own the domain, SSLS.COM offers two methods here:
one is to use an email address under your domain, like admin@wayneshare.com; the other requires access to your web server (such as Apache or nginx) to place a verification file there, so that Comodo CA (the root CA) can verify that the site is under your control.

Download a file from ssls.com for cert verification; you get this message first:
“You’re almost done. Upload file to /.well-known/pki-validation/ public directory of wayneshare.com. Do not rename the file or edit its contents. If you’re not sure what to do, please contact support.”

The file name we got is: F26FF4AD68EEB3785D28B5420663D6A5.txt
The file content is just one line: 591E88059BC38F2F09DC9C426E83C607F7414728CFDAD1D1F4711A4658904C1F comodoca.com 5a1ca2e34e5ee

5. Put F26FF4AD68EEB3785D28B5420663D6A5.txt on my nginx server:
As I use nginx as the reverse proxy, I need to install HTTPS on the nginx side, not on the Tomcat side.
So this step is to put the challenge file onto the nginx server to prove you are the owner of the website wayneshare.com.

Add this exact-match location block to the port-80 server block for wayneshare.com and restart nginx (the exact match makes nginx serve the file from disk instead of proxying the request to Tomcat):

location = /.well-known/pki-validation/F26FF4AD68EEB3785D28B5420663D6A5.txt {
    alias /home/www/.well-known/pki-validation/F26FF4AD68EEB3785D28B5420663D6A5.txt;
}

After I put the file under the /home/www folder, this link should work:

http://wayneshare.com/.well-known/pki-validation/F26FF4AD68EEB3785D28B5420663D6A5.txt

Then you can contact SSLS.COM support, and soon you will get an email with the cert file. Just save the cert for your site to use it.
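Before asking support to run the validation, it is worth fetching the file the same way the CA's validator will. The script below is an added example, not part of the original post; it assumes the file name and content shown in step 4.3, and the offline check function reproduces the usual failures (a forced http-to-https redirect, or the reverse proxy answering with Tomcat's HTML 404 page instead of the file).

```python
import urllib.error
import urllib.request

# File name and single-line content issued in step 4.3 of the post.
DV_FILENAME = "F26FF4AD68EEB3785D28B5420663D6A5.txt"
DV_CONTENT = ("591E88059BC38F2F09DC9C426E83C607F7414728CFDAD1D1F4711A4658904C1F"
              " comodoca.com 5a1ca2e34e5ee")


def dv_url(domain, filename=DV_FILENAME):
    """The validator fetches over plain HTTP: the certificate does not exist yet."""
    return f"http://{domain}/.well-known/pki-validation/{filename}"


def check_dv_response(status, content_type, body, expected=DV_CONTENT):
    """Return the problems a CA validator would trip over (empty list = OK)."""
    problems = []
    text = body.decode("utf-8", errors="replace")
    if status != 200:
        problems.append(f"HTTP {status}: expected 200, and validators do not "
                        "follow redirects such as a forced http->https rewrite")
    if "<html" in text.lower():
        problems.append("body is an HTML page: nginx probably proxied the request "
                        "to Tomcat instead of serving the file from disk")
    elif text.rstrip("\r\n") != expected:
        problems.append("body differs from the file issued by ssls.com "
                        "(renamed, edited, or wrong alias path in nginx)")
    if content_type and not content_type.startswith("text/plain"):
        problems.append(f"Content-Type is {content_type!r}, expected text/plain")
    return problems


class _NoRedirect(urllib.request.HTTPRedirectHandler):
    """Surface 3xx as an HTTPError instead of silently following it."""
    def redirect_request(self, req, fp, code, msg, headers, newurl):
        return None


def fetch_and_check(domain, expected=DV_CONTENT):
    """Fetch the file the way a validator would and report problems."""
    opener = urllib.request.build_opener(_NoRedirect)
    try:
        with opener.open(dv_url(domain), timeout=10) as resp:
            status, ctype, body = resp.status, resp.headers.get("Content-Type", ""), resp.read()
    except urllib.error.HTTPError as err:  # 3xx, 4xx and 5xx all land here
        status, ctype, body = err.code, err.headers.get("Content-Type", ""), err.read()
    return check_dv_response(status, ctype, body, expected)
```

Run fetch_and_check("wayneshare.com") after the nginx restart in step 5; an empty list means the validator should succeed.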

6. Import the signed cert into the keystore for the web server to use. It must be imported under the same alias as the private key (mycert); the CA's intermediate certificates, if supplied separately, are imported first under their own aliases. The file name below is a placeholder for the cert file received by email:
sudo keytool -importcert -trustcacerts -alias mycert -file <signed-cert-from-ssls>.crt -keystore keystore.jks -storepass mypass

 

++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++

Notes: related keytool commands

keytool -list

# export the private key (keytool cannot export a private key directly; use the openssl command on the PKCS#12 file below)

# export the cert
keytool -export -rfc -alias mycerts -file cert_1.crt

# import a key from another keystore

keytool -importkeystore -srckeystore ~/.keystore -destkeystore keystore.p12 -deststoretype PKCS12 -srcalias mycerts -deststorepass mypass -destkeypass mypass

Export the certificate using openssl:

openssl pkcs12 -in keystore.p12 -nokeys -out cert_1.pem

Export the unencrypted private key:

openssl pkcs12 -in keystore.p12 -nodes -nocerts -out key_1.pem
