Sometimes an SSL certificate is needed for a web site.

Some certificates you can get for free.

In the past StartCom provided free SSL certificates, but recently their policy has changed and free certificates are available for personal use only. StartCom has an unnecessarily complicated procedure for logging in to an account, so it was never convenient enough.

Fortunately I found another company, Comodo, which issues free certificates for any kind of site. Even though their free certificates are valid for 90 days only, they may still be useful, but only once, because they do not renew free certificates.

One unique certificate authority worth mentioning is CAcert. They are really special: 100% free and non-profit. Unfortunately most web browsers don't ship their root certificate, so a free SSL certificate from CAcert behaves pretty much like a self-signed certificate. If you can, please donate to CAcert, because by supporting them you help to establish what may become the most useful and open certificate authority of the future.

So how do you get an SSL certificate?

Step #1: Create a private key (KEY) and a certificate signing request (CSR)

#Create an RSA key:
openssl genrsa -out myserver.key 2048
#or create a password-protected RSA key:
openssl genrsa -des3 -out myserver.key 2048

#Generate a certificate signing request (CSR)
openssl req -new -key myserver.key -out myserver.csr

You will be prompted to enter your domain name and other information. The Common Name (CN) is the domain name of your site. If you're requesting a wildcard certificate, enter the domain name with an asterisk (*), i.e. *.myserver.net; however, wildcard certificates may be costly or not available. Perhaps you want a certificate for both myserver.net and www.myserver.net.

To make a multi-domain Certificate Signing Request non-interactively:

openssl req -new -key myserver.key -out myserver.csr -subj "/C=AU/ST=NSW/L=Sydney/O=MyCompany/CN=myserver.net/CN=www.myserver.net/emailAddress=myname@member.fsf.org"

or, if you prefer the interactive way,

# make a copy of the OpenSSL config file
cp /etc/ssl/openssl.cnf myserver.openssl.conf

then edit myserver.openssl.conf, find the line starting with "commonName=" and below it add more lines like "0.commonName=Alt CN", "1.commonName=Alt CN" and so on, as many as you need.

#Generate a certificate signing request (CSR) using custom config file
openssl req -new -key myserver.key -out myserver.csr -config myserver.openssl.conf
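Browsers match the host name against the subjectAltName (SAN) extension rather than the Common Name, so a certificate issued from a CSR with repeated CN fields may end up covering only one of the names. The following is an added example, not from the original post, that puts every name into a SAN extension through a small generated config; the function names, file names and host names are constructed.

```shell
#!/bin/sh
# Added example, not from the original post: build a CSR whose extra host
# names go into a subjectAltName (SAN) extension. Browsers match the host
# name against SANs only, so repeated CN fields are not a reliable way to
# cover several names. All file names and host names are constructed.

# Usage: make_san_csr KEYFILE CSRFILE PRIMARY_NAME [ALT_NAME ...]
make_san_csr() {
    key=$1; csr=$2; primary=$3; shift 3
    # The SAN list must also contain the primary name used as CN.
    alt="DNS:$primary"
    for name in "$@"; do alt="$alt,DNS:$name"; done
    cfg=$(mktemp)
    # Minimal request config: non-interactive subject plus the SAN extension.
    cat > "$cfg" <<EOF
[req]
distinguished_name = dn
req_extensions = v3_req
prompt = no
[dn]
CN = $primary
[v3_req]
subjectAltName = $alt
EOF
    umask 077                     # private key readable by its owner only
    openssl genrsa -out "$key" 2048 2>/dev/null
    openssl req -new -key "$key" -out "$csr" -config "$cfg"
    rm -f "$cfg"
}

# Print the SAN entries of a CSR, e.g. "DNS:a.example, DNS:b.example",
# so the request can be checked before it is submitted to the CA.
csr_sans() {
    openssl req -noout -text -in "$1" \
        | grep -A1 'Subject Alternative Name' | tail -n 1 | sed 's/^ *//'
}

# Confirm the CSR is self-consistent (its signature matches the embedded key).
csr_verify() {
    openssl req -noout -verify -in "$1" >/dev/null 2>&1
}
```

Run make_san_csr myserver.key myserver.csr myserver.net www.myserver.net, then csr_sans myserver.csr to confirm both names appear before submitting the request.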

If renewing a certificate, you can use the existing CRT file to generate the CSR:

openssl x509 -x509toreq -in myserver.crt -out myserver.csr -signkey myserver.key

Step #2: Submit the certificate signing request (CSR) for signing

At this step you will need to provide evidence of domain ownership. Before submitting, it may be a good idea to check the CSR file:

openssl asn1parse -in myserver.csr
#or
openssl req -noout -text -in myserver.csr

Alternatively, you can sign it yourself (to get a self-signed certificate):

openssl x509 -req -days 365 -in myserver.csr -signkey myserver.key -out myserver.crt

Please note that the Subject line printed by openssl req -noout -text may be reused as the -subj argument for non-interactive CSR generation, as shown above.

You can decode the certificate (optional, just to make sure all required CNs are there):

openssl x509 -text -in myserver.crt

#or shorter output
openssl x509 -noout -in myserver.crt -issuer -subject -dates

Step #3: Prepare certificate

Your CA has issued you a signed web server certificate. Now it has to be prepared for installation on the web server.

If during Step #1 you created a password-protected key file, you might need to make a passwordless key for the web server; otherwise you will have to enter the password every time you start the web server, and you probably want the web server to start non-interactively:

openssl rsa -in myserver.key -out myserver.key.nopassw

The site's certificate should be bundled with the intermediate certificates the CA may provide. Copy the certificate file as myserver.pem and append all intermediate certificates to the .pem file, with the server certificate first:

cat myserver.crt ComodoUTNSGCCA.crt EssentialSSLCA_2.crt UTNAddTrustSGCCA.crt > myserver.pem

The resulting files may be used in nginx:

    ssl_certificate      myserver.pem;
    ssl_certificate_key  myserver.key.nopassw;

The end.