Managing SSL Certs

If you want to install a certificate on your web server or any other type of server, you must first obtain one.

  • Determine where you need to install the cert. This is generally the load balancer, proxy or server that a URL points to, and that URL is used as the Common Name. You can add more URLs, or Subject Alternative Names, to cover other instances and/or more URLs with one cert, but that is beyond the scope of this piece.
  • Generate a CSR and private key.
  • Submit the CSR to a Certificate Authority (e.g. DigiCert, Entrust, Let’s Encrypt).
  • The Certificate Authority will provide a signed certificate and possibly an intermediate certificate.

DigiCert has a nice wizard that helps create the OpenSSL command (on Linux) for generating a CSR. It also has wizards/instructions for generating CSRs using other methods.

Converting a .crt to .pem and other conversions.

openssl x509 -in cert.crt -out cert.pem

Creating a .pfx using OpenSSL

openssl pkcs12 -export -in linux_cert+ca.pem -inkey privateKey.key -out output.pfx

Creating a .pfx using OpenSSL with root and intermediate

openssl pkcs12 -export -out certificate.pfx -inkey privateKey.key -in certificate.crt -certfile more.crt
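
The steps above, run end to end as an added example that is not part of the original page: generate the key and CSR, confirm the returned certificate belongs to that key, then build and re-open the .pfx. The hostname, file names, passphrase and the throwaway CA standing in for a real Certificate Authority are constructed; it assumes bash and OpenSSL 1.1.1 or later (for -addext).

```bash
# Added example, not from the original page; names, passphrase and CA are constructed.
set -euo pipefail

# Step 2: private key + CSR; the hostname becomes the Common Name and a SAN.
make_csr() {  # make_csr <hostname> <key-out> <csr-out>
  ( umask 077  # keep the private key unreadable by other users
    openssl req -new -newkey rsa:2048 -nodes -keyout "$2" -out "$3" \
      -subj "/CN=$1" -addext "subjectAltName=DNS:$1" 2>/dev/null )
}

# Hash of the public key inside a key, CSR or cert, used to confirm they pair up.
pubkey_hash() {  # pubkey_hash key|csr|cert <file>
  case "$1" in
    key)  openssl pkey -in "$2" -pubout ;;
    csr)  openssl req  -in "$2" -noout -pubkey ;;
    cert) openssl x509 -in "$2" -noout -pubkey ;;
  esac | openssl sha256
}

# Steps 3-4 stand-in: a throwaway self-signed CA signs the CSR (a real CA does this).
fake_ca_sign() {  # fake_ca_sign <csr> <cert-out> <ca-cert-out>
  local cakey; cakey=$(mktemp)
  openssl req -x509 -newkey rsa:2048 -nodes -keyout "$cakey" -out "$3" \
    -subj "/CN=Constructed Demo CA" -days 1 2>/dev/null
  openssl x509 -req -in "$1" -CA "$3" -CAkey "$cakey" -set_serial 1 \
    -days 1 -out "$2" 2>/dev/null
  rm -f "$cakey"
}

# Build the .pfx only if the cert really belongs to the key; the passphrase is
# read from $PFX_PASS so it stays off the openssl command line.
make_pfx() {  # make_pfx <key> <cert> <chain> <pfx-out>
  [ "$(pubkey_hash key "$1")" = "$(pubkey_hash cert "$2")" ] ||
    { echo "certificate does not match private key" >&2; return 1; }
  openssl pkcs12 -export -inkey "$1" -in "$2" -certfile "$3" \
    -out "$4" -passout env:PFX_PASS
}

# Re-open the bundle: checks the passphrase and MAC without printing any keys.
pfx_ok() { openssl pkcs12 -in "$1" -passin env:PFX_PASS -noout 2>/dev/null; }
demo() {
  local d; d=$(mktemp -d); export PFX_PASS="constructed-demo-passphrase"
  make_csr www.example.test "$d/site.key" "$d/site.csr"
  fake_ca_sign "$d/site.csr" "$d/site.crt" "$d/ca.crt"
  make_pfx "$d/site.key" "$d/site.crt" "$d/ca.crt" "$d/site.pfx"
  pfx_ok "$d/site.pfx"
  echo "site.pfx built and verified"; rm -rf "$d"
}
demo
```

With a real CA, drop fake_ca_sign: submit the CSR, save the returned certificate and intermediate, and pass those files to make_pfx.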

Helpful links: