While there are other options like Let’s Encrypt, purchasing a certificate can be the simplest way to get an SSL certificate for a site. Even though it’s simple, there are a fair of number steps in the process.

There are three important steps to purchasing a certificate. Before we start those steps, we need to first purchase the certificate. Strangely enough, paying for the cert is the quickest part of the process. Our Request Metrics wildcard certificate is a RapidSSL cert purchased from The SSL Store. The important work begins after payment is complete.

Step 1: Certificate Signing Request

The process begins with submitting a Certificate Signing Request(CSR for short). The CSR consists of two parts, the creation and submission of a CSR certificate.

Create the CSR Certificate

The CSR certificate is just a public/private key pair generated by you. This is done locally using Git Bash on Windows or any Linux-like console:

  1. Create the Certificate From the CLI, run and respond to information prompts:
openssl req -new -newkey rsa:2048 -nodes -keyout sslcert.key -out sslcert.csr
  1. Important! When prompted for “Common Name”, enter your domain (eg -*.mydomain.com).
  2. The CSR is Created! The CSR consists of two files:
    • sslcert.key The private key for the SSL certificate.
    • sslcert.csr The public key aka the Certificate Signing Request. This key is submitted in the next step.

Submit the CSR Request

Now that the CSR is generated it can be submitted to the Certificate Authority. We are using The SSL Store:

  1. Select DNS Based Authentication This requires access to the domain’s DNS provider.
  2. Input the CSR Copy the contents of sslcert.csr into the “Input CSR” text box.
  3. Submit the CSR Click “Continue” to submit the request

Step 2: Validate the Domain

The CSR has been submitted, but ownership of the domain still needs to be verified. We use DNS verification:

  1. Create TXT Record Create a new TXT record using your DNS management console. The record should be on the domain root:
    • Host is usually @ for root
    • Value is the “Alias Name” provided by the certificate authority and should look like p4pn7ghfv2y...
  2. Wait… It can take 30 minutes or longer for the Certificate Provider to verify the new TXT record.
  3. Check Email The new certificate will be emailed to you after the domain is validated.

Step 3: Create PEM File

The SSL certificate has been created! In the last step, we need to build a public key from the SSL certificate:

  1. Create sslcert.pem Create a new file named sslcert.pem in the editor of your choice.
  2. Insert Certificates Copy the emailed SSL certificate and intermediate certificate into the file. The file should look like:
-----BEGIN CERTIFICATE-----
MIIFyDCCBLCgAwIBAgIQBQooVkA42EVSKRw7JG9CYDANBgkqhkiG9w0BAQsFADBe
... SSL Certificate ...
jdDjRMT2puVyDzMH8k5H1gGqCFUY2jvOr0B99QDKNpWR3oapNRaPdC1cvO4=
-----END CERTIFICATE-----
-----BEGIN CERTIFICATE-----
MIIEsTCCA5mgAwIBAgIQCKWiRs1LXIyD1wK0u6tTSTANBgkqhkiG9w0BAQsFADBh
... Intermediate CA Certificate ...
TVyMnGo=
-----END CERTIFICATE-----
sslcert.pem

We have an SSL Certificate!

The certificate can now be deployed to your servers. The two files needed are:

  • sslcert.key The private key for the SSL certificate.
  • sslcert.pem The public key for the SSL certificate.

What is a PEM file?

The SSL certificate we created consists of three files. What are these files anyway? An exhaustive answer can be found in this StackExchange answer, but here’s the TLDR on PEM:

  • PEM is confusing because it refers to a file format and file extension.
  • The PEM format is a standard for storing keys.
  • All three files that were created(sslcert.csr, sslcert.key, sslcert.pem) are in PEM format.
  • The .pem extension by convention contains the public key. Watch out, this is just a convention. The file may contain a private key!
  • The .key extension by convention contains a private key.
  • The .csr extension by convention contains a public key used for a CSR.

Now the grumpy men at Request Metrics are somewhat less grumpy. We have our wildcard SSL certificate and are ready to get our security on. Next, we’ll use Ansible to configure NGINX SSL support with the new certificate.