So you run a website or services and at the moment they are accessible over HTTP (port 80). However you want a secure connection and a nice green padlock to be displayed in your web browser. In that case you need to create a HTTPS (port 443) connection which requires the webpage/service and the user to communicate over a encrypted connection using secure protocols such as SSL (Secure Sockets Layer) or TLS (Transport Layer Security).
Normally you would have to pay a fee to get a certificate and pay a yearly fee. However Let's Encrypt are dishing out free certificates with the only catch being they are valid for 90 days. The cert will need to be renewed every 90 days. I tend to renew with at least 15-20 days left before expiry just incase I have any issues with the new cert and it gives me time to install and test it.
- Having your own Domain Name. My example *.mysite.com
- Access to your Domain Registrars DNS settings
Step 1 - Generate the cert.
Head over to ZeroSSL and click on Online Tools and free SSL Certificate Wizard Enter the details it asks for. In the Domain box enter all the domains and subdomains you require the certificate to cover separated by a space. Example:-
- mysite.com blog.mysite.com test.mysite.com
Accept both the TOS and SA and change the verification from HTTP to DNS.
Click next and it will generate a CSR key. Copy the CSR and save it as you will need this when it comes time to renew.
Click next again and it will generate an account key (RSA PRIVATE KEY). Again Copy and save the private key, we will need it to renew.
We should now see the Verification screen like below.
Step 2 - DNS Verification.
For this step we need to prove to ZeroSSL that we own the domain name we are trying to create the cert for.
Head over to your domain registrar. For this example I will user namecheap.com
Login and head over to DNS or Advanced DNS. We need to create a TXT Record for each of our domains and subdomains. Like in the example below. Set TTL (Time to Live) to 1min or the lowest setting.
IMPORTANT - We should now leave it 15mins to allow the TXT Records we created above to propagate through the internet. If you click 'Next' on the ZeroSSL page too soon then it will fail to find the TXT Records. To test to see whether the Records have updated you can run a command prompt on your PC and type
nslookup -q=TXT _acme-challenge.blog.mysite.com
It should reply with the TXT Record Value. If it replies with:-
can't find _acme-challenge.blog.mysite.com: Non-existent domain
Then you have to wait longer.
Eventually you can click 'Next' and it should take you to your Certificates.
They are available to download on the right or you can copy and paste the keys.
The Certificate includes 2 parts, you can see this from the 2 sections
-----BEGIN CERTIFICATE----- Your Domain Certificate -----END CERTIFICATE----- -----BEGIN CERTIFICATE----- Your Certificate Authority -----END CERTIFICATE-----
The first part is your Certificate for the domain/subdomain you listed The second Part is the Issuing Authorities Certificate or CA Root you listed. You can either keep these together as 1 certificate (ca_bundle.crt) or split them into 2, (cert.crt) and (ca_root.crt).
Finally the second box is your Private key. Save this key as private.key
Congratulations you now have your own Certificate signed by Let's Encrypt.
Step 3 - Certificate Formats (Optional)
crt to pem
We currently have the certificates in a .crt format. To create a .pem file we need to include the cert.crt and ca_root.crt into one file. You can use notepad to do this. Copy both your cert and the ca_root into notepad like below.
----BEGIN CERTIFICATE----- Your Domain Certificate -----END CERTIFICATE----- -----BEGIN CERTIFICATE----- Your Certificate Authority -----END CERTIFICATE-----
and then save the file as cert.pem. Simple as that!
crt to pfx Creating a .pfx certificate isnt as simple as a pem. A pfx file contains your cert, the CA root cert and your private.key into one file. It also usually contains a password to open/import and export.
If you have access to OpenSSL you can use the command below
openssl pkcs12 -export -out certificate.pfx -inkey privateKey.key -in cert.crt -certfile CA_root.crt
Another option is to use SSLShopper free online utility.
First of all change the 'Type To Convert To' to PFX/PKCS#12
Certificate to convert = your domain cert.crt Private Key file = your private.key Chain Certification File (optional) = your ca_root.crt PFX = create a strong password and remember it!
Click 'Convert' and you should then get the new .pfx file automatically downloaded.
Congratulations you know how a Trusted Certificate. Have a look through my sites for other guides and how you can use a certificate. Dont forget you need to renew it as it will expire after 90 days.