Overview

This article will walk you through generating an SSL Certificate Request and Private Key, and installing the certificate once it’s returned from your Certificate Authority.

Generating a Certificate Request and Private Key

If you already have an SSL certificate file and private key you can skip this step. In order to get an SSL certificate from a Certificate Authority (like GoDaddy or Verisign) you need to create a certificate request (CSR file) and a private key (KEY file). Both of these files can be generated automatically by running the command in the section below.

The CSR file contains some basic information on your domain name and company location, and this file is submitted to the Certificate Authority when purchasing your certificate.

The Key file contains the private key for this new SSL certificate and should be stored in a secure location, and not shared with anyone. It should not be sent to the certificate authority when requesting the cert.

Required Information

Your Certificate Request will require the following information:

CN - Common Name: The fully qualified domain name that clients will use to reach your server. To secure https://www.example.com, your common name must be www.example.com, or *.example.com for a wildcard certificate.

O - Organization Name: The exact legal name of your organization. Example: “SpreeCommerce, Inc.” If you do not have a legal registered organization name, you should enter your own full name here.

OU - Department: The department within your organization that you want to appear in the certificate; many people leave this field blank. It will be listed in the certificate's subject as Organizational Unit, or "OU". Examples: Web Administration, Web Security, Marketing

L - Location / City: The city where your organization is legally located.

ST - State or Province: The state or province where your organization is legally located.

C - Country: The country where your organization is legally located.

Key Size: 2048 is considered the minimum value.

Creating the Certificate Request & Private Key

You must have the OpenSSL library installed to execute this command. All Spree Hosting servers have this command available, so it is best to run the command directly on your server.

The example command below is for illustration purposes only; you must substitute your own information in the relevant locations. There are also online tools that will generate the proper openssl command for you.

$ openssl req -new -newkey rsa:2048 -nodes -out www_example_com.csr \
    -keyout www_example_com.key \
    -subj "/C=US/ST=MD/L=Chevy Chase/O=SpreeCommerce, Inc/OU=/CN=www.example.com"

Be sure to change the -out and -keyout values to match your domain name, while preserving the correct extensions.

Once the command has run you will have two new files in the current directory:

www_example_com.csr - This is the Certificate Request; it must be submitted to the Certificate Authority when purchasing your certificate.

www_example_com.key - This is your Private Key. It must be kept secure until the certificate is delivered to you by the Certificate Authority; you will need it again when installing the certificate.
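The following script is an added example, not part of the Spree Hosting documentation: it runs the same openssl command as above, then performs the checks worth doing before the CSR is sent to the Certificate Authority (the CN is the hostname you expect, the key is 2048 bits, the key file is readable only by its owner, and the public key inside the CSR really belongs to the private key file). The function names, the file naming scheme and the umask handling are this example's own choices; it assumes openssl is on the PATH.

```shell
#!/bin/sh
# Added example (not from the Spree Hosting docs): generate the key and CSR the
# way the article does, then check them before the CSR goes to the CA.
set -eu

# Generate a 2048-bit RSA private key and a CSR in one step, as the article's
# command does. $1 = key output path, $2 = CSR output path, $3 = subject, e.g.
#   "/C=US/ST=MD/L=Chevy Chase/O=SpreeCommerce, Inc/CN=www.example.com"
# The umask keeps the key file owner-readable only from the moment it exists.
make_csr() {
    (umask 077 && openssl req -new -newkey rsa:2048 -nodes \
        -keyout "$1" -out "$2" -subj "$3" 2>/dev/null)
}

# Common Name recorded in the CSR; compare it with the hostname clients use.
csr_cn() {
    openssl req -in "$1" -noout -subject | sed -n 's/.*CN *= *//p'
}

# Size of the RSA key in bits (the article's minimum is 2048).
key_bits() {
    openssl pkey -in "$1" -noout -text | sed -n 's/.*Private-Key: (\([0-9]*\) bit.*/\1/p'
}

# Permission bits of the key file as shown by ls; expect "rw-------".
key_mode() {
    ls -ld "$1" | cut -c2-10
}

# True if the CSR's public key is the one that belongs to this private key.
# If they differ, the certificate the CA issues can never be used with the key.
csr_matches_key() {
    a=$(openssl req -in "$1" -noout -pubkey | openssl md5)
    b=$(openssl pkey -in "$2" -pubout | openssl md5)
    [ -n "$a" ] && [ "$a" = "$b" ]
}

# Usage: sh make_csr.sh www.example.com "/C=US/ST=MD/L=Chevy Chase/O=SpreeCommerce, Inc"
# Output files are named after the hostname with dots replaced, as in the article.
if [ $# -ge 2 ]; then
    base=$(printf '%s' "$1" | tr . _)
    make_csr "$base.key" "$base.csr" "$2/CN=$1"
    echo "CN:       $(csr_cn "$base.csr")"
    echo "key bits: $(key_bits "$base.key")"
    echo "key mode: $(key_mode "$base.key")"
    if csr_matches_key "$base.csr" "$base.key"; then
        echo "CSR and key match: submit $base.csr to the CA and keep $base.key private"
    else
        echo "CSR and key do NOT match: do not submit $base.csr" >&2
        exit 1
    fi
fi
```

The key/CSR comparison works by extracting the public key from each side and hashing the PEM; any difference means the files were not produced by the same run of openssl, which is the usual cause of a certificate that later refuses to load against the key on the server.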

Installing the Certificate

When you receive your certificate from the Certificate Authority it is generally called example.com.crt and may be bundled with other chain CRT files. If you received multiple CRT files from your Certificate Authority, please refer to the installation instructions they provided for details; generally you just need to create one new CRT file and combine the contents of all the CRT files provided.

Now that you have one single CRT file you are ready to install it on your server:

Copy the CRT file onto the server and save it as /etc/ssl/spree.crt.

Move the private key (KEY file) to /etc/ssl/spree.key.

Execute the following command to have Puppet install the certificate and restart your webserver automatically:

$ FACTER_db_pass=YOUR_DB_PASSWORD sudo puppet agent --test

It is important that the file names and locations match exactly those listed above; otherwise Puppet will not be able to locate them.
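The script below is an added example and is not part of the Spree Hosting documentation or its Puppet module. It covers the "combine the CRT files" step and the two checks a practitioner wants before copying anything to /etc/ssl: that the certificate actually matches the private key generated earlier, and that the combined file starts with the server certificate and chains up to a trusted root through the intermediates that follow it. Because no real Certificate Authority is available offline, the script constructs a throwaway root and intermediate CA of its own to issue the test certificate; those, the function names and the file names are this example's assumptions, and the real files from your CA are used in the same way.

```shell
#!/bin/sh
# Added example (not from the Spree Hosting docs or its Puppet module): build the
# single combined CRT file the article asks for and check it against the private
# key and the chain before copying anything to /etc/ssl. The "CA" below is a
# constructed throwaway root/intermediate so that the checks can run offline.
set -eu

# True if the certificate's public key belongs to this private key. A cert
# issued against some other CSR passes every other check and still will not work.
cert_matches_key() {
    c=$(openssl x509 -in "$1" -noout -pubkey | openssl md5)
    k=$(openssl pkey -in "$2" -pubout | openssl md5)
    [ -n "$c" ] && [ "$c" = "$k" ]
}

# Combine the CRT files into one: server certificate first, then the chain
# certificates in issuing order (each intermediate before the one that signed it).
# $1 = output file, $2 = server cert, remaining args = chain certs.
bundle_certs() {
    out="$1"; shift
    : > "$out"
    for f in "$@"; do cat "$f" >> "$out"; done
}

# CN of the first certificate in a file; in a correct bundle that is the server cert.
first_cn() {
    openssl x509 -in "$1" -noout -subject | sed -n 's/.*CN *= *//p'
}

# True if the bundle's first certificate chains up to the trusted root using the
# other certificates in the bundle. $1 = bundle, $2 = trusted root CA file.
bundle_verifies() {
    openssl verify -CAfile "$2" -untrusted "$1" "$1" >/dev/null 2>&1
}

# Constructed stand-in for the Certificate Authority: creates a root, an
# intermediate and a server certificate for host $2 inside directory $1
# (root.crt, inter.crt, server.crt, server.key). Never use this for a real server.
fake_ca_issue() {
    d="$1"; host="$2"
    printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=keyCertSign,cRLSign\n' > "$d/ca.ext"
    printf 'basicConstraints=CA:FALSE\nsubjectAltName=DNS:%s\n' "$host" > "$d/leaf.ext"
    for name in root inter server; do
        case $name in
            root)   subj="/CN=Constructed Test Root" ;;
            inter)  subj="/CN=Constructed Test Intermediate" ;;
            server) subj="/C=US/ST=MD/L=Chevy Chase/O=Example/CN=$host" ;;
        esac
        openssl req -new -newkey rsa:2048 -nodes -keyout "$d/$name.key" \
            -out "$d/$name.csr" -subj "$subj" 2>/dev/null
    done
    openssl x509 -req -in "$d/root.csr" -signkey "$d/root.key" -days 1 \
        -extfile "$d/ca.ext" -out "$d/root.crt" 2>/dev/null
    openssl x509 -req -in "$d/inter.csr" -CA "$d/root.crt" -CAkey "$d/root.key" \
        -CAcreateserial -days 1 -extfile "$d/ca.ext" -out "$d/inter.crt" 2>/dev/null
    openssl x509 -req -in "$d/server.csr" -CA "$d/inter.crt" -CAkey "$d/inter.key" \
        -CAcreateserial -days 1 -extfile "$d/leaf.ext" -out "$d/server.crt" 2>/dev/null
}

# Usage: sh bundle_check.sh www.example.com
if [ $# -ge 1 ]; then
    work=$(mktemp -d)
    fake_ca_issue "$work" "$1"
    bundle_certs "$work/spree.crt" "$work/server.crt" "$work/inter.crt"
    if cert_matches_key "$work/spree.crt" "$work/server.key"; then
        echo "ok:   certificate matches the private key"
    else
        echo "FAIL: certificate does not match the private key"
    fi
    if [ "$(first_cn "$work/spree.crt")" = "$1" ]; then
        echo "ok:   server certificate is first in the bundle"
    else
        echo "FAIL: first certificate in the bundle is not the server certificate"
    fi
    if bundle_verifies "$work/spree.crt" "$work/root.crt"; then
        echo "ok:   bundle chains to the trusted root"
    else
        echo "FAIL: bundle does not chain to the trusted root"
    fi
    echo "spree.crt and server.key in $work correspond to /etc/ssl/spree.crt and /etc/ssl/spree.key"
fi
```

With a real CA, replace fake_ca_issue by the files the CA sent you and pass the CA's published root (or your system trust store) as the second argument of bundle_verifies; an intermediate placed before the server certificate fails the first_cn check, and a certificate issued for a different CSR fails cert_matches_key, which are the two mistakes that otherwise surface only as a web server that will not start after the Puppet run.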