At work, we are required to SSL our web applications, which in itself is not bad; there is only one little problem: these are Windows applications.
Therefore, I propose a small change to all web application deployments on the internet: use Linux. The Microsoft way is so convoluted and unnecessarily esoteric, nonstandard and brain dead that I am more than happy to show the "right" way:
There are nowadays many ways to install a certificate, and many different setups. I'll use Apache on Linux, specifically CentOS, but it applies to any Linux flavor, really. In fact, I used this method to set up my SSL certificate locally on my Linux Mint box to test this very techfuel.net website. Here it goes:
Generate a Website key (KEY) and a Certificate request (CSR):
openssl req -nodes -newkey rsa:2048 -keyout www.techfuel.net.key -out www.techfuel.net.csr
The above will create two files:
[julio@techfuel-networks certificates]$ ls -la
-rw-rw-r-- 1 julio julio 1054 May 1 05:00 www.techfuel.net.csr
-rw-rw-r-- 1 julio julio 1704 May 1 05:00 www.techfuel.net.key
[julio@techfuel-networks certificates]$
The key file (the private key) will be used by Apache (or your web server) to encrypt and decrypt the information that flows between your website and your users' browsers; this file is to be kept "protected" at all times. The CSR file is your certificate "request", which the certificate authority will use to "validate" your information.
Now, there are two ways to proceed. The first method is to generate what is called a self-signed certificate. This method has the advantage of not requiring anything else but running another command on your server to generate it; the disadvantage is that the resulting certificate will trigger a warning in every web browser stating that the certificate is, well, self-signed, and could be invalid. You usually want to use self-signed certificates for testing purposes only. The second method is submitting your certificate request to a certificate authority for validation. Usually they will verify that you are the owner of the website you want the certificate for by emailing the account listed in the domain's settings, so if you don't own the domain, most likely you won't be able to submit the certificate for validation.
SSL certificates cost money, and range from about $9.00 to hundreds of dollars. For the purposes of this discussion, I'll go ahead and buy a "RapidSSL", which is a certificate that works for small to midsize websites (it is based on requests), and its price ranges from $9.00 to about $12.00.
After buying the certificate, typically you will receive it in an email, or a link to download it. At the end of the process, you will end up with three files: the CSR, the KEY and the CRT files. You can potentially remove the certificate request (CSR) at this time. Now we need to know where to put them in our filesystem. In Apache land, you place the files here:
[root@techfuel-networks certificates]# ls /etc/pki/tls/
cert.pem  certs  misc  openssl.cnf  private
[root@techfuel-networks certificates]#
Put the KEY file in the private folder, and the CRT file in your certs folder and voila.
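As an added example (not the post's own commands), here is a small shell script that runs the key and CSR step above unattended, self-signs the CSR for local testing (the post's first method), locks down the key file and checks that the key and certificate actually belong together before they go into /etc/pki/tls. The hostname www.example.test and the ./certificates directory are placeholders chosen for this example; openssl is assumed to be installed.

```shell
#!/bin/sh
# Added example, not code from the original post.
# Assumptions: openssl is on PATH; "www.example.test" and ./certificates
# are placeholder values.
set -e

make_test_cert() {
    host="$1"
    dir="${2:-./certificates}"
    mkdir -p "$dir"
    # Private key + CSR, as in the post. -nodes leaves the key unencrypted so
    # Apache can read it on restart without a passphrase prompt; -subj skips
    # the interactive questionnaire so this runs unattended.
    openssl req -nodes -newkey rsa:2048 \
        -keyout "$dir/$host.key" -out "$dir/$host.csr" \
        -subj "/CN=$host" 2>/dev/null
    # Method one from the post: self-sign the CSR with our own key.
    # Browsers will warn on it; that is expected for a test certificate.
    openssl x509 -req -days 30 -in "$dir/$host.csr" \
        -signkey "$dir/$host.key" -out "$dir/$host.crt" 2>/dev/null
    # The key must stay "protected": owner-only read/write.
    chmod 600 "$dir/$host.key"
}

# Returns 0 only when the CSR is well-formed and the certificate's public key
# matches the private key. This is the check you want before dropping a
# CA-issued CRT next to the wrong KEY file in /etc/pki/tls/private.
verify_pair() {
    host="$1"
    dir="${2:-./certificates}"
    openssl req -in "$dir/$host.csr" -noout -verify 2>/dev/null || return 1
    key_pub=$(openssl pkey -in "$dir/$host.key" -pubout 2>/dev/null | openssl md5)
    crt_pub=$(openssl x509 -in "$dir/$host.crt" -noout -pubkey 2>/dev/null | openssl md5)
    [ "$key_pub" = "$crt_pub" ]
}

# Shows who the certificate is for and how long it is valid.
show_cert() {
    openssl x509 -in "${2:-./certificates}/$1.crt" -noout -subject -dates
}
```

Run `make_test_cert www.example.test && verify_pair www.example.test && show_cert www.example.test` to produce and sanity-check a test pair; a CA-issued CRT can be checked against its KEY with `verify_pair` alone.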
I've left out a couple of things here (where to buy SSL certs, restarting apache, creating a VirtualHost entry in the configuration file, etc.). Reply if interested :)