Generating a CSR for Apache/Nginx with OpenSSL

You’ve decided to install a certificate on your Apache or Nginx server — a great choice! Let’s break down the steps to make it happen:

  1. Generate a CSR (Certificate Signing Request) and its private key on the server.
  2. Submit the CSR to your SSL certificate provider to activate the purchased certificate. Only the CSR is sent; the private key never leaves the server.
  3. Complete validation with the Certificate Authority (CA) or certificate provider (the exact checks depend on the certificate type and on your CA/provider).
  4. Install the issued certificate on the server.

Additionally, there are several certificate types you should be aware of:

  1. Domain Validation (DV) Certificates:
    • The most commonly used certificates. They carry only the domain name(s), the validity period, and the CA name.
    • Validation consists of proving control of the domain (typically via e-mail, a DNS record, or a file on the web server).
  2. Organization Validation (OV) Certificates:
    • Slightly more involved than DV certificates; OV certificates include the organization's details in addition to everything a DV certificate has.
    • Require a legally registered company and a verification (callback) process with the Certificate Authority before issuance.
  3. Extended Validation (EV) Certificates:
    • The most demanding to obtain. Older browsers highlighted EV certificates with a green address bar showing the organization name; current browsers no longer do this, and the organization details are visible only in the certificate viewer.
    • Require a legally registered organization and the submission of additional documents to the Certificate Authority.
    • EV does not change the encryption in any way; its value lies in the stricter identity vetting, which some organizations and compliance regimes require.

Furthermore, SSL certificates can be categorized as follows:

  1. Single-Domain Certificates:
    • Typically secure the main (bare) domain and its www subdomain (e.g., yourdomain.com and www.yourdomain.com).
    • Some Certificate Authorities issue for exactly one name, so a certificate activated for yourdomain.com may not cover the www subdomain. Check what your CA includes before ordering.
    • You can also activate a certificate for a specific subdomain, such as sub.domain.yourdomain.com.
  2. Multi-Domain Certificates (UCC – Unified Communications Certificate, also sold as SAN certificates):
    • Can secure several different domain names; depending on the Certificate Authority, up to 25 or 100 names per certificate.
    • The names can be domains, subdomains, or any mix of the two.
  3. Wildcard Certificates:
    • Secure all first-level subdomains of the domain they were activated for. Most Certificate Authorities also add the bare domain (yourdomain.com) to the certificate; confirm this with yours.
    • For example, a certificate for *.yourdomain.com covers sub1.yourdomain.com, sub2.yourdomain.com, and so on.
    • The wildcard matches exactly one label, so it does not cover deeper names such as sub1.sub2.yourdomain.com; those need their own certificate or a wildcard for *.sub2.yourdomain.com.

While it may sound complicated, the process is not that difficult. Let’s start with the CSR. We recommend generating the certificate request on the server itself rather than with an online tool: a web-based generator creates the private key on someone else’s machine, and a key that has passed through a third party can no longer be considered private.

Connect to your VPS via SSH and navigate to your home directory with the following command:

cd ~

Next, generate the CSR and private key files using the following command:

openssl req -newkey rsa:2048 -nodes -keyout yourdomain.key -out yourdomain.csr

Here, yourdomain.csr is your CSR file and yourdomain.key is the private key file. rsa:2048 creates a 2048-bit RSA key, the usual minimum CAs accept today. The -nodes option writes the key without a passphrase, so the web server can read it at startup without prompting; this is the normal choice for a server key, and it is why the file’s permissions matter (see below).

!!ATTENTION!! Do not delete the private key! It is required for installing the certificate on the server, and a certificate issued from this CSR will not work with any other key. Never send the private key to the CA or to support; only the CSR is ever transmitted. Keep the key in a non-public directory on the server, restrict its permissions so that only the root user can read it (mode 0600), and if you keep a backup on your local machine, store it encrypted: anyone who obtains the key can impersonate your site for as long as the certificate is valid.

After executing the command, you will be prompted with a few questions. Here are example answers:

Country Name (2 letter code) [AU]:US
State or Province Name (full name) [Some-State]:New York
Locality Name (eg, city) []:New York
Organization Name (eg, company) [Internet Widgits Pty Ltd]:My Own Company
Organizational Unit Name (eg, section) []:
Common Name (e.g. server FQDN or YOUR name) []:yourdomain.com
Email Address []:mail@yourdomain.com

Please enter the following 'extra' attributes to be sent with your certificate request
A challenge password []:
An optional company name []:

Let’s delve into the details of these questions. The address details specified in the certificate request are not used for issuance (for OV and EV certificates the organization’s address is collected separately during validation). Leave the two 'extra' attributes empty: the challenge password is a legacy field that some Certificate Authorities reject, and it is not a passphrase on your private key, so it adds no protection.

Regarding the common name of the certificate, use the exact fully qualified domain name you want to secure with the certificate (for a wildcard certificate, *.yourdomain.com). Do not use your full name or the name of your organization; only the domain name should be used. Note that modern browsers ignore the common name and check the Subject Alternative Name (SAN) list instead; the CA fills the SAN list from your request and from the names you enter when activating the certificate, so make sure every name you need (for example both yourdomain.com and www.yourdomain.com) appears in your order.

In essence, the certificate request is an unsigned certificate: it contains your public key and the subject fields you entered, and it is signed with your private key so the CA can confirm the request came from whoever holds that key. The private key file contains the private half of the same key pair. The CA signs the public key into a certificate; the server later uses the private key to prove, during the TLS handshake, that it owns that certificate.
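The same key-and-CSR generation as above, done non-interactively with a Subject Alternative Name list, followed by the checks worth running before the CSR leaves the server: that the request’s self-signature verifies, that the key file on disk really matches the CSR, and which names the CSR asks for. This is an added example and not part of the original article; the domain names, DN values, and file names are placeholders (assumptions), and the script needs only the openssl command-line tool.

```shell
#!/bin/sh
# Added example, not from the original article. Generates a private key and a
# CSR non-interactively with a SAN list, then checks the pair before the CSR
# is sent to the CA. Domain names and DN values are placeholders (assumptions).
set -e

# gen_csr OUTDIR NAME DOMAIN [MORE_DOMAINS...]
# Writes OUTDIR/NAME.key (readable by the owner only) and OUTDIR/NAME.csr.
# The first domain becomes the Common Name; every domain is listed in
# subjectAltName, which is the field browsers actually check.
gen_csr() {
  outdir=$1; name=$2; cn=$3; shift 3
  sans="DNS:$cn"
  for d in "$@"; do sans="$sans,DNS:$d"; done
  cfg="$outdir/$name.cnf"
  cat > "$cfg" <<EOF
[req]
prompt = no
distinguished_name = dn
req_extensions = ext

[dn]
C  = US
ST = New York
L  = New York
O  = My Own Company
CN = $cn

[ext]
subjectAltName = $sans
EOF
  # umask 077 in a subshell: the key file is created mode 0600 from the start,
  # so there is never a moment when it is world-readable. -nodes = no passphrase.
  ( umask 077 && openssl req -new -newkey rsa:2048 -nodes -config "$cfg" \
      -keyout "$outdir/$name.key" -out "$outdir/$name.csr" 2>/dev/null )
}

# csr_verify CSR: succeeds if the CSR's self-signature is valid, i.e. it was
# produced by the holder of the private key and has not been altered since.
csr_verify() {
  openssl req -in "$1" -noout -verify >/dev/null 2>&1
}

# key_matches_csr KEY CSR: succeeds if the public key inside the CSR is the one
# derived from KEY. A mismatch means the certificate issued from this CSR
# will never load together with this key file.
key_matches_csr() {
  k=$(openssl pkey -in "$1" -pubout 2>/dev/null) || return 1
  c=$(openssl req -in "$2" -noout -pubkey 2>/dev/null) || return 1
  [ "$k" = "$c" ]
}

# csr_sans CSR: print the DNS names requested in the CSR, one per line,
# so they can be compared against the order before submitting.
csr_sans() {
  openssl req -in "$1" -noout -text 2>/dev/null \
    | grep -o 'DNS:[^,[:space:]]*' | sed 's/^DNS://'
}
```

Usage: `gen_csr ~ yourdomain yourdomain.com www.yourdomain.com` produces the same two files as the interactive command, then `csr_verify ~/yourdomain.csr && key_matches_csr ~/yourdomain.key ~/yourdomain.csr && csr_sans ~/yourdomain.csr` confirms the pair is consistent and shows exactly which names you are asking the CA for. Running key_matches_csr again after installation, against the key the web server is configured to load, catches the most common "certificate installed but site will not start" mistake: a key from a different CSR.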

To view the CSR, you can use any text editor or the cat command. We recommend using nano or cat:

nano yourdomain.csr

or

cat yourdomain.csr

Copy the entire block, including the header and footer lines "-----BEGIN CERTIFICATE REQUEST-----" and "-----END CERTIFICATE REQUEST-----", and paste it into your Certificate Authority’s (CA) or certificate provider’s activation form to initiate the certificate activation process. Only the .csr file is pasted; the .key file stays on the server.

Small tip: press CTRL+X to close nano editor.

That completes the process of generating a CSR and a private key for your certificate activation. Once you have the certificate, follow the instructions to install it on Apache or Nginx web servers.

Keep it secure!
