How to install an SSL certificate on a VPS the right way
11:48, 05.01.2022
What you need to install an SSL certificate
Note that the procedure for generating and installing a certificate on the server varies between operating systems and web servers. These instructions are written primarily for users of the Apache web server, because it is the most widespread and popular.
The first thing you need to do is generate a CSR (certificate signing request) for the domain. By default Apache has an OpenSSL utility - this is what we need. Enter the command:
openssl req -newkey rsa:2048 -nodes -keyout domain.com.key -out domain.com.csr
Replace "domain.com" with your own domain name. You will then be asked to enter the data for the signing request; this data is displayed in the certificate. To be safe, check the CSR for correctness with the command:
openssl req -noout -text -in domain.com.csr
If your request is formulated correctly, you will get a text that looks something like this:
Certificate Request:
    Data:
        Version: 0 (0x0)
        Subject: C=ru, ST=ddd, L=fff, O=ddd, OU=ss, CN=domain.com
        Subject Public Key Info
            Public Key Algorithm: rsaEncryption
            RSA Public Key: (1024 bit)
                Modulus (1024 bit):
                    […]
The result of this work is two new files: the certificate request domain.com.csr and the secret key domain.com.key. Once you have paid for the certificate through My Services, you can proceed directly to installing it. You can do this in several ways.
Installing an SSL Certificate through ISPmanager
In the ISPmanager control panel, first go to the Users section and grant SSL capability to the user that owns the domain. Then log in, go to the SSL certificates section and click "Add Certificate".
In the "Certificate type" menu, select "Existing". Here you need to fill in five key fields:
- Certificate name - domain name for which SSL is issued.
- Key - encrypted private (RSA) key data which is automatically generated along with the CSR request and starts with the tag -----BEGIN PRIVATE KEY-----. The CSR-RSA keyring can be found in the mail unless you have disabled this option.
- Certificate - the contents of the certificate, which is stored in the archive and has the extension .crt. You can open it with Notepad.
- Password - must be specified if you are adding an SSL certificate with an encrypted key.
- Certificate chain - the contents of the SSL certificate chain file in PEM format. As a rule, the CA sends an archive containing two files - the certificate itself and the certificate chain with the .ca-bundle extension.
Once you add a certificate, you can enable it for the site. To do this, visit the WWW domains item, select the appropriate domain and activate the enhanced SSL security option by selecting the appropriate certificate. This is the simple way to do everything in the ISPmanager control panel, but manual installation on Apache and Nginx is also possible. We will tell you about that another time.
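An added example (not from the original article): checks worth running before pasting the Key, Certificate and Certificate chain fields into the panel, confirming that the private key matches the certificate and that the certificate was issued by a CA in the bundle. The function names and the throwaway CA built by make_test_pki are constructed for the demonstration; the bundle is treated as the trust anchor, so this checks consistency of the three files, not public trust.

```sh
#!/bin/sh
# Added example: pre-upload consistency checks for key, certificate and chain.

pub_hash() {  # usage: pub_hash key|cert <file>; prints a SHA-256 of the public key
    case $1 in
        key)  openssl pkey -in "$2" -pubout 2>/dev/null ;;
        cert) openssl x509 -in "$2" -noout -pubkey 2>/dev/null ;;
    esac | openssl sha256
}

check_bundle() {  # usage: check_bundle <key> <crt> <ca-bundle>
    # 1. the private key must parse (an unparsable file would hash as empty)
    openssl pkey -in "$1" -noout </dev/null 2>/dev/null ||
        { echo "key unreadable"; return 1; }
    # 2. key and certificate must carry the same public key
    [ "$(pub_hash key "$1")" = "$(pub_hash cert "$2")" ] ||
        { echo "key does not match certificate"; return 2; }
    # 3. the certificate must be issued by a CA contained in the bundle
    openssl verify -partial_chain -CAfile "$3" "$2" >/dev/null 2>&1 ||
        { echo "chain does not match certificate"; return 3; }
    echo "ok"
}

make_test_pki() {  # constructed sample data: throwaway CA and leaf in directory $1
    d=$1
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
        -subj "/CN=Constructed Test CA" \
        -keyout "$d/ca.key" -out "$d/ca.crt" 2>/dev/null &&
    openssl req -newkey rsa:2048 -nodes -subj "/CN=example.com" \
        -keyout "$d/leaf.key" -out "$d/leaf.csr" 2>/dev/null &&
    openssl x509 -req -in "$d/leaf.csr" -CA "$d/ca.crt" -CAkey "$d/ca.key" \
        -CAcreateserial -days 1 -out "$d/leaf.crt" 2>/dev/null
}

# Demo run on constructed data in a temporary directory.
tmp=$(mktemp -d) && make_test_pki "$tmp" &&
    check_bundle "$tmp/leaf.key" "$tmp/leaf.crt" "$tmp/ca.crt"
rm -rf "$tmp"
```

With real files, pass the .key, .crt and .ca-bundle paths to check_bundle; a non-zero return code identifies which of the three checks failed.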
Installing Let's Encrypt
Let's Encrypt - Organization Validation (OV SSL). This certificate authority confirms domain ownership automatically, using the ACME protocol. The beauty of Let's Encrypt is that you can use its services to bind SSL to your VPS site for free, while most other organizations charge a fee for this. But there are nuances:
- A Let's Encrypt certificate is valid for 90 days, while paid certificates are usually active from one to two years. In general, this is not such a disadvantage, because the project supports automatic renewal.
- Let's Encrypt does not work on some platforms. According to current data, this list includes Blackberry < v10.3.3, Android < v2.3.6, Windows XP (up to SP3) and a number of other platforms the complete list of which you can find on the official website. Yes, these are outdated platforms, and for many companies, they have long lost all relevance, but there are exceptions.
- The organization issues only certificates with basic domain ownership verification. Company validation is a feature of paid certificates. Thus, having an SSL certificate from Let's Encrypt does not guarantee that the site is not fraudulent, because the organization does not verify the owner's registration as a legal entity or an individual.
Therefore, this certificate will not work for large companies and enterprises, and it is much more reliable to use the variant with a paid SSL. If basic domain verification is enough for your purposes, you can proceed with the installation. Let's walk through the sequence of operations using cPanel as an example:
- In the Security section, find the Let's Encrypt SSL item.
- From the list of available domains, select the one for which you want to issue a certificate.
- In the "Installing certificate to: domain_name" box select several subdomains that need protection by a Let's Encrypt certificate.
- In the "Please choose an SSL validation method" box, select the validation method and then click "Issue".
After that, all that remains is to run the installation procedure, which usually lasts no more than 20-30 seconds. When the procedure is complete, you will receive a notification. Go back to the main page: here you can find information about the domains for which the certificate was installed, as well as the validity period. If necessary, you can remove the SSL certificate or reinstall it.
Why order an SSL certificate from the HostZealot hosting panel
When you rent a VPS from HostZealot, you can choose any convenient control panel, which will allow you to install your SSL certificate in a couple of clicks. You will be able to go through the Domain Validation (DV SSL) procedure both manually and automatically. To get more information on the issues of interest to you, contact us at the telephone numbers indicated on the website or via LiveChat. Our specialists will always offer assistance regarding service conditions and working with dedicated servers.