On Sat, 14 Jun 2008, Khalid Schofield wrote:

> Hi,
> I need to get a proper signed SSL certificate for my ecommerce website
> hosted on my OpenBSD box. Getting confused as most websites describe
> how to do this in many different ways and most refer to self-signed
> certificates. Wanted to ask the experts before I go and throw $100 at
> the task.

First, I'd recommend that you spend a little time reading up on X.509
certificates and how they relate to public key cryptography. There are
nasty consequences if you get things wrong that extend well past wasting
$100 on a certificate you can't use.

> So do I have to use pass phrases when generating the certificate? If
> I use a pass phrase why? How does it affect the certificate and its
> use?

Certificates don't have passphrases, private keys do. A key passphrase
gives some measure of protection should the file containing your key fall
into someone else's hands, e.g. by compromising your server. If your
private key is disclosed, an attacker could impersonate your server.

> Also if I use a pass phrase do I have to tell apache about it? Does it
> go in a config or do I have to enter it when reloading apache?

Putting it in a configuration file would defeat the purpose, no? Yes, if
you use a passphrase then you need to tell Apache about it every time it
is reloaded. For this reason, many web servers do not set passphrases on
their keys.

> Also what command do you use to do this? Please tell all :)

openssl req

OpenSSL is complex and patchily documented; it assumes that its users are
quite familiar with X.509 certificates and public key cryptography. There
are some frontends that make things simpler, and some good guides on the
net. Try typing "openssl certificate" into your favourite search engine
for a few.

> One last thing who would you recommend to sign my CSR?

Go for the cheapest certification authority that is supported by Firefox
and Internet Explorer. Do not be fooled by any claims of "premium
certification" as the overwhelming majority of users do not check the CA
details.

> Thanks sorry for the stupid questions but I've never done this before
> and risked my actual money (only the company's).

Like I said, risking $100 on a dud cert is the least of your worries.

-d
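The steps the reply sketches (a passphrase-protected private key, then a CSR made with `openssl req` for the CA to sign), as an added example that is not part of the original thread. It assumes the `openssl` command line tool is installed; the hostname, organisation, file paths and passphrase are constructed for the demo.

```shell
#!/bin/sh
# Added example: key + CSR generation with the openssl CLI, plus two checks.
# All names below are constructed for the demo; replace them with your own.
set -eu

WORKDIR="${TMPDIR:-/tmp}/csr-demo.$$"
KEY="$WORKDIR/server.key"
CSR="$WORKDIR/server.csr"
# Demo passphrase only. "pass:" on a command line is visible in the process
# list; for real keys let openssl prompt or use -passout file:... instead.
PASS="pass:demo-passphrase-change-me"

make_key_and_csr() {
    mkdir -p "$WORKDIR" && chmod 700 "$WORKDIR"
    # The passphrase protects the private key file, not the certificate.
    openssl genrsa -aes256 -passout "$PASS" -out "$KEY" 2048 2>/dev/null
    chmod 600 "$KEY"
    # The CSR is what you send to the CA. CN must be the hostname visitors
    # will type; the CA signs the public key embedded here, never the key.
    openssl req -new -key "$KEY" -passin "$PASS" -out "$CSR" \
        -subj "/C=GB/O=Example Shop Ltd/CN=shop.example.com" 2>/dev/null
}

# Exit 0 if the key file is encrypted (a wrong passphrase must be rejected).
key_is_encrypted() {
    ! openssl rsa -in "$KEY" -passin pass:wrong -noout 2>/dev/null
}

# Exit 0 if the CSR's self-signature verifies and it names the expected CN.
csr_is_valid() {
    openssl req -in "$CSR" -noout -verify 2>/dev/null &&
    openssl req -in "$CSR" -noout -subject | grep -q 'CN *= *shop.example.com'
}

make_key_and_csr
key_is_encrypted && csr_is_valid &&
    echo "key is encrypted and CSR verifies; submit $CSR to the CA"
```

Because the key is encrypted, Apache will prompt for the passphrase on every reload unless you strip it with `openssl rsa` into a separate unencrypted file, which is the trade-off the reply describes.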