Notes about installing SSL the long and hard way

Now GoDaddy offers experts to install your SSL for you and do audits etc. This means things are getting serious on the net and the news on the radio supports that.  But I thought, why is there so much difficulty in installing SSL? Well, it isn’t that difficult but there are a lot of things to know – that is likely what it is all about.

My challenge to myself is that if we generate a CSR on one computer (in this case unix) – how do we get it to a whole different platform (in this case windows IIS)? The process is not hard, it is the research to understand it all. Now I have it here for reference for future endeavours.

  • format an SSD card
  • unix $: openssl req -new -newkey rsa:2048 -nodes -keyout /path/to/ssd/card/mydomain.com.key -out /path/to/ssd/card/mydomain.csr
    • this makes a private key (.key file) and a certificate signing request (.csr file)
  • go to GoDaddy – this is the first thing they ask for
  • when you get an email STAY ON THE COMPUTER WITH THE PRIVATE KEY, as we need the private key to eventually be on the server that SSL will be served from
  • download the info in IIS format to the ssd card (that is a pulldown) and it gives you
    • certificate (.cer file) they give you (let's call this godaddy.cer)
    • intermediate certificate (let's call this godaddy.p7b)
    • but this zip file contains NO private key … and you need that private key
  • if you are bored – you can open up all these files – they are all text files. Look at the first row and you will see most of them are different from each other.
  • Next, from an ancient web article and a modern one – to easily import all the certificates into Windows IIS, Windows requires an “import” of the downloaded files WITH the private key, and Windows does this with a .pfx file. This pfx (a binary format) contains the intermediate certificate and the private key once it is generated. You can do all this with openssl
    • first convert the p7b file into a certificate format that openssl can use (same article)
      • openssl pkcs7 -print_certs -in /path/to/ssd/card/godaddy.p7b -out /path/to/ssd/card/godaddy.p7b.crt
    • openssl pkcs12 -export -out /path/to/ssd/card/certificate.pfx -inkey /path/to/ssd/card/mydomain.com.key -in /path/to/ssd/card/godaddy.cer -certfile /path/to/ssd/card/godaddy.p7b.crt
  • Now you will see a .pfx file which is binary – so you can’t copy/paste it – it has to be a file transfer
    • upload it securely to your server and using the certificates mmc snap in – you IMPORT it.
    • THEN go to IIS’s root and “complete” the remaining certificate ensuring you do NOT click the “exportable” options
  • Copy your SSD to another one
  • Store them safely away
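
A check worth running before the pkcs12 step, as an added example that is not from the original notes: it confirms that the private key, the CSR and the issued certificate all carry the same public key, then builds the .pfx and verifies it. It assumes a throwaway self-signed CA (ca.key, ca.crt) constructed here as a stand-in for GoDaddy; the function names and the PFX_PASS environment variable are hypothetical.

```shell
#!/bin/sh
# Added example. File names follow the notes above; the CA is a throwaway
# self-signed one constructed here as a stand-in for GoDaddy.

# Print a hash of the public key inside a key, CSR or certificate file.
pubkey_hash() {  # $1 = key|csr|cert, $2 = file
  pub=$(case "$1" in
    (key)  openssl pkey -in "$2" -pubout ;;
    (csr)  openssl req  -in "$2" -noout -pubkey ;;
    (cert) openssl x509 -in "$2" -noout -pubkey ;;
    (*)    false ;;
  esac 2>/dev/null) || return 1
  [ -n "$pub" ] || return 1   # unreadable input must never hash as "equal"
  printf '%s\n' "$pub" | openssl sha256
}

# Stand-in for the CA round trip: sign the CSR and ship the chain as a .p7b.
make_test_material() {  # $1 = directory playing the role of the card
  openssl req -new -newkey rsa:2048 -nodes -subj "/CN=mydomain.com" \
    -keyout "$1/mydomain.com.key" -out "$1/mydomain.csr" 2>/dev/null &&
  openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=Constructed Test CA" \
    -keyout "$1/ca.key" -out "$1/ca.crt" 2>/dev/null &&
  openssl x509 -req -in "$1/mydomain.csr" -CA "$1/ca.crt" -CAkey "$1/ca.key" \
    -CAcreateserial -days 1 -out "$1/godaddy.cer" 2>/dev/null &&
  openssl crl2pkcs7 -nocrl -certfile "$1/ca.crt" -out "$1/godaddy.p7b"
}

# Succeeds only when key, CSR and issued certificate carry the same public key.
key_matches() {  # $1 = key, $2 = csr, $3 = cert
  k=$(pubkey_hash key "$1") && c=$(pubkey_hash csr "$2") &&
  x=$(pubkey_hash cert "$3") && [ "$k" = "$c" ] && [ "$k" = "$x" ]
}

# Build certificate.pfx as in the notes; the export password is read from $PFX_PASS.
build_pfx() {  # $1 = directory holding the files
  key_matches "$1/mydomain.com.key" "$1/mydomain.csr" "$1/godaddy.cer" ||
    { echo "private key does not match godaddy.cer" >&2; return 1; }
  openssl pkcs7 -print_certs -in "$1/godaddy.p7b" -out "$1/godaddy.p7b.crt" &&
  openssl pkcs12 -export -out "$1/certificate.pfx" -passout env:PFX_PASS \
    -inkey "$1/mydomain.com.key" -in "$1/godaddy.cer" \
    -certfile "$1/godaddy.p7b.crt"
}

# The MAC check fails on a wrong password or a file damaged in transfer.
verify_pfx() {  # $1 = pfx file
  openssl pkcs12 -in "$1" -noout -passin env:PFX_PASS 2>/dev/null
}
```

With the real files from the CA, skip make_test_material, export PFX_PASS, and call build_pfx on the directory that holds them; verify_pfx can be run again on the server side after the transfer.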