Linode Library Home
Linode Library RSS Feed
Home :: Security :: SSL Guides
Print View View Source

Obtaining a Commercial SSL Certificate

Published: by

Follow these instructions to get a commercial SSL certificate installed on your server. Please note that commercial SSL certificates require a unique IP address for each certificate. As SSL certificates may be used by many kinds of software, these instructions are generic in nature. If you're intending to use your SSL certificate on a website powered by Apache, you should follow our Apache SSL guides instead.


Install OpenSSL

Issue the following command to install required packages for OpenSSL, the open source SSL toolkit.

Debian/Ubuntu users:

apt-get update
apt-get upgrade
apt-get install openssl
mkdir /etc/ssl/localcerts

CentOS/Fedora users:

yum install openssl
mkdir /etc/ssl/localcerts

Create a Certificate Signing Request

Issue these commands to create a certificate signing request (CSR) for the site which you'd like to use with SSL. Be sure to change "" to reflect the fully qualified domain name ( of the site you'll be using SSL with. Leave the challenge password blank. We entered 365 for the days parameter to the command, as we would be paying for one year of SSL certificate verification from a commercial CA (certificate authority).

cd /etc/ssl/localcerts
openssl req -new -nodes -days 365 -keyout -out

If your SSL provider requires 2048-bit keys, please add the following option to the command shown above:

-newkey rsa:2048

Here are the values we entered for our example certificate. Note that you can ignore the extra attributes.

Generating a 1024 bit RSA private key
writing new private key to ''
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
Country Name (2 letter code) [AU]:US
State or Province Name (full name) [Some-State]:New Jersey
Locality Name (eg, city) []:Absecon
Organization Name (eg, company) [Internet Widgits Pty Ltd]:MyDomain, LLC
Organizational Unit Name (eg, section) []:Web Services
Common Name (eg, YOUR name) []
Email Address []

Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:
An optional company name []:

Execute the following command to protect the key:

chmod 400 /etc/ssl/localcerts/

Files for your domain will be created in /etc/ssl/localcerts. You may now submit the file ending in .csr to a commercial SSL provider for signing. You will receive a signed file after the CA signs the request. Save this file as /etc/ssl/localcerts/

Execute the following command to protect the signed certificate:

chmod 400 /etc/ssl/localcerts/

Get the CA Root Certificate

Now you'll need to get the root certificate for the CA that you paid to sign your certificate. You may obtain the root certs for various providers from these sites:

For example, if we downloaded a root cert for Verisign, we would save it to /etc/ssl/localcerts/verisign.cer. Note that many Linux distributions offer a package that contains updated root certificates for major certificate authorities; check your distribution's repositories for a package named "ca-certificates". If you have this package installed, the root CA certs will be installed under /etc/ssl/certs.

More Information

You may wish to consult the following resources for additional information on this topic. While these are provided in the hope that they will be useful, please note that we cannot vouch for the accuracy or timeliness of externally hosted materials.

Creative Commons License

This guide is licensed under a Creative Commons Attribution-NoDerivs 3.0 United States License.

Last edited by Amanda Folson on Monday, August 22nd, 2011 (r2402).