Services     Software     Commentary     Design     Astral Musings   
SSL Certificates
Installing SSL Certificates for HTTPS

2016-01, rickatech

Related [ edit ]


Since around 2010 when the first FireSheep web browser plugin made it easy for anyone to see unencrypted usernames and passwords being used over WiFI network, there has been increasing concern for more ubiquitous web encryption. 

Until recently the art and practice of preparing and deploying SSL Certificates to encrypt HTTPS web servers required both technical expertise and annual fees to 'trusted' security firms (e.g. Verisign) - who would in turn provide certificates considered genuine for wide web usage.  The technical barriers to generating and deploying SSL Certificates have pretty much evaporated since then.  The artificial tax to 'trusted' security firms to vet certificates for a fee looks to also evaporate, or at least reduce significantly, with Mozilla Foundation's new Let's Encrypt service that provides free SSL Certificates that are also considered legitimate for wide web usage.

# git clone

$ ./letsencrypt-auto certonly --manual -d
  - needs to be run from a system that can receive requests to
    to the target domain
  - generates 4 files
  - special web accessible directory will need to be populated with
    one time magic file

# ls -lh /etc/letsencrypt/archive/

  root root 1.8K cert1.pem
  root root 1.7K chain1.pem
  root root 3.5K fullchain1.pem
  root root 1.7K privkey1.pem 

A certificate can be generated to satisfy multiple domains by providing addition -d directives.

Update 2016-12-20

Apparently a new toolset called certbot has been rolled out.  Note, many Let's Encrypt tools depend on an API services that occasionally go offline for various reasons.  The API server status can be checked here:


Checking contents of a given certificate file.  There are many other variants of the openssl command to help peek inside a certificate file beside this.

$ openssl x509 -text -in cert.pem 

        Version: 3 (0x2)
        Serial Number:
    Signature Algorithm: sha256WithRSAEncryption
        Issuer: C=US, O=Let's Encrypt, CN=Let's Encrypt Authority X3
            Not Before: May 19 18:25:52 2020 GMT
            Not After : Aug 17 18:25:52 2020 GMT
zap technologies
tablet | printable