Obtaining a Commercial SSL Certificate
Updated by Nick Brewer
This guide has been deprecated and is no longer being maintained.
These instructions will show you how to install a commercial SSL certificate on your Linode. As SSL certificates can be used by many kinds of software, the steps provided are generic in nature. If you intend to use your SSL certificate on a website powered by Apache, you can continue to our Apache SSL guides for Debian & Ubuntu or CentOS once you’ve completed the process outlined here.
For an SSL setup with Nginx, please start with our Nginx and SSL guide.
If hosting multiple websites with commercial SSL certificates on the same IP address, use the Server Name Identification (SNI) extension of TLS. SNI is accepted by most modern web browsers. If you expect to receive connections from clients running legacy browsers (like Internet Explorer for Windows XP), you will need to contact support to request an additional IP address.
Issue the following commands to install required packages for OpenSSL, the open source SSL toolkit.
1 2 3
apt-get update && apt-get upgrade apt-get install openssl mkdir /etc/ssl/localcerts
1 2 3
yum update yum install openssl mkdir /etc/ssl/localcerts
Create a Certificate Signing Request
Issue the following commands to navigate to the
/etc/ssl/localcerts directory and create a certificate signing request (CSR) for the site that will be using SSL. Change
example.com to reflect the fully qualified domain name (FQDN) or IP of the site you’ll be using SSL with. Leave the challenge password blank. Note that in this example, we entered 365 for the days parameter, as we would be paying for one year of SSL certificate verification from a commercial certificate authority (CA):
cd /etc/ssl/localcerts openssl req -new -newkey rsa:2048 -nodes -sha256 -days 365 -keyout www.example.com.key -out www.example.com.csr
After the first command changes directories, the second command creates a
.csr and a
.key file under the
/etc/ssl/localcerts directory using these options:
-nodesinstructs OpenSSL to create a certificate that does not require a passphrase. If this option is excluded, you will be required to enter the the passphrase in the console each time the application using it is restarted.
-daysdetermines the length of time in days that the certificate is being issued for. We entered 365 for the days parameter to the command, as we would be paying for one year of SSL certificate verification from a commercial certificate authority (CA).
rsa:allows you to specify the size of the RSA key. In this case we’ve chosen 2048 bits as this is the recommended minimum size.
-sha256ensures that the certificate request is generated using 265-bit SHA (Secure Hash Algorithm).
Here are the values we entered for our example certificate. Note that you can ignore the extra attributes.
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24
Generating a 2048 bit RSA private key ......................................................++++++ ....++++++ writing new private key to 'www.example.com.key' ----- You are about to be asked to enter information that will be incorporated into your certificate request. What you are about to enter is what is called a Distinguished Name or a DN. There are quite a few fields but you can leave some blank For some fields there will be a default value, If you enter '.', the field will be left blank. ----- Country Name (2 letter code) [AU]:US State or Province Name (full name) [Some-State]:New Jersey Locality Name (eg, city) :Absecon Organization Name (eg, company) [Internet Widgits Pty Ltd]:MyDomain, LLC Organizational Unit Name (eg, section) :Web Services Common Name (eg, YOUR name) :www.mydomain.com Email Address :email@example.com Please enter the following 'extra' attributes to be sent with your certificate request A challenge password : An optional company name :
Execute the following command to protect the key:
chmod 400 /etc/ssl/localcerts/www.example.com.key
Files for your domain will be created in
/etc/ssl/localcerts. You may now submit the file ending in
.csr to a commercial SSL provider for signing. You will receive a signed file after the CA signs the request. Save this file as
Execute the following command to protect the signed certificate:
chmod 400 /etc/ssl/localcerts/www.example.com.crt
Get the CA Root Certificate
Most modern distributions come with common root CA certificates installed as part of the “ca-certificates” package. To check if this package is installed, you can run this command:
apt-cache policy ca-certificates
yum list installed ca-certificates
The “ca-certificates” package comes with a bundle of root certs that can be used with commonly accepted certificate authorities. The specific location of the bundle varies depending upon the distribution:
If you’re using an older distribution that does not have the “ca-certificates” package, you will need to download your root certificate from the CA that issued it. Some of the most common commercial certificate authorities are listed below:
Once you’ve downloaded your root certificate, you can add it to the
/etc/ssl/localcerts directory. For example, if you were to download a root certificate for Verisign, you would save it to
You may wish to consult the following resources for additional information on this topic. While these are provided in the hope that they will be useful, please note that we cannot vouch for the accuracy or timeliness of externally hosted materials.
This guide is published under a CC BY-ND 4.0 license.