With having various IT-related jobs for nearly 30(!) years now, I consider myself to be pretty technically savvy. But every once in a while, there’s something that’s so complex that I just can’t believe that some bit of technical wizardry is so prevalent yet difficult for me to wrap my head around. And holy cow, generating & installing SSL certs aren’t just one of those things…SSL certs might be the quintessentially worst bit of technology that actually does amazingly good things.
Now I’ll admit, that part of this is probably me just being cheap–instead of paying my hosting service a little more every year to keep this website alive & automatically renew the site’s SSL, I went with a cheaper plan that means i have to manage the SSL cert.
And just like anything else that’s technical & intricate to do, details on how to do such things often gets lost…especially when you only have to do that task once a year.
I want to rectify that by documenting what I (finally!) did to get it working so that I never have to go through so much painful effort again…
What’s perhaps so bad about this is that it’s really not that hard, but the hosting company’s documentation (vs the actual execution) could be simpler.
Easy Part: Generating a Private Key & the CSR
As long as you have a Linux (or maybe a Mac) machine handy, this should be trivial to do. 1. Run the following command to generate a private key:
sudo openssl genrsa --out [YOUR_DOMAIN.TLD].key 2048
You’ll want to replace “[YOUR_DOMAIN.TLD]” with your actual domain name. So I would do:
sudo openssl genrsa --out learningtotest.com.key 2048
2. With the private key created, we need to generate the certificate signing request (CSR) with this command:
sudo openssl req --new --key [YOUR_DOMAIN.TLD].key --out [YOUR_DOMAIN.TLD].csr
Again, replacing [YOUR_DOMAIN.TLD] with your actual domain name–at the very least so that it matches the private key file that you created with the first command is imperative! So mine would become:
sudo openssl req --new --key learningtotest.com.key --out learningtotest.com.csr
3. Fill all of the prompts (but it’s OK to leave the passphrase blank) to finish generating the CSR.
4. View the contents of the CSR file so you can copy’n’paste it in your webhost’s site. (Hold on to both files because we will need the key file again later!)
The Tricky Part: Validating the Domain
Part of this process requires proving that you own the domain that you are generating the SSL cert for. There are are a few ways this can be done. Two of them are:
- Add a CNAME record to your DNS entries (this is most likely the default).
- Receive a code via email.
You really want to do the email validation because the DNS entry can be very hit-or-miss (mostly miss). Usually the email is sent to admin@[YOUR_DOMAIN.TLD] so obviously this account (or email alias 😉 ) needs to already exist.
From there you follow the instructions in the email (usually click a link & provide a code contained in the email). This will most likely result in a second email being sent which contains a ZIP file with certificate & CA bundle text files.
Coming Down The Home Stretch
You have everything you need to complete the certificate installation. Login to your WordPress host & navigate to the SSL certificate page.
Select Custom SSL certificate, then in each of the 3 fields, either copy’n’paste or upload the following 3 files:
- Private key (
learningtotest.com.key
)
- SSL certificate (
learningtotest.com.crt
)
- CA Bundle (
learningtotest.com.ca_bundle
)
And assuming that you do not get any errors here (the most likely being that your private key is incorrect), you can click on the Change or Submit button.
Congratulations, your site is good to go for another year!