First-time buyers of an SSL certificate are often curious about what needs to be done before and after an SSL/TLS certificate is issued. Here are the details.
The customer is required to generate a CSR (Certificate Signing Request) file on the server where they intend to install the certificate. The steps to generate a CSR vary by web server and are easily found on various websites. While generating the CSR, the customer needs to specify the Common Name (usually a URL, server name or IP address), Organization Name, Organizational Unit, Locality (city), State (province) and the two-letter ISO country code. One also needs to specify the certificate period (usually in years), hash algorithm (usually SHA-256), key size (usually 2048 bits) and encryption algorithm (usually RSA). For a multi-domain SSL certificate, SAN (Subject Alternative Name) values need to be specified; they can also be shared separately with the issuer if they are not included in the CSR.
A CSR is usually a tiny text file (usually about 2 KB in size) that begins with the words “Begin New Certificate Request” and ends with “End New Certificate Request”. In between you will see a long block of what looks like gibberish (the Base64-encoded request).
Once the CSR file is generated, it is shared with the Certificate Provider for enrollment of the certificate.
Technical Note: When the CSR is generated on the server, a Private Key (also a tiny file) is generated on that server. It is important to install the issued SSL certificate on the same server, because during installation the server checks for the existence of this Private Key and verifies that the certificate matches it. If no match is found, the certificate fails to install. Sometimes the Certificate Provider generates the CSR file itself from the Common Name, Organization Name, etc. supplied by the buyer. In that case the Private Key is shared with the buyer at issuance by embedding it, together with the certificate, in a PFX file. As a matter of good business practice this should not be done: the buyer should generate the CSR on their own servers so that the Private Key never leaves their premises.
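As an added illustration that is not part of the original post: the openssl commands below generate the Private Key and a CSR carrying the fields just described (subject, SAN list, SHA-256, 2048-bit RSA), and then perform the key-to-certificate match that the note above refers to. The host name, organization details and the locally self-signed stand-in for the provider-issued certificate are all constructed for the example.

```shell
# Added example, not from the original post: generate a private key and a CSR
# carrying the fields the post lists (subject, SAN, SHA-256, 2048-bit RSA), then
# run the private-key/certificate match check that installation depends on.
# All values (example.test, "Example Org", the paths) are constructed samples.
set -eu
WORK="$(mktemp -d)"
CN="www.example.test"

# Generate the Private Key on this host, then a SHA-256 signed CSR from it using
# a request config that carries the subject fields and the multi-domain SAN list.
make_csr() {
  cat > "$WORK/req.cnf" <<EOF
[req]
prompt = no
distinguished_name = dn
req_extensions = ext
[dn]
C  = US
ST = California
L  = San Jose
O  = Example Org
OU = IT
CN = $CN
[ext]
subjectAltName = DNS:$CN, DNS:example.test
EOF
  openssl genpkey -algorithm RSA -pkeyopt rsa_keygen_bits:2048 -out "$WORK/server.key" 2>/dev/null
  openssl req -new -sha256 -key "$WORK/server.key" -config "$WORK/req.cnf" -out "$WORK/server.csr"
  # Before sending it off: check the CSR's own signature and that the SAN made it in.
  openssl req -in "$WORK/server.csr" -noout -verify -text 2>/dev/null | grep -q "DNS:$CN"
}

# Stand-in for the Certificate Provider issuing the certificate: self-sign the CSR.
issue_stand_in_cert() {
  openssl x509 -req -days 365 -in "$WORK/server.csr" -signkey "$WORK/server.key" \
    -out "$WORK/server.crt" 2>/dev/null
}

# Succeeds only if the certificate carries the public half of the given Private Key,
# i.e. the match the server checks before it will install the certificate.
key_matches_cert() {
  [ "$(openssl pkey -in "$1" -pubout 2>/dev/null)" = "$(openssl x509 -in "$2" -noout -pubkey)" ]
}

make_csr && issue_stand_in_cert
key_matches_cert "$WORK/server.key" "$WORK/server.crt" && echo "server.key matches server.crt"
# A key generated on some other server does not match: installation would fail.
openssl genpkey -algorithm RSA -pkeyopt rsa_keygen_bits:2048 -out "$WORK/other.key" 2>/dev/null
key_matches_cert "$WORK/other.key" "$WORK/server.crt" || echo "other.key does not match server.crt"
```

A CSR written by openssl is delimited by “BEGIN CERTIFICATE REQUEST” / “END CERTIFICATE REQUEST”; the “New Certificate Request” wording described above is what Windows/IIS writes, and both are the same Base64-encoded structure.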
Verification and Approval
Once the CSR is shared with the Certificate Provider, it is enrolled into the provider's system. If any mistakes are found in the CSR during enrollment, the customer is informed and a new CSR is requested. Sometimes the Certificate Provider modifies values in the CSR after informing the customer, or without informing them at all. Then, depending on the type of certificate, various verification checks are performed. For public-facing websites, some form of third-party verification is done by phone, by asking for certain documents, or against publicly available information on websites. For an intranet certificate, basic checks are done for the existence of the organization before approval. Upon successful verification, the SSL certificate is approved for issuance.
Once approved, the Certificate Provider issues the SSL certificate to the customer. It is usually provided in the form of a file (.cer, .p7b or .pfx format). It needs to be installed on the server where the CSR was generated. Installation of the certificate takes a few minutes.
There are times when an SSL certificate needs to be ‘revoked’. This happens when the certificate's Private Key is compromised (lost or stolen), when the Common Name changes, when a new certificate has been issued and the old one is no longer required, or when the customer wants to limit the certificate's validity period.
In such a case the customer asks the Certificate Provider to revoke the SSL certificate. Upon receipt of the request, and after some checks, the Certificate Provider ‘revokes’ the certificate in its system. Revocation essentially invalidates the issued SSL certificate, so it no longer provides a trusted https connection. Sometimes the Certificate Provider revokes an SSL certificate on its own initiative if the customer is found to violate the terms and conditions of the SSL certificate subscriber agreement.
One can renew an SSL certificate some days in advance of its expiry. When renewal is done early, the Certificate Provider extends the validity period so that the customer does not lose the remaining validity of the current certificate. The renewal process is usually the same as issuance of a new SSL certificate: the customer needs to generate a CSR file and give it to the Certificate Provider.
In case of any questions, please post comments below.