I have several new web projects coming up that led me down the path of purchasing a wildcard SSL certificate recently. I have helped several customers do this in the past and it has always been a rather straightforward process. This time, there were a few additional complications because the legal entity that my company operates under has only been around for 9 months. We have been in business for 6 years now, but a structure change last year involved creating a new legal entity.
The level of scrutiny that you will be subjected to in your purchase is first determined by the certificate that you intend to purchase. Personally, I have always used DigiCert.com for all of my SSL needs. They are not the least expensive, but they have been nothing but great to work with. The only challenge that I’ve ever had was the scrutiny that I went through to purchase my wildcard cert, but this is a good thing. It means that they were doing their job to make sure that my company was real. My issues were related to not updating my Google for Business entry or having other 3rd party organizations that had my legal business address, not my mailing address that is a PO Box.
They have Basic SSL, Business SSL, Code Signing, and Document Signing certificates. In several of these categories, there are different levels that must go through more thorough validation. I elected for the Basic SSL Wildcard because I have several projects that I'm working on and will need to secure multiple websites. The breakeven on pricing is four certificates: if you plan to secure four or more sites, it is less expensive to purchase the wildcard than individual certificates for each site.
One of the projects that I was working on was installing, configuring, and securing PassCore for password self-service of Microsoft Active Directory accounts. This application runs on IIS running on a Microsoft Windows server. I chose Server 2016 Standard, but the process is similar to others. IIS has a mechanism for generating a Certificate Signing Request (CSR), but I ran into issues embedding the private key in a way that made this certificate usable on another IIS server. As a result, I used one of my Linux servers for the process and found it to be easy and straightforward.
I will use my own domain name *.sps-k12.com as an example of how to complete this process, but the file examples are fake.
First, we need to generate a private key file. This can be done with the following command:
openssl genrsa -out star_sps-k12_com.key 2048
Make sure that you know what directory you are in. Also, be VERY careful with this file. This is the private key, which allows whoever holds it to decrypt traffic encrypted with your certificate. This is literally the key to your data, so you must protect it appropriately. The resulting file will look like this:
Next, we need to generate a CSR from that private key to submit to our certificate authority (CA) when actually making the certificate purchase. The command reads the existing key with -key rather than generating a new one with -newkey, so the CSR matches the key file we just created:
openssl req -new -key star_sps-k12_com.key -out star_sps-k12_com.csr
The CSR will be copied and pasted into a form provided by your CA, such as DigiCert. This triggers them to generate the certificate, but only after the validation has been completed. The contents of the CSR file will look like this:
The validation process may be as simple as an email to email@example.com, or it can require a phone call and confirmation that the business address actually exists. If email validation is all that was necessary, you will get a link to complete the validation, followed shortly after by an email that your certificate has been generated and is ready to download. I received a bundle.crt, but because I was working with an IIS application, I needed the certificate in PFX format. In order to build a PFX file, you need several things: your certificate, any and all intermediate certificates, AND the private key that you created at the beginning of this process.
That means that I had to get the contents of my bundle.crt file back over to my Linux server for more work. DigiCert provided two intermediate certificates. Note that openssl pkcs12 only honours the last -in option it sees, so passing each certificate with its own -in would silently produce a PFX containing only the site certificate and no chain; the intermediates have to be concatenated into one file and supplied with -certfile. My commands were these:
cat OV_UserTrustRSACertificationAuthority.crt OV_NetworkSolutionsOVServerCA2.crt > intermediates.crt
openssl pkcs12 -export -out star_sps-k12_com.pfx -inkey star_sps-k12_com.key -in star_sps-k12_com.crt -certfile intermediates.crt
You will be prompted to enter a password because this file contains your private key. Make sure that you remember to secure this password; the file will not be usable if you don't have it. The resulting file, star_sps-k12_com.pfx, can then be imported into IIS to secure your site.
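The whole key, CSR and PFX procedure end to end, as an added example that is not part of the original post and not DigiCert's or Microsoft's tooling. It generates the key and CSR exactly as above, stands in a throwaway local CA (a self-signed root plus one intermediate) for DigiCert so it runs offline, builds the PFX with the intermediate included, and then checks the result the way you would want to before handing the file to IIS: that the CSR really carries this key's public half, how many certificates ended up inside the PFX, and whether the site certificate chains to the root using only what the PFX contains. File names follow the post; the organization name, the test CA names and the PFX password are constructed placeholders. It needs OpenSSL 1.1.1 or newer and runs under POSIX sh.

```shell
#!/bin/sh
# Added example, not from the original post: key -> CSR -> signed cert -> PFX,
# with a throwaway local CA (root + one intermediate) standing in for DigiCert.
# Constructed placeholders: the O= values, the test CA names, PFX_PASS.
# Needs OpenSSL 1.1.1 or newer; POSIX sh is enough.
set -eu

WORK="${WORK:-$(mktemp -d)}"
DOMAIN="sps-k12.com"
NAME="star_sps-k12_com"                        # file prefix used in the post
PFX_PASS="${PFX_PASS:-constructed-example-pw}" # placeholder; pick a real secret

# Minimal req config so behaviour does not depend on the system openssl.cnf.
# The [dn] entry is unused because every call below passes -subj explicitly.
cat > "$WORK/req.cnf" <<'EOF'
[req]
distinguished_name = dn
prompt = no
[dn]
CN = unused-placeholder
EOF

# Step 1: the private key. umask 077 keeps it owner-readable from the first byte.
gen_key() {
  ( umask 077; openssl genrsa -out "$WORK/$NAME.key" 2048 2>/dev/null )
}

# Step 2: CSR from the EXISTING key (-new -key). Using -newkey/-keyout here
# would silently replace the key from step 1. The wildcard goes in the CN and,
# because browsers ignore the CN, in a subjectAltName as well.
gen_csr() {
  openssl req -new -config "$WORK/req.cnf" -key "$WORK/$NAME.key" \
    -subj "/O=Example School District/CN=*.$DOMAIN" \
    -addext "subjectAltName=DNS:*.$DOMAIN,DNS:$DOMAIN" \
    -out "$WORK/$NAME.csr"
}

# Check before submitting: the CSR must carry the public half of this key file.
key_matches_csr() {
  k=$(openssl pkey -in "$WORK/$NAME.key" -pubout 2>/dev/null | openssl sha256)
  c=$(openssl req -in "$WORK/$NAME.csr" -pubkey -noout | openssl sha256)
  [ "$k" = "$c" ] && echo match || echo mismatch
}

# Stand-in for the public CA: self-signed root, intermediate signed by it.
make_test_ca() {
  printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign,cRLSign\n' \
    > "$WORK/ca.ext"
  openssl req -x509 -config "$WORK/req.cnf" -newkey rsa:2048 -nodes -days 3 \
    -subj "/O=Test Root CA/CN=Test Root CA" -addext "basicConstraints=critical,CA:TRUE" \
    -keyout "$WORK/root.key" -out "$WORK/root.crt" 2>/dev/null
  openssl req -new -config "$WORK/req.cnf" -newkey rsa:2048 -nodes \
    -subj "/O=Test Root CA/CN=Test Intermediate CA" \
    -keyout "$WORK/inter.key" -out "$WORK/inter.csr" 2>/dev/null
  openssl x509 -req -in "$WORK/inter.csr" -CA "$WORK/root.crt" -CAkey "$WORK/root.key" \
    -CAcreateserial -days 3 -extfile "$WORK/ca.ext" -out "$WORK/inter.crt" 2>/dev/null
}

# Step 3 (the CA's job in real life): sign the CSR. The SAN is restated in the
# extension file because older "openssl x509 -req" does not copy it from the CSR.
sign_leaf() {
  printf 'subjectAltName=DNS:*.%s,DNS:%s\nbasicConstraints=CA:FALSE\nextendedKeyUsage=serverAuth\n' \
    "$DOMAIN" "$DOMAIN" > "$WORK/leaf.ext"
  openssl x509 -req -in "$WORK/$NAME.csr" -CA "$WORK/inter.crt" -CAkey "$WORK/inter.key" \
    -CAcreateserial -days 3 -extfile "$WORK/leaf.ext" -out "$WORK/$NAME.crt" 2>/dev/null
}

# Step 4: the PFX. openssl honours only the LAST -in, so the intermediates are
# concatenated into one file and passed with -certfile, never as extra -in flags.
build_pfx() {
  cat "$WORK/inter.crt" > "$WORK/intermediates.crt"   # DigiCert's two would both go here
  ( umask 077; openssl pkcs12 -export -out "$WORK/$NAME.pfx" \
      -inkey "$WORK/$NAME.key" -in "$WORK/$NAME.crt" \
      -certfile "$WORK/intermediates.crt" -passout "pass:$PFX_PASS" )
}

# Checks before the PFX goes anywhere near IIS: how many certificates it holds
# (leaf + intermediate = 2) and whether the leaf chains to the root using only
# what is inside the PFX.
pfx_cert_count() {
  openssl pkcs12 -in "$WORK/$NAME.pfx" -nokeys -passin "pass:$PFX_PASS" 2>/dev/null \
    | grep -c 'BEGIN CERTIFICATE'
}
pfx_chain_ok() {
  openssl pkcs12 -in "$WORK/$NAME.pfx" -nokeys -passin "pass:$PFX_PASS" 2>/dev/null \
    > "$WORK/from_pfx.pem"
  if openssl verify -CAfile "$WORK/root.crt" -untrusted "$WORK/from_pfx.pem" \
       "$WORK/$NAME.crt" >/dev/null 2>&1; then echo ok; else echo broken; fi
}

run_all() { gen_key; gen_csr; make_test_ca; sign_leaf; build_pfx; }

run_all
echo "key/CSR: $(key_matches_csr)  certs in PFX: $(pfx_cert_count)  chain: $(pfx_chain_ok)"
echo "artifacts left in $WORK"
```

One caveat for the Server 2016 case in this post: a PFX written by OpenSSL 3.x uses AES-256 with PBKDF2 by default, which Windows Server 2016 and older releases cannot import (the import wizard reports a wrong password). Adding -keypbe PBE-SHA1-3DES -certpbe PBE-SHA1-3DES -macalg sha1 to the pkcs12 -export command produces the older format those versions accept; the chain check above works the same either way.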
To see that process, stay tuned for our next blog post. If you need help before then, please feel free to reach out.