Obtaining a Commercial SSL Certificate

Description: How to prepare and submit a request for a commercially-signed SSL certificate.
Keywords: openssl, commercial ssl cert, apache ssl, ssl linux
Published: Monday, November 16th, 2009
Modified: Wednesday, August 17th, 2016
Modified by: Nick Brewer
External resources: OpenSSL Documentation


This guide has been split into two guides, for Debian & Ubuntu and CentOS & Fedora.

These instructions will show you how to install a commercial SSL certificate on your Linode. As SSL certificates can be used by many kinds of software, the steps provided are generic in nature. If you intend to use your SSL certificate on a website powered by Apache, you can continue to our Apache SSL guides for Debian & Ubuntu or CentOS once you've completed the process outlined here.

For an SSL setup with Nginx, please start with our Nginx and SSL guide.

If you are hosting multiple websites with commercial SSL certificates on the same IP address, use the Server Name Indication (SNI) extension of TLS. SNI is supported by most modern web browsers. If you expect to receive connections from clients running legacy browsers (like Internet Explorer for Windows XP), you will need to contact support to request an additional IP address.

Install OpenSSL

Issue the following commands to install required packages for OpenSSL, the open source SSL toolkit.

Debian/Ubuntu users:

apt-get update && apt-get upgrade
apt-get install openssl
mkdir /etc/ssl/localcerts

CentOS/Fedora users:

yum update
yum install openssl
mkdir /etc/ssl/localcerts

Create a Certificate Signing Request

Issue the following commands to navigate to the /etc/ssl/localcerts directory and create a certificate signing request (CSR) for the site that will be using SSL. In the file names below, example.com is a placeholder: change it to reflect the fully qualified domain name (FQDN) or IP of the site you'll be using SSL with. Leave the challenge password blank. Note that in this example, we entered 365 for the days parameter, as we would be paying for one year of SSL certificate verification from a commercial certificate authority (CA):

cd /etc/ssl/localcerts
openssl req -new -newkey rsa:2048 -nodes -sha256 -days 365 -keyout example.com.key -out example.com.csr

After the first command changes directories, the second command creates a .csr and a .key file under the /etc/ssl/localcerts directory using these options:

  • -nodes instructs OpenSSL to write the private key without passphrase protection. If this option is excluded, you will be required to enter the passphrase in the console each time the application using it is restarted.

  • -days determines the length of time in days that the certificate is being issued for. We entered 365 for the days parameter to the command, as we would be paying for one year of SSL certificate verification from a commercial certificate authority (CA).

  • rsa: allows you to specify the size of the RSA key. In this case we've chosen 2048 bits as this is the recommended minimum size.

  • -sha256 ensures that the certificate request is generated using 256-bit SHA (Secure Hash Algorithm).

Here are the values we entered for our example certificate. Note that you can ignore the extra attributes.

Generating a 2048 bit RSA private key
writing new private key to ''
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
Country Name (2 letter code) [AU]:US
State or Province Name (full name) [Some-State]:New Jersey
Locality Name (eg, city) []:Absecon
Organization Name (eg, company) [Internet Widgits Pty Ltd]:MyDomain, LLC
Organizational Unit Name (eg, section) []:Web Services
Common Name (eg, YOUR name) []
Email Address []

Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:
An optional company name []:

Execute the following command to protect the key (example.com.key is a placeholder for the name of your .key file):

chmod 400 /etc/ssl/localcerts/example.com.key

Files for your domain will be created in /etc/ssl/localcerts. You may now submit the file ending in .csr to a commercial SSL provider for signing. You will receive a signed file after the CA signs the request. Save this file in /etc/ssl/localcerts/ under a name matching your domain; the command below uses example.com.crt as a placeholder.

Execute the following command to protect the signed certificate:

chmod 400 /etc/ssl/localcerts/example.com.crt
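
The checks worth running around this procedure, as an added example that is not part of the original guide: confirm the CSR's self-signature before submitting it, then confirm that the key, the CSR and the returned certificate all carry the same public key and that the key is owner-read-only. The example.com file names, the function names and the self-signed stand-in for the CA's reply are assumptions made so the script runs offline.

```shell
# Added example (not from the original guide). example.com.* are placeholder names.

# SHA-256 digest of the public key held in a key, CSR or certificate file.
pubkey_digest() {
    case "$1" in
        key) pub=$(openssl pkey -in "$2" -pubout 2>/dev/null) ;;
        csr) pub=$(openssl req -in "$2" -noout -pubkey 2>/dev/null) ;;
        crt) pub=$(openssl x509 -in "$2" -noout -pubkey 2>/dev/null) ;;
        *)   return 2 ;;
    esac || return 1
    [ -n "$pub" ] || return 1
    printf '%s\n' "$pub" | openssl dgst -sha256 | awk '{print $NF}'
}

# Succeeds only if the CSR (and the certificate, when given) carry the key's public half.
files_match() {
    k=$(pubkey_digest key "$1") || return 1
    c=$(pubkey_digest csr "$2") || return 1
    [ "$k" = "$c" ] || return 1
    [ -z "${3:-}" ] && return 0
    [ "$k" = "$(pubkey_digest crt "$3")" ]
}

# The CSR is self-signed by its key; confirm it was not damaged before submission.
csr_signature_ok() {
    openssl req -in "$1" -noout -verify 2>&1 | grep -q "verify OK"
}

# True when the file is readable by its owner only (the result of chmod 400).
owner_read_only() {
    [ "$(ls -l "$1" | cut -c1-10)" = "-r--------" ]
}

# Build constructed sample files in directory $1 so the checks run offline.
make_demo() {
    openssl req -new -newkey rsa:2048 -nodes -sha256 -subj "/CN=example.com" \
        -keyout "$1/example.com.key" -out "$1/example.com.csr" 2>/dev/null &&
    chmod 400 "$1/example.com.key" &&
    # Stand-in for the CA's reply: the same CSR signed with its own key.
    openssl x509 -req -in "$1/example.com.csr" -signkey "$1/example.com.key" \
        -days 365 -out "$1/example.com.crt" 2>/dev/null &&
    openssl genrsa -out "$1/other.key" 2048 2>/dev/null   # unrelated key
}

if [ "${1:-}" = "demo" ]; then
    d=$(mktemp -d) && make_demo "$d" && csr_signature_ok "$d/example.com.csr" &&
    files_match "$d/example.com.key" "$d/example.com.csr" "$d/example.com.crt" &&
    owner_read_only "$d/example.com.key" && echo "all checks passed"; rm -rf "$d"
fi
```

Run the script with the argument demo to exercise the checks on generated sample files, or source it and call files_match with the paths of your own key, CSR and signed certificate.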

Get the CA Root Certificate

Most modern distributions come with common root CA certificates installed as part of the "ca-certificates" package. To check if this package is installed, you can run this command:

Debian/Ubuntu users:

apt-cache policy ca-certificates

CentOS/Fedora users:

yum list installed ca-certificates

The "ca-certificates" package comes with a bundle of root certs that can be used with commonly accepted certificate authorities. The specific location of the bundle varies depending upon the distribution:





If you're using an older distribution that does not have the "ca-certificates" package, you will need to download your root certificate from the CA that issued it. Some of the most common commercial certificate authorities are listed below:

Once you've downloaded your root certificate, you can add it to the /etc/ssl/localcerts directory. For example, if you were to download a root certificate for Verisign, you would save it to /etc/ssl/localcerts/verisign.cer.