In today's security-conscious web environment, SSL/TLS certificates aren't optional—they're essential. Modern browsers flag HTTP websites as "Not Secure," Google penalizes them in search rankings, and users increasingly refuse to enter personal information on unencrypted sites.
This comprehensive guide walks you through the entire process of creating and installing an SSL certificate for your website, from generating a Certificate Signing Request (CSR) to choosing the right Certificate Authority and completing installation on your web server.
Understanding the SSL Certificate Lifecycle
Before diving into the technical steps, it's helpful to understand the overall process:
- Generate a key pair: Create a public/private key pair on your server
- Create a CSR: Generate a Certificate Signing Request containing your public key and identifying information
- Submit to a CA: Send the CSR to a Certificate Authority (Let's Encrypt, DigiCert, Sectigo, etc.)
- Domain validation: Prove you control the domain through email, DNS, or HTTP verification
- Receive certificate: The CA signs your public key and returns a certificate
- Install certificate: Configure your web server to use the certificate and private key
- Configure HTTPS: Update your website to use HTTPS and redirect HTTP traffic
Let's explore each step in detail.
Step 1: Choose a Certificate Authority
Your first decision is which Certificate Authority (CA) will sign your certificate. This isn't a purely technical decision—different CAs offer different levels of validation, support, warranties, and trust.
Free Options:
Let's Encrypt is the most popular free CA, providing automated certificate issuance and renewal. Certificates are valid for 90 days and include Domain Validation (DV) only. Let's Encrypt is perfect for:
- Personal websites and blogs
- Development and staging environments
- Small business websites
- Open source projects
ZeroSSL is another free CA offering longer validity periods (90 days) with a simpler interface than Let's Encrypt. Good for users who want free certificates without command-line automation.
Commercial Options:
DigiCert is the premium CA choice, offering Organization Validation (OV) and Extended Validation (EV) certificates with warranties up to $2 million. DigiCert provides:
- Multi-year certificates (1-2 years)
- Phone support and account management
- Insurance warranties for liability
- Recognized by 99.9% of browsers
Sectigo (formerly Comodo) offers affordable commercial certificates with OV and EV options. Good middle-ground between free and premium CAs.
GlobalSign provides enterprise-focused certificates with specialized options for code signing, document signing, and IoT devices.
Validation Levels:
Domain Validation (DV): Verifies you control the domain. Issued in minutes. Shows padlock icon only. Used by Let's Encrypt and entry-level commercial certificates.
Organization Validation (OV): Verifies domain control plus organization identity (legal business name, address). Takes 1-3 days. Shows organization name when clicking the padlock.
Extended Validation (EV): Highest validation level with thorough business vetting. Takes 3-7 days. Shows organization name prominently in browser address bar on some browsers.
Recommendation: For most websites, Let's Encrypt (free) or a commercial DV certificate provides adequate security. OV/EV certificates are useful for e-commerce sites, financial institutions, or when building customer trust is paramount.
Step 2: Generate a Private Key and CSR
A Certificate Signing Request (CSR) contains your public key and identifying information that the CA will sign. But first, you need a private key.
Using OpenSSL (Linux/macOS):
For RSA-2048 (widely compatible):
openssl genrsa -out private.key 2048
openssl req -new -key private.key -out request.csr
For RSA-4096 (more secure, slightly slower):
openssl genrsa -out private.key 4096
openssl req -new -key private.key -out request.csr
For ECDSA P-256 (modern, efficient):
openssl ecparam -genkey -name prime256v1 -out private.key
openssl req -new -key private.key -out request.csr
What Information to Include:
When generating a CSR, you'll be prompted for several fields:
- Common Name (CN): Your domain name (e.g.,
www.example.comorexample.com) - Organization (O): Your legal company name (required for OV/EV, optional for DV)
- Organizational Unit (OU): Department name like "IT" or "Web Services" (optional)
- City/Locality (L): City where your organization is located
- State/Province (ST): Full state name, not abbreviation
- Country (C): Two-letter country code (e.g., US, GB, CA)
- Email Address: Contact email (optional)
Critical: The Common Name (CN) must match the domain exactly. For www.example.com, use that; for example.com, use that. Many CAs offer multi-domain certificates that work for both.
Subject Alternative Names (SANs):
Modern certificates use SANs to secure multiple domains/subdomains:
example.comwww.example.commail.example.comapp.example.com
Most commercial CAs allow 3-5 SANs by default. Let's Encrypt supports up to 100 SANs per certificate.
Using Web-Based Tools:
If you prefer a graphical interface, you can use web-based CSR generators. These tools run entirely in your browser for security, generating the private key and CSR locally without uploading any data to a server.
After generation, save both files securely:
private.key- Never share this filerequest.csr- Submit this to the CA
Step 3: Submit Your CSR to the Certificate Authority
The submission process varies by CA, but generally follows this pattern:
For Let's Encrypt (using Certbot):
Certbot automates the entire process, generating keys, CSRs, handling validation, and installing certificates:
# Install Certbot
sudo apt install certbot python3-certbot-nginx # For Nginx
sudo apt install certbot python3-certbot-apache # For Apache
# Generate and install certificate
sudo certbot --nginx -d example.com -d www.example.com
# or
sudo certbot --apache -d example.com -d www.example.com
Certbot handles everything automatically, including domain validation and web server configuration.
For Commercial CAs:
- Create an account on the CA's website
- Choose certificate type (DV/OV/EV, single domain/wildcard/multi-domain)
- Paste your CSR into the order form
- Complete validation (see next step)
- Receive certificate via email or download from account dashboard
What the CA Does:
When you submit a CSR, the CA:
- Extracts your public key and domain information
- Verifies you control the domain (validation process)
- Signs your public key with their private key
- Creates a certificate containing your public key + their signature
- Returns the certificate to you
The CA's signature is what makes your certificate trusted. Browsers come pre-installed with trusted root CA certificates, creating a "chain of trust."
Step 4: Complete Domain Validation
Before issuing a certificate, the CA must verify you control the domain. There are three common validation methods:
HTTP Validation (HTTP-01 Challenge):
The CA provides a random token that you must serve at a specific URL:
http://example.com/.well-known/acme-challenge/[random-token]
Upload the token file to your web server at that path. The CA retrieves it to verify control. This method:
- Works for single domains only (not wildcards)
- Requires port 80 to be open and accessible
- Is fully automated with Certbot
DNS Validation (DNS-01 Challenge):
The CA provides a random value that you add as a TXT record to your DNS zone:
_acme-challenge.example.com. TXT "random-validation-string"
Add this record in your DNS provider's control panel. The CA queries DNS to verify. This method:
- Works for wildcard certificates (
*.example.com) - Works when port 80/443 isn't accessible
- Can be automated with DNS provider APIs
- Takes longer due to DNS propagation delays
Email Validation:
The CA sends a validation email to one of these addresses:
Click the link in the email to validate. This method:
- Is simple and requires no technical setup
- Works when you don't have server access yet
- Is not available for Let's Encrypt
Organization Validation (OV) and Extended Validation (EV):
These require additional verification beyond domain control:
- Business registration documents
- Phone verification with the organization
- Dun & Bradstreet or other business database verification
- Legal opinion letters (for EV)
The process takes 1-7 days depending on validation level and how quickly you provide documents.
Step 5: Download and Install Your Certificate
Once validation is complete, the CA provides your signed certificate.
What You'll Receive:
- Server Certificate: Your signed certificate (e.g.,
certificate.crt) - Intermediate Certificate(s): CA's intermediate certificate(s) (e.g.,
intermediate.crt) - Root Certificate: CA's root certificate (usually not needed—browsers have it)
Certificate Chain:
Browsers need to see the complete chain from your certificate up to a trusted root:
Your Certificate
↓ (signed by)
Intermediate Certificate
↓ (signed by)
Root Certificate (in browser's trust store)
Most CAs provide a "certificate bundle" or "full chain" file containing your certificate and all intermediates.
Installing on Apache (Linux):
- Copy files to your server:
sudo cp certificate.crt /etc/ssl/certs/
sudo cp private.key /etc/ssl/private/
sudo cp intermediate.crt /etc/ssl/certs/
- Set proper permissions:
sudo chmod 600 /etc/ssl/private/private.key
sudo chmod 644 /etc/ssl/certs/certificate.crt
- Configure Apache virtual host:
<VirtualHost *:443>
ServerName example.com
ServerAlias www.example.com
SSLEngine on
SSLCertificateFile /etc/ssl/certs/certificate.crt
SSLCertificateKeyFile /etc/ssl/private/private.key
SSLCertificateChainFile /etc/ssl/certs/intermediate.crt
# Other configuration...
</VirtualHost>
- Restart Apache:
sudo systemctl restart apache2
Installing on Nginx (Linux):
- Concatenate certificate and chain:
cat certificate.crt intermediate.crt > fullchain.pem
- Copy files:
sudo cp fullchain.pem /etc/nginx/ssl/
sudo cp private.key /etc/nginx/ssl/
sudo chmod 600 /etc/nginx/ssl/private.key
- Configure Nginx server block:
server {
listen 443 ssl;
server_name example.com www.example.com;
ssl_certificate /etc/nginx/ssl/fullchain.pem;
ssl_certificate_key /etc/nginx/ssl/private.key;
# Other configuration...
}
- Restart Nginx:
sudo systemctl restart nginx
Installing on Windows IIS:
-
Convert to PFX format (if not already):
- Use a certificate tool to combine certificate + private key + chain into a
.pfxfile - Protect with a strong password
- Use a certificate tool to combine certificate + private key + chain into a
-
Import certificate:
- Open IIS Manager
- Select server name → Server Certificates
- Right-click → Import
- Browse to
.pfxfile, enter password
-
Bind to website:
- Select your website → Bindings
- Add new binding: Type = https, Port = 443
- Select your SSL certificate
- Click OK
Installing on Cloud Platforms:
AWS (Certificate Manager):
aws acm import-certificate \
--certificate fileb://certificate.crt \
--certificate-chain fileb://intermediate.crt \
--private-key fileb://private.key
Google Cloud:
gcloud compute ssl-certificates create example-cert \
--certificate=certificate.crt \
--private-key=private.key
Azure (App Service):
Upload .pfx file through Azure Portal → App Service → TLS/SSL settings → Private Key Certificates.
Step 6: Configure HTTPS and Security Headers
Installing the certificate is only the beginning. You need to configure your server for optimal security:
Redirect HTTP to HTTPS:
All HTTP traffic should redirect to HTTPS to ensure encrypted connections.
Apache:
<VirtualHost *:80>
ServerName example.com
Redirect permanent / https://example.com/
</VirtualHost>
Nginx:
server {
listen 80;
server_name example.com www.example.com;
return 301 https://$server_name$request_uri;
}
Enable HSTS (HTTP Strict Transport Security):
HSTS tells browsers to always use HTTPS, preventing man-in-the-middle attacks:
Apache:
Header always set Strict-Transport-Security "max-age=63072000; includeSubDomains; preload"
Nginx:
add_header Strict-Transport-Security "max-age=63072000; includeSubDomains; preload" always;
Modern TLS Configuration:
Use only TLS 1.2 and 1.3, disable older versions:
Apache:
SSLProtocol -all +TLSv1.2 +TLSv1.3
SSLCipherSuite TLS_AES_128_GCM_SHA256:TLS_AES_256_GCM_SHA384:ECDHE-RSA-AES128-GCM-SHA256
Nginx:
ssl_protocols TLSv1.2 TLSv1.3;
ssl_ciphers 'TLS_AES_128_GCM_SHA256:TLS_AES_256_GCM_SHA384:ECDHE-RSA-AES128-GCM-SHA256';
ssl_prefer_server_ciphers on;
Step 7: Test and Monitor
After installation, thorough testing is essential:
SSL Labs Test: Visit SSL Labs Server Test and enter your domain. Aim for an A+ rating.
Browser Testing: Test in Chrome, Firefox, Safari, and Edge. Verify:
- Green padlock appears
- Certificate details show correct domain
- No mixed content warnings
Certificate Monitoring: Set up monitoring to alert you before expiration:
- Let's Encrypt: 90-day validity, auto-renewal at 60 days
- Commercial: 1-2 year validity, renewal 30 days before expiration
Common Issues:
Mixed Content: Some resources (images, scripts, CSS) load over HTTP. Update all URLs to HTTPS or use protocol-relative URLs (//example.com/script.js).
Incomplete Chain: Missing intermediate certificate causes errors in some browsers. Always include the full chain.
Certificate Name Mismatch: Certificate CN doesn't match the domain in the URL. Ensure SANs cover all domains/subdomains.
Conclusion
Creating an SSL certificate for your website involves generating a CSR, submitting it to a Certificate Authority, completing domain validation, and installing the signed certificate on your web server. While the process has multiple steps, tools like Let's Encrypt and Certbot have automated much of the complexity.
Key Takeaways:
- Choose the right CA for your needs (Let's Encrypt for free/automated, commercial for OV/EV)
- Generate a strong key pair (RSA-2048 minimum, RSA-4096 or ECDSA P-256 preferred)
- Include all necessary domains in SANs
- Always install the complete certificate chain
- Configure HTTPS redirects and security headers
- Monitor for expiration and renew on time
Ready to generate your Certificate Signing Request? Use our Certificate CSR Generator & Format Converter tool for secure, client-side CSR generation and certificate format conversion.