TL;DR
This guide explains how to request an SSL certificate from your client for secure website connections (HTTPS). It covers what you need to ask for, common methods like CSR generation, and basic validation steps.
1. Understand What You Need
An SSL/TLS certificate encrypts data between a user’s browser and your web server. You can’t install one without information *from* the client if they own the domain. Here’s what you typically need:
- Domain Name: The exact address (e.g., example.com, www.example.com).
- Certificate Signing Request (CSR): A text file containing information about your server and organisation. This is the most common way to get the necessary details.
- Administrative Contact Details: Name, email address, and phone number of someone who can approve the certificate request.
Sometimes, clients will have already purchased a certificate; in that case, you’ll need the certificate file itself (usually .crt or .pem) and potentially an intermediate certificate bundle.
2. Requesting a CSR from Your Client
The client needs to generate a CSR on their server. The process varies depending on their web server software:
Apache
openssl req -new -newkey rsa:2048 -nodes -keyout example.com.key -out example.com.csrThey’ll be prompted for information like country code, state, city, organisation name, and the Common Name (this *must* match the domain name). The key file is private; they should keep it secure.
Nginx
Nginx doesn’t have a built-in CSR tool. They’ll usually use OpenSSL as with Apache:
openssl req -new -keyout example.com.key -out example.com.csrcPanel/WHM
Most cPanel installations have a CSR tool in the SSL/TLS Manager section.
3. What to Do with the Received CSR
- Check the Common Name: Verify that the Common Name in the CSR exactly matches the domain name you need to secure.
- Examine the Subject Alternative Names (SANs): If they’re securing multiple subdomains (e.g., blog.example.com, shop.example.com), ensure these are included in the SAN field of the CSR. If not, ask them to regenerate it with the correct SANs.
- Copy the Contents: The CSR is a text file that starts and ends with
-----BEGIN CERTIFICATE REQUEST-----and-----END CERTIFICATE REQUEST-----. You’ll need to copy *everything* between these lines, including those lines themselves.
4. Submitting the CSR to a Certificate Authority (CA)
You or your client will submit this copied CSR to a CA (like Let’s Encrypt, DigiCert, Sectigo). The CA validates domain ownership.
5. Domain Ownership Validation
The CA needs to confirm the client controls the domain. Common methods include:
- Email Verification: The CA sends an email to a registered contact address for the domain (e.g., [email protected], [email protected]).
- DNS Record Change: The CA provides a unique DNS record (TXT or CNAME) that the client adds to their domain’s DNS settings.
- HTTP File Upload: The CA asks the client to upload a specific file to a designated location on their web server.
Follow the CA’s instructions carefully for validation.
6. Receiving and Installing the Certificate
- Download the Certificate: Once validated, the CA will provide the certificate file (usually .crt or .pem). They may also provide an intermediate certificate bundle (.ca-bundle).
- Install on Your Server: The installation process depends on your web server. Consult your server’s documentation for specific instructions. Generally, you’ll need to configure your virtual host to point to the certificate and key files.
For example, in Apache:
<VirtualHost *:443>
ServerName example.com
DocumentRoot /var/www/example.com
SSLEngine on
SSLCertificateFile /path/to/your_certificate.crt
SSLCertificateKeyFile /path/to/your_private.key
SSLCertificateChainFile /path/to/ca-bundle.crt <-- if provided
</VirtualHost>7. Testing the Installation
After installation, verify HTTPS is working correctly:
- Browser Check: Visit your website using
https://yourdomain.com. Look for a padlock icon in the browser’s address bar. - SSL Checker Tools: Use online tools like SSL Shopper or DigiCert SSL Installation Diagnostics Tool to check for errors and proper configuration.