TL;DR
Buying a TLS certificate is usually easier and more trustworthy, especially for public-facing websites. Creating your own (self-signed) is okay for testing or internal use but will cause browser warnings for visitors.
1. Understanding TLS Certificates
TLS (Transport Layer Security) certificates verify a website’s identity and encrypt communication between the server and users’ browsers. This ensures data privacy and security. There are two main ways to get one:
- Buying: Purchasing from a Certificate Authority (CA).
- Creating: Generating your own self-signed certificate.
2. Buying a TLS Certificate
This is the recommended approach for most websites.
2.1 Choose a Certificate Authority
Popular CAs include:
- Let’s Encrypt (free, automated)
- DigiCert
- Sectigo
- GlobalSign
2.2 Select Certificate Type
Different types offer varying levels of validation:
- Domain Validation (DV): Quickest and cheapest; verifies you control the domain.
- Organization Validation (OV): Verifies your organisation’s details.
- Extended Validation (EV): Highest level of trust; requires thorough verification. Displays a green address bar in browsers.
2.3 Purchase and Generate CSR
You’ll need to create a Certificate Signing Request (CSR) on your server. The process varies depending on your web server software:
- Apache: Use the openssl command:
openssl req -new -newkey rsa:2048 -nodes -keyout example.key -out example.csr
- Nginx: Similar to Apache, using openssl.
2.4 Submit CSR and Validate
Submit the CSR to your chosen CA. They will validate your domain (usually via email or DNS record check).
2.5 Install Certificate
Once validated, download the certificate files (typically a .crt file) and install them on your server. Configuration steps depend on your web server.
3. Creating a Self-Signed TLS Certificate
This is suitable for testing environments or internal applications where browser warnings are acceptable.
3.1 Generate the Certificate
Use openssl:
openssl req -x509 -newkey rsa:4096 -nodes -keyout selfsigned.key -out selfsigned.crt -days 365
This creates a key file (selfsigned.key) and a certificate file (selfsigned.crt) valid for 365 days.
3.2 Configure Web Server
Point your web server to the self-signed certificate and key files. Configuration varies by server software.
3.3 Browser Warnings
Browsers will display a warning because the certificate isn’t trusted by a recognised CA. Users need to manually accept the risk to proceed. This is not ideal for public websites.
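The following is an added example, not code from the original page: a small shell script that performs the CSR step from 2.3 and the self-signed certificate from 3.1 for a constructed hostname (example.internal) in a scratch directory, then uses openssl verify to show why the browser warning in 3.3 occurs. It assumes OpenSSL 1.1.1 or later (for -addext) and a system CA store that openssl can read.

```shell
# Added example (not from the original page): sections 2.3 and 3.1-3.3 with openssl.
# Assumes OpenSSL 1.1.1+ (-addext) and a readable system CA store; hostname is constructed.
set -eu

WORKDIR="${WORKDIR:-$(mktemp -d)}"

# Section 2.3: key + CSR, non-interactively; browsers require the hostname in the SAN.
make_csr() {
  host="$1"
  openssl req -new -newkey rsa:2048 -nodes \
    -keyout "$WORKDIR/$host.key" -out "$WORKDIR/$host.csr" \
    -subj "/CN=$host" -addext "subjectAltName=DNS:$host" 2>/dev/null
  openssl req -in "$WORKDIR/$host.csr" -noout -subject   # prints the CSR subject
}

# Pre-submission check: the CSR's public key must match the private key you will install.
csr_matches_key() {
  host="$1"
  k="$(openssl pkey -in "$WORKDIR/$host.key" -pubout 2>/dev/null)"
  c="$(openssl req -in "$WORKDIR/$host.csr" -pubkey -noout 2>/dev/null)"
  [ -n "$k" ] && [ "$k" = "$c" ]
}

# Section 3.1: self-signed certificate, one year, with the same SAN.
make_selfsigned() {
  host="$1"
  openssl req -x509 -newkey rsa:2048 -nodes -days 365 \
    -keyout "$WORKDIR/$host-selfsigned.key" -out "$WORKDIR/$host-selfsigned.crt" \
    -subj "/CN=$host" -addext "subjectAltName=DNS:$host" 2>/dev/null
}

# Section 3.3: exit 0 only if the cert chains to a CA in the system store (a self-signed cert never does).
trusted_by_system_store() {
  openssl verify "$WORKDIR/$1-selfsigned.crt" >/dev/null 2>&1
}

# The same cert verifies once it is itself the trust anchor: what "accept the risk" amounts to.
trusted_when_pinned() {
  openssl verify -CAfile "$WORKDIR/$1-selfsigned.crt" \
    "$WORKDIR/$1-selfsigned.crt" >/dev/null 2>&1
}

make_csr example.internal
csr_matches_key example.internal && echo "CSR matches key; ready to submit $WORKDIR/example.internal.csr"
make_selfsigned example.internal
trusted_by_system_store example.internal || echo "system CA store rejects the self-signed cert (browser warning)"
trusted_when_pinned example.internal && echo "verifies only when the cert itself is the trust anchor"
```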
4. Comparison Table
| Feature | Buying | Creating |
|---|---|---|
| Trust | High (trusted by browsers) | Low (browser warnings) |
| Validation | Domain, Organisation, Extended | None |
| Cost | £0 – £100+ per year | Free |
| Complexity | Moderate | Simple |
| Use Cases | Public websites, e-commerce | Testing, internal applications |
5. Let’s Encrypt – A Free Option
Let’s Encrypt provides free DV certificates that are automatically renewed. Tools like Certbot simplify the process:
sudo apt install certbot python3-certbot-nginx # Example for Ubuntu/Debian with Nginx
Certbot automates CSR generation, validation and installation.