Aleksandar Gargenta, Partner
Marakana, Inc.
Member since Jan 19, 2007
Location: San Francisco
Posts: 72
To provide security to your customers, Spark requires the use of HTTPS (or HTTP over SSL/TLS) on certain pages that collect sensitive information (e.g. password, credit card information, back-end info, etc.).
To integrate Spark with SSL/TLS, we need an SSL/TLS certificate.
Due to the nature of SSL (it's all based on trust) we cannot simply take over this task and obtain a certificate for you. The certification authorities (CAs) need to verify your identity (see below), so certain parts of this process require your involvement.
This is what we found works best:
Step 1
We generate an SSL/TLS public-private key-pair for your site.
(This is the command we use:
openssl genrsa -out server.key 2048)
Step 2
You supply us with the information necessary for us to create a certificate signing request (CSR):
- The 2-letter country code of where your organization is registered (e.g. 'US' for the United States)
- The state or province name of where your organization is registered (full name - e.g. 'California')
- The city of where your organization is registered (e.g. 'San Francisco')
- The name of your organization (e.g. 'Internet Widgits Inc.')
- The name of your organizational unit that is responsible for your site (e.g. 'Web')
- The name of your web site (e.g. 'www.mysite.com'). It is imperative that you choose this name wisely, since changing it later requires a whole new certificate. Specifically, you need to decide whether you prefer 'mysite.com' or 'www.mysite.com' as the site name. Both names will reach your site, but the certificate only matches the one you pick; visitors who type the other name over HTTPS will get a hostname-mismatch warning.
- The email address you wish to have associated with your certificate. It is important (though not required) that this email address be the same as the one used to register your domain name (i.e. the one that will be provided as part of the WHOIS info on your domain name). Having these addresses be the same makes it easier for the certification authority (CA) to verify your identity, which in turn allows you to get a much cheaper domain-validated SSL certificate.
Step 3
We generate a CSR (based on your site's private key and the information you provided in the previous step) and send it to you. The CSR contains your public key and the identity fields; the private key itself stays on the server.
(This is the command we use:
openssl req -new -key server.key -out server.csr)
Step 4
You select a certificate authority (CA) that will issue you an SSL certificate. The following are some of the more popular CAs:
- Verisign. Highly reputable. Great browser support. Very expensive: Secure Site ($399/year), Secure Site Pro ($995/year), Secure Site with EV ($995/year), Secure Site Pro with EV ($1,499/year).
- Thawte. Reputable. Great browser support. Owned by Verisign. More affordable: SSL 123 certificate ($149/year), SSL Web Server Certificate ($249/year), SSL Web Server Certificates with EV ($899/year)
- GoDaddy. Gaining in reputability. 99% browser support. Very affordable (coupons available): Standard SSL ($29.99/year), Deluxe SSL ($89.99/year), Premium SSL ($199.99/year).
Step 5
You purchase an SSL certificate through the CA that you selected. They will ask you for the following information:
- Your name (including the name of the company)
- CSR (the one we provided you with. Make sure that you copy-and-paste it in its entirety where prompted)
- If you are creating an intranet certificate (say 'No')
- If you need additional licenses (say 'No')
- What kind of web server software your site will use (say 'ModSSL' or if that's not an option, say 'Apache')
- Your [corporate] email address. Enter the same address as you provided us when we generated your CSR.
- Your credit card number.
Step 6
You provide us with your newly issued SSL certificate - your CA will provide you with the instructions on how to obtain/download your certificate.
Step 7
We configure and enable your site for SSL.
While we are waiting for you to provide us with the CA-signed certificate, we may configure your site with a self-signed certificate. It is good enough for testing purposes, but browsers will warn about it because no trusted CA vouches for the site's identity (the connection is still encrypted; only the identity check fails).
(This is the command we use:
openssl x509 -req -days 365 -in server.csr -signkey server.key -out server.crt)
Edited one time. Last edit by Aleksandar Gargenta on Jun 14, 2010 at 5:42:19 PM (about 5 weeks ago).
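The seven steps above carried through as one non-interactive shell script. This is an added example, not the original post's or Marakana's own script: the subject fields, the name www.mysite.com, the address hostmaster@mysite.com and the WORKDIR location are placeholders to replace with your own values, and it assumes openssl is on PATH. It goes beyond the post by adding the checks a practitioner runs before sending the CSR to the CA and again after the signed certificate comes back: the CSR's own signature verifies, the CN is the name you intended, and key, CSR and certificate share one RSA modulus.

```shell
#!/bin/sh
# Added example, not the original post's script. Runs steps 1, 3 and 7 of the
# procedure non-interactively and adds the sanity checks done before sending
# a CSR to a CA and after the signed certificate comes back.
# Assumptions: openssl on PATH; the subject fields, www.mysite.com and
# hostmaster@mysite.com are placeholders to replace with your own values.
set -eu

WORKDIR="${WORKDIR:-$(mktemp -d)}"
# The same fields the post asks for in step 2, in the order openssl expects.
SUBJ="/C=US/ST=California/L=San Francisco/O=Internet Widgits Inc./OU=Web/CN=www.mysite.com/emailAddress=hostmaster@mysite.com"

# Step 1: 2048-bit RSA key. Only the web server (and you) should be able to read it.
gen_key() {
    openssl genrsa -out "$WORKDIR/server.key" 2048 2>/dev/null
    chmod 600 "$WORKDIR/server.key"
}

# Step 3: CSR from the private key. -subj replaces the interactive prompts.
# The CSR carries the public key and identity fields only; the private key
# never leaves the server, which is why a CA cannot do this step for you.
gen_csr() {
    openssl req -new -key "$WORKDIR/server.key" -subj "$SUBJ" -out "$WORKDIR/server.csr"
}

# Step 7, interim: self-signed certificate for testing until the CA cert arrives.
gen_selfsigned() {
    openssl x509 -req -days 365 -in "$WORKDIR/server.csr" \
        -signkey "$WORKDIR/server.key" -out "$WORKDIR/server.crt" 2>/dev/null
}

# CN recorded in the CSR: confirm the www / non-www choice before paying the CA,
# because after issuance the name cannot be changed. Handles both the
# "CN = x" (OpenSSL 1.1+) and "/CN=x" (OpenSSL 1.0) subject formats.
csr_cn() {
    openssl req -in "$WORKDIR/server.csr" -noout -subject |
        sed -n 's/.*CN *= *\([^,/]*\).*/\1/p'
}

# The CSR is signed with the private key; a failing verify means it is
# corrupted (e.g. a truncated copy-and-paste) or was not made with this key.
csr_verifies() {
    openssl req -in "$WORKDIR/server.csr" -noout -verify >/dev/null 2>&1
}

# Key, CSR and certificate must share one RSA modulus. Run this again with the
# CA-issued certificate in place of server.crt before enabling the site: a
# mismatch means the CA signed a CSR from some other key, and mod_ssl will
# refuse to start with that pair. Takes the key file so a mismatch can be shown.
modulus_matches() {
    key="${1:-$WORKDIR/server.key}"
    k=$(openssl rsa -in "$key" -noout -modulus | openssl sha256)
    r=$(openssl req -in "$WORKDIR/server.csr" -noout -modulus | openssl sha256)
    c=$(openssl x509 -in "$WORKDIR/server.crt" -noout -modulus | openssl sha256)
    [ "$k" = "$r" ] && [ "$k" = "$c" ]
}

# Browsers warn on the interim certificate because its issuer is the site
# itself rather than a CA they trust, not because the encryption is weaker.
# Issuer equal to subject is the tell; the CA-issued certificate fails this test.
cert_is_selfsigned() {
    s=$(openssl x509 -in "$WORKDIR/server.crt" -noout -subject)
    i=$(openssl x509 -in "$WORKDIR/server.crt" -noout -issuer)
    [ "${s#subject=}" = "${i#issuer=}" ]
}

main() {
    gen_key
    gen_csr
    gen_selfsigned
    echo "CSR CN: $(csr_cn)"
    csr_verifies && echo "CSR signature OK"
    modulus_matches && echo "key, CSR and certificate moduli match"
    cert_is_selfsigned && echo "server.crt is self-signed: testing only"
    echo "Send $WORKDIR/server.csr to the CA; keep $WORKDIR/server.key private"
}

main
```

When the CA's certificate arrives, copy it over server.crt and rerun modulus_matches before switching the site to it; cert_is_selfsigned should then fail, which is the expected result. Send the CA only server.csr; server.key is never attached to an email or pasted into a web form.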