A CA-signed certificate, also known as a trusted certificate, is a certificate that has been issued and digitally signed by a trusted third-party entity called a Certificate Authority (CA). To get a CA-signed certificate for a domain, you first need to generate a CSR (Certificate Signing Request) and then follow additional steps to get it signed by a CA, which makes it a valid CA-signed digital SSL certificate. In this article, I will discuss all the steps that you need to follow to get a CA-signed SSL certificate from a CSR file.
Steps to Get a CA Signed Certificate from CSR File
The prerequisite for all the steps below is to first create a CSR file. A CSR (Certificate Signing Request) is created with tools like OpenSSL, Java KeyTool etc. by following a set of steps and providing information about your domain, organization etc. You can also use graphical tools like Portecle to generate CSR files or self-signed certificates.
To get a CA (Certificate Authority) signed certificate from a CSR (Certificate Signing Request), you will need to follow these steps:
Step 1: Generate CSR Certificate Signing Request File (.csr)
Using any graphical or command-line tool of your choice that is available on your server, generate a CSR on the server where the certificate will be installed. This will create a public and private key pair, and a CSR file (.csr) that will contain information about the certificate and the organization requesting it.
For example, to generate the CSR file using OpenSSL, first run the command below to create a key file:
openssl genrsa -out demo.com.key 2048
The above command generates the key file demo.com.key, which the next command uses to generate the CSR file demo.csr:
openssl req -new -key demo.com.key -out demo.csr
Once you run the above command to generate the certificate signing request (CSR), you will be prompted to enter additional details including country, state, city, organization, organization unit, CN (common name), email etc.
Step 2: Submit CSR Certificate Signing Request File to CA to get Signed SSL Certificate
Once you have created a CSR file using step 1, you next need to submit the CSR to a CA. There are many well-known CAs available, and you can get your CA-signed digital certificate from any of those trusted CAs (e.g. DigiCert, GlobalSign). This can typically be done through their website, where you will be prompted to enter information about your organization and the certificate you are requesting to be signed.
The CA will then validate the information in the CSR, and if everything is in order, they will issue a signed certificate.
CSR Certificate Signing Request: CA Validations
When submitting the CSR to the CA, you will typically be prompted to provide additional information such as your organization’s contact details and the domain name(s) that the certificate will be used for. The CA will use this information to validate your organization and ensure that you are authorized to request a certificate for the domain in question.
The CA may also require you to verify your organization’s identity and domain ownership; this process is called validation. It might include:
Email validation: the CA will send an email to an address associated with the domain, such as admin@example.com, to confirm that you have access to the email account.
Phone validation: the CA will call a phone number associated with the organization to confirm that you have access to the phone number.
Document validation: the CA may ask you to provide documentation that proves your organization’s identity and domain ownership, such as a copy of a business license or a utility bill.
Once the validation process is complete and the CA confirms your information, they will issue your certificate. The format of the certificate may differ depending on the CA and the type of certificate you are requesting; it could be .crt, .pem, .cer or .der.
Step 3: Install CA Signed SSL Certificate on Server
Once you have received the signed certificate, you will need to install it on the server along with the private key that was generated when the CSR was created. The steps required for installing a CA-signed certificate may vary for different types of servers, but it is not rocket science and the steps should be easy to perform. In general, SSL certificate installation on a server involves importing the certificate and private key into the server’s certificate store and configuring the server to use the certificate for secure communications.
After the certificate is installed, it can be used for SSL Based secure communications such as HTTPS.
Finally, you will need to install the certificate on the server.
Additional Important Points
It is important to mention here that in most cases, a certificate issued by a CA is based on an SSL chain of trust in which a root CA and one or more intermediate CAs are involved. You should always ensure that you install the full chain of certificates in order to have valid SSL communication.
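The checks worth running between receiving the signed certificate (step 2) and installing it with its private key and full chain (step 3 and the point above), as an added example that is not part of the original article: it confirms that the key, CSR and certificate share one public key, and that the certificate verifies only when the intermediate is supplied. The temp-directory file names, the test.cnf config, the same_keypair and chain_ok helpers, and the throwaway root and intermediate CAs are constructed for illustration and stand in for a real CA.

```shell
#!/usr/bin/env bash
# Added example: every name and file is constructed. The throwaway root and
# intermediate CAs only stand in for a real CA so the checks run offline.
set -eu

# Succeeds only if the private key, CSR and certificate carry the same public key.
same_keypair() {  # usage: same_keypair KEY CSR CERT
  k=$(openssl pkey -in "$1" -pubout 2>/dev/null) || return 1
  [ -n "$k" ] &&
    [ "$k" = "$(openssl req -in "$2" -noout -pubkey 2>/dev/null)" ] &&
    [ "$k" = "$(openssl x509 -in "$3" -noout -pubkey 2>/dev/null)" ]
}

# Succeeds only if LEAF chains to ROOT; INTERMEDIATES (optional) is a PEM file.
chain_ok() {  # usage: chain_ok ROOT LEAF [INTERMEDIATES]
  openssl verify -CAfile "$1" ${3:+-untrusted "$3"} "$2" >/dev/null 2>&1
}

# Constructed fixture: root CA -> intermediate CA -> demo.com, in a temp directory.
build_fixture() {
  d=$(mktemp -d)
  cat > "$d/test.cnf" <<'EOF'
[req]
distinguished_name = dn
x509_extensions = ca_ext
[dn]
[ca_ext]
basicConstraints = critical,CA:TRUE
EOF
  q() { "$@" >/dev/null 2>&1; }  # run a command quietly
  q openssl req -x509 -config "$d/test.cnf" -newkey rsa:2048 -nodes -days 1 \
    -subj "/CN=Constructed Root CA" -keyout "$d/root.key" -out "$d/root.crt"
  q openssl req -new -config "$d/test.cnf" -newkey rsa:2048 -nodes \
    -subj "/CN=Constructed Intermediate CA" -keyout "$d/int.key" -out "$d/int.csr"
  q openssl x509 -req -in "$d/int.csr" -CA "$d/root.crt" -CAkey "$d/root.key" \
    -CAcreateserial -extfile "$d/test.cnf" -extensions ca_ext -days 1 -out "$d/int.crt"
  # Steps 1 and 2: key and CSR (non-interactive via -subj), then the stand-in CA signs.
  q openssl genrsa -out "$d/demo.com.key" 2048
  q openssl req -new -config "$d/test.cnf" -key "$d/demo.com.key" \
    -subj "/CN=demo.com" -out "$d/demo.csr"
  q openssl x509 -req -in "$d/demo.csr" -CA "$d/int.crt" -CAkey "$d/int.key" \
    -CAcreateserial -days 1 -out "$d/demo.crt"
}

build_fixture
same_keypair "$d/demo.com.key" "$d/demo.csr" "$d/demo.crt" && echo "key, CSR and certificate match"
same_keypair "$d/int.key" "$d/demo.csr" "$d/demo.crt" || echo "unrelated key rejected"
chain_ok "$d/root.crt" "$d/demo.crt" "$d/int.crt" && echo "full chain verifies"
chain_ok "$d/root.crt" "$d/demo.crt" || echo "leaf without intermediate fails"
```

With a certificate from a real CA, pass the CA's root and intermediate files to chain_ok in place of the constructed ones.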
Please let me know in the comments section if you have any specific question on this process.