This how-to explains how to create verified, CA-signed certificates using ZeroSSL. It requires:
- A web server accessible from the internet.
- Admin rights to the web server.
This how-to also applies to a Windows web server.
Plain HTTP is considered insecure for handling user data. To properly secure a website, TLS/SSL certificates need to be used; they ensure that the user data sent between the server and the client over the internet is encrypted. For non-repudiation the certificates should be signed by a valid CA (certificate authority). Normally getting certificates signed by a CA costs money, but ZeroSSL provides them for free. The downside of these certificates is that they need to be renewed periodically, at the time of writing every 90 days. This how-to explains how to get signed certificates; another how-to will explain how to use them in a real-world setup.
Prepare the web server
This section applies to both Windows and Linux servers. First prepare the web server: locate and go to the webroot folder and create a new folder named ".well-known" (without the quotes; the leading dot is important). On Linux the webroot is by default located under "/var/www/xxx/", and on Windows it is configured in the "config.php" file. In a Windows environment you might have to use the command prompt to create ".well-known" because of the dot in the name. Next change directory into the newly created folder and create another folder named "acme-challenge", again without the quotes. Picture1 illustrates how the path should look once the folders are created.
Request the certificates
Go to https://zerossl.com/ and press "Online tools - start". The page should then look similar to Picture2. Enter a valid email address and your domain (no need to enter www just yet). Accept the ZeroSSL and Let's Encrypt SA as shown in Picture2 and press next. A window will pop up asking whether the www prefix should be included (Picture3). If the website is accessible using both "www.domain.com" and "domain.com", press yes; this ensures that the certificate can be used for both "www.domain.com" and "domain.com". This is not always the case: some sites do not want to include the www part, or have it the other way around, so choose yes or no depending on your needs. The CSR (certificate signing request) will now be generated, which may take a moment; once done, download the CSR file and press next. Next the key will be generated, which again may take a little while; once the key has been generated, download the key file and press next.
Depending on the earlier choice to include the www prefix or not, the page will look like Picture4: if the www prefix was not included there is only one file to download, and if it was included two files are shown, as in Picture4. Download the file(s) and transfer them to the web server; they need to be placed in the "acme-challenge" folder created earlier (the full path was illustrated in Picture1). Once done, test the links from ZeroSSL (3 and 4 on Picture4): a web browser should open and the text should be readable. If successful, press next.
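As an added example (not part of the original how-to), the following POSIX shell script does the Linux side of the steps above: it creates the ".well-known/acme-challenge" path under a webroot, drops a challenge file into it, and checks that the web server process, which usually runs as an unprivileged user, will be able to read it. The challenge file name and content used in the script are constructed placeholders; in the real procedure both come from the file(s) downloaded from ZeroSSL. The verify_over_http function assumes curl is installed and that the domain already resolves to this server.

```shell
#!/bin/sh
# Added example: prepare the HTTP-01 challenge directory on a Linux web server
# and check that a challenge file placed there is readable by the web server.

# Create <webroot>/.well-known/acme-challenge and print the resulting path.
prepare_acme_dir() {
    webroot=${1%/}
    dir="$webroot/.well-known/acme-challenge"
    mkdir -p "$dir" || return 1
    # The web server usually runs as another user (www-data, apache, ...), so
    # the directories must be searchable and the files readable by "others".
    chmod 755 "$webroot/.well-known" "$dir" || return 1
    printf '%s\n' "$dir"
}

# Write one challenge file. In the real procedure <name> and <content> are
# whatever the file downloaded from ZeroSSL is called and contains.
place_challenge() {
    dir="$1"; name="$2"; content="$3"
    printf '%s' "$content" > "$dir/$name" || return 1
    chmod 644 "$dir/$name"
}

# Return 0 if <webroot>/<relpath> is world-readable and every directory between
# the webroot and the file is world-searchable; otherwise report the first
# offending path on stderr and return 1. This is the condition behind the
# "not enough permission to read the files" error.
check_readable() {
    webroot=${1%/}; rel="$2"
    f="$webroot/$rel"
    [ -f "$f" ] || { echo "missing: $f" >&2; return 1; }
    [ -n "$(find "$f" -prune -perm -o+r)" ] || { echo "not world-readable: $f" >&2; return 1; }
    d=$(dirname "$f")
    while [ "$d" != "$webroot" ] && [ "$d" != "/" ] && [ "$d" != "." ]; do
        [ -n "$(find "$d" -prune -perm -o+x)" ] || { echo "not world-searchable: $d" >&2; return 1; }
        d=$(dirname "$d")
    done
    return 0
}

# Fetch the challenge over plain HTTP, as the ZeroSSL verifier does, and
# compare the body with the expected content. Assumes curl is installed.
verify_over_http() {
    domain="$1"; name="$2"; expected="$3"
    url="http://$domain/.well-known/acme-challenge/$name"
    got=$(curl -fsS "$url") || { echo "fetch failed: $url" >&2; return 1; }
    [ "$got" = "$expected" ] || { echo "content mismatch at $url" >&2; return 1; }
}
```

Typical use on the server: dir=$(prepare_acme_dir /var/www/xxx), then place_challenge "$dir" with the downloaded file's name and content, then check_readable /var/www/xxx .well-known/acme-challenge/NAME before pressing next; verify_over_http domain.com NAME "CONTENT" reproduces the browser test from the command line, which is handy on a headless server.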
A couple of errors that might occur:
1. If an error message pops up saying that there isn't enough permission to read the files, the permissions on the "acme-challenge" directory need to be modified.
2. If an error 400 pops up, try redoing this how-to. There appears to be a timer in the background (not confirmed) that times out if the request takes too long.
Almost done now: read through this page and save the Account ID as it might be needed in the future. Lastly, download the domain certificate and domain key and save them; these are the files the web server will use to prove its identity.
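As a second added example (again not part of the original how-to), these shell functions sanity-check the downloaded domain certificate and domain key with the openssl command-line tool before they are installed: that the key actually belongs to the certificate, that the certificate covers the name(s) chosen in the www step, and whether it is still valid for a given number of days, which matters given the 90-day lifetime mentioned above. The file paths are plain arguments; nothing about ZeroSSL's download file names is assumed.

```shell
#!/bin/sh
# Added example: checks on the certificate and key downloaded from ZeroSSL.
# Requires the openssl command-line tool.

# Return 0 if the public key inside the certificate matches the private key.
# Both commands emit the public key as PEM, so the two texts must be identical.
cert_matches_key() {
    cert="$1"; key="$2"
    c=$(openssl x509 -in "$cert" -noout -pubkey 2>/dev/null) || return 1
    k=$(openssl pkey -in "$key" -pubout 2>/dev/null) || return 1
    [ -n "$c" ] && [ "$c" = "$k" ]
}

# Return 0 if the certificate will still be valid <days> days from now.
# ZeroSSL certificates expire after 90 days, so renew well before that.
cert_valid_for_days() {
    cert="$1"; days="$2"
    openssl x509 -in "$cert" -noout -checkend $((days * 86400)) >/dev/null 2>&1
}

# Print the DNS names from the Subject Alternative Name extension, one per
# line (no output if the certificate has no SAN). This is where the www /
# non-www choice made on the ZeroSSL site shows up.
cert_dns_names() {
    openssl x509 -in "$1" -noout -text 2>/dev/null \
        | sed -n '/Subject Alternative Name/{n;p;}' \
        | tr -d ' ' | tr ',' '\n' | sed -n 's/^DNS://p'
}

# Return 0 if the certificate lists <name> exactly (no wildcard matching).
cert_covers_name() {
    cert_dns_names "$1" | grep -qxF -- "$2"
}
```

Run cert_matches_key cert.pem key.pem and cert_covers_name cert.pem www.domain.com right after downloading; a mismatch here means the wrong key file was saved, which is far easier to notice now than after the web server refuses to start. cert_valid_for_days cert.pem 14 is a convenient renewal reminder to put in a cron job.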