In the part 1 of this series, I described the basics around SSL. In part 2 how to create self-signed certificates. In part 3, I described how to run your own certificate authority (CA). Now, we will cover the real use case which is getting a real certificate for your server.
What is the difference between your own CA and a real CA?
Technically, none. From the trust point of view, a real CA is a company that is well known by everyone involved in how to keep their keys safe and how to validate the identity of their users. The best metaphor for me is notarial services, or government documents.
Another key difference is that major OS vendors will ship the root certificates of well known CA (Verisign, Docusign, etc) with their OS updates. That is what makes end users not getting annoying messages when they use real certificates. And that’s why in the part 3 of this series, you had to add the Root CA certificate to the “trusted”, because the OS does not do that for you by default. And that’s why you will find there a lot of certificates that you didn’t install by yourself.
Requesting a Certificate
Here we have the same scenario described on part 3 and exaclty the same process. You will request a new certificate on IIS, fill the common name (very important). In real CA’s they will probably force you to fill your city, your company name, etc. with real values, otherwise they will deny your request.
Once you get the certificate request, you will have to follow your CA process. Usually they will have some kind of web app where you will post the content of the file.
Getting the signed certificate back
The CA will send you back a public certificate signed back. Remember, PUBLIC. Your private key is private and should be kept by you. You should again go back to your web site and then “Complete Certificate Request”. Select the .CER your CA signed. It is really important that you import back the .CER in the same machine you generated the request. The reason behind this is that you have the private key on that machine. Then you can keep your private/public key together. If you need to save/backup that private key, you can export the full certificate with public/private key if you need to restore the machine.
Connecting to the Web Server
Now if you just connect to your server through https you should happily get no annyoing messages and without needing to trust your CA.