SSL Certificates

To run a webserver securely using a properly signed certificate (not self signed) you need to buy a proper certificate through one of the companies listed with a root certificate (meaning your browser recognises them as a legitimate certificate authority)


If you don’t plan to sell anything, or your customers don’t mind installing the root certificate, CAcert will issue free certificates. They’re quite useful on things like mail servers, VPNs and Intranets.


For a wide range of SSL certificates from as little as £8 per year (RapidSSL, SBS and GeoTrust) visit

Cheap as chips certificates can also be bought through

For a potentially more trustworthy cert Thawte or Verisign also sell certificates.

Certificate Signing Request

To actually make the purchase you’ll need to generate a CSR (Certificate Signing Request) on the webserver which will host the SSL site.

Each webserver handles this differently but on Apache with mod_ssl/openssl you can do a:

openssl req -new -nodes -keyout -out

On IIS there is a wizard to generate the CSR.

Now enter all of your details in, be careful with the Company Name field as this should match exactly the name the domain (e.g. is registered to. Otherwise you’ll have to send in some docs to the Cert Authority to prove who you are…

Also note that the Common Name is the actual name of the secure host you are buying (e.g.

Once you have created the CSR and Key, keep the Key safe somewhere and submit the CSR during the purchase of your cert.
On IIS this is not automatic. See
If you ever need to re-install or move the certificate the Key is essential – without it you may have to buy a new certificate.

Also for a good list of intructions for many different OS/Control Panel systems visit

Features of SSL

SSL Features

HOWTO: Set Up SSL Using IIS 5.0 and Certificate See