Install an SSL certificate on a managed hosting server

In this guide, we show you how to install an SSL certificate on a server with managed hosting. The guide covers both installing a traditional certificate from a commercial Certificate Authority and installing a certificate issued by Let’s Encrypt.

Installing a traditional certificate

To purchase a certificate, you first need to generate a CSR (Certificate Signing Request) file. You use the CSR when buying a certificate from a Certificate Authority (CA), so you must have created one in step 1. The CSR contains information about the organization to which the certificate will be issued. It also includes the public key, which, together with a private key, forms a key pair. The private key is generated at the same time as the CSR, and SSL/TLS security relies on keeping the private key secret. Therefore, the recommendation is that the private key never leaves the server on which it was generated. Moreover, the private key is paired with the public key in the certificate, so if you lose the file, the certificate becomes unusable, and you’ll need to purchase a new one.

Generate a CSR on a managed hosting server

glesys_csrgen

### IMPORTANT ###
if you request a certificate for both top domain and
the subdomain www use "www.domain.tld" as your common name
#################

Country Name (2 letter code): SE
State or Province Name (full name): Halland
Locality Name (eg, city): Falkenberg
Organization Name (eg, company): GleSYS Internet Services AB
Organizational Unit Name (eg, section): IT
Common Name (e.g. server FQDN or YOUR name): www.glesys.se
Email Address: [email protected]

#################
CSR is located in ~/.sslcerts/www.glesys.se

Use The Certificate below if these settings are correct

Country Name (2 letter code): SE
State or Province Name (full name): Halland
Locality Name (eg, city): Falkenberg
Organization Name (eg, company): GleSYS Internet Services AB
Organizational Unit Name (eg, section):  IT
Common Name (e.g. server FQDN or YOUR name): www.glesys.se
Email Address: [email protected]
#################

-----BEGIN CERTIFICATE REQUEST-----
MIIE5zCCAs8CAQAwgaExCzAJBgNVBAYTAlNFMRAwDgYDVQQIDAdIYWxsYW5kMRMw
EQYDVQQHDApGYWxrZW5iZXJnMSQwIgYDVQQKDBtHbGVTWVMgSW50ZXJuZXQgU2Vy
..
..
dmljZXMgQUIxCzAJBgNVBAsMAklUMRYwFAYDVQQDDA13d3cuZ2xlc3lzLnNlMSAw
5u9pumVY+TsOKps=
-----END CERTIFICATE REQUEST-----

Purchase a certificate

Once you’ve generated the CSR and private key, it’s time to purchase a certificate.

Some providers you can choose from:

• https://www.instantssl.com/

• https://www.globalsign.com/

• https://www.comodo.com/

• https://www.thawte.com/

With your certificate provider, you upload the contents—including the BEGIN CERTIFICATE REQUEST / END CERTIFICATE REQUEST block—following the provider’s instructions. A common question you’ll need to answer is which service you’ll use the certificate with; select apache2+modssl. If anything is unclear, contact the provider’s support. Once the purchase is complete, you’ll receive information and a ZIP file containing the certificate in PEM format together with any intermediate certificates.

An intermediate certificate (sometimes called a chain certificate) is required to complete the trust chain when your CA does not sign your certificate directly with its root certificate.

After you receive your certificate, upload it to an appropriate location in your home directory on the server. Then notify us, and we will install the certificate for you.

Install a Let's Encrypt certificate

Let’s Encrypt is a service that automates the steps described above and provides the certificate for free. These certificates merely validate that your domain actually points to the correct server and must be renewed every three months. From a cryptographic standpoint, however, they are just as secure as a certificate issued by a commercial Certificate Authority and are more than sufficient for most use cases.

Implementation of Let's Encrypt

The only requirement for us to install Let’s Encrypt for you is that the domain points to the server that will issue the certificate. If it does, contact us at [email protected] and we’ll take care of the installation.