Cyber-Security Web Servers

An Explanation of Certificate files, Keys and Certificate Signing Requests

To have a website secured with SSL, the administrator needs to generate some files, send them off to a certificate authority, get more files back, and put them on the server where they are used to provide the SSL security. Just FYI: these days the protocol in use is TLS, not SSL, but in conversation the two terms are generally used interchangeably. Be careful with the distinction.

First you need to generate the CSR (certificate signing request) and the KEY. The CSR stores the domain name, contact details and other details that the certificate authority (GoDaddy, Comodo, etc.) is going to vouch for. The KEY is just a key file which remains private; you don’t give it to anyone. The KEY is used to decrypt the CRT when the web server starts. Without the KEY, the CRT won’t work. The CSR is what you provide to the certificate authority (sometimes called the “CA”).

Once you’ve provided the CSR file to the certificate authority, you will (shortly afterwards) receive a signed CRT (certificate) back from them. You’ll probably receive the CRT in a “bundle” that includes the certificate and the intermediate certificate.

Now we have the files: CSR, KEY and CRT. The CSR is not used any further; keep it safe somewhere. The KEY and CRT are put on the web server in a safe location. Those files are used by the web server software (such as Apache or Nginx) to provide the SSL capability, so those two files need to be copied/moved to every web server that needs to provide SSL services.

Keep the KEY safe and secure on the server. Put the CRT and KEY on the web server when you’re ready to configure the web server for SSL.

  • TIP: Sometimes we combine the CRT and the intermediate CRTs into a single file.
  • TIP: Windows IIS servers use a format called “pfx”, which is a binary format, not text like the files mentioned above.
  • TIP: Sometimes the KEY file has a password associated with it, and sometimes it doesn’t. Whoever creates the KEY and CSR decides this before sending the CSR to the certificate authority.
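The whole procedure above as an added shell example (not the post’s own code) using the openssl CLI: it generates the KEY and CSR, stands in a throwaway local CA for the real certificate authority so it runs offline, checks that the KEY actually matches the returned CRT before anything is deployed, and builds the combined bundle file from the first tip. The openssl commands are real; the domain, organisation name and file names are made-up placeholders.

```shell
#!/bin/sh
# Added example, not code from the original post. Assumes openssl is installed;
# the organisation name and domain are made-up placeholders.
set -e
WORKDIR="${WORKDIR:-$(mktemp -d)}"

# Step 1: private KEY (stays on the server, mode 600) plus the CSR that goes to the CA.
gen_key_and_csr() {
    d="$1"
    openssl genpkey -algorithm RSA -pkeyopt rsa_keygen_bits:2048 \
        -out "$WORKDIR/$d.key" 2>/dev/null
    chmod 600 "$WORKDIR/$d.key"
    openssl req -new -key "$WORKDIR/$d.key" -subj "/O=Example Org/CN=$d" \
        -out "$WORKDIR/$d.csr"
}

# Step 2 stand-in: a throwaway CA signs the CSR. A real CA does this for you and
# returns the CRT plus an intermediate; here the throwaway CA cert plays the intermediate.
sign_csr_with_test_ca() {
    d="$1"
    openssl req -x509 -newkey rsa:2048 -nodes -keyout "$WORKDIR/ca.key" \
        -out "$WORKDIR/ca.crt" -subj "/CN=Throwaway Test CA" -days 1 2>/dev/null
    openssl x509 -req -in "$WORKDIR/$d.csr" -CA "$WORKDIR/ca.crt" -CAkey "$WORKDIR/ca.key" \
        -CAcreateserial -out "$WORKDIR/$d.crt" -days 1 2>/dev/null
}

# Step 3: before deploying, prove the KEY and CRT belong together. The public key
# embedded in the CRT must equal the public key derived from the private KEY.
key_matches_cert() {
    k=$(openssl pkey -in "$1" -pubout -outform DER | openssl dgst -sha256)
    c=$(openssl x509 -in "$2" -pubkey -noout \
        | openssl pkey -pubin -pubout -outform DER | openssl dgst -sha256)
    [ "$k" = "$c" ]
}

# Step 4: the "bundle": server CRT first, then the intermediate(s), in one file.
# Also verifies that the CRT chains up to the CA before it is handed to the web server.
build_chain() {
    cat "$1" "$2" > "$3"
    openssl verify -CAfile "$WORKDIR/ca.crt" "$1" >/dev/null
}

run_demo() {
    gen_key_and_csr "$1"
    sign_csr_with_test_ca "$1"
    if key_matches_cert "$WORKDIR/$1.key" "$WORKDIR/$1.crt"; then echo "KEY matches CRT"; else echo "KEY/CRT mismatch"; exit 1; fi
    build_chain "$WORKDIR/$1.crt" "$WORKDIR/ca.crt" "$WORKDIR/$1.chain.pem"
    echo "KEY, CSR, CRT and chain written to $WORKDIR"
}

# Usage: sh this_script.sh www.example.test
if [ $# -eq 1 ]; then run_demo "$1"; fi
```

The key-match check is the one to keep: a CRT deployed next to the wrong KEY is the usual reason a server refuses to start after a certificate renewal.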
