Geek Answers Handbook

SSL Certificate

I am creating a buy system and I was told to configure an SSL certificate on my web server to work with banking operations.

I am new to this and I don’t quite understand the difference between OpenSSL (which is free and opensourced) and the SSL certificates you need to buy (thawte.com).

I think OpenSSL is a bit of a tool for creating keys (ive alredy did it for firstdata.com), but if I buy an ssl certificate on thawte.com and install it, do I have my https website?

Can I use free openSSL to work with banks? Or should I buy one?

+7
ssl openssl
source share
3 answers

The biggest difference between a self-issu certificate (with OpenSSL) and the one you buy from thawte (or somewhere else) is trust . If you want your users to access the ssl-enabled website without asking, "Do you trust the certificate from this issuer?" You need to buy a certificate from a trusted certification authority such as thawte or one of the others .

Your website will work via https with any old x.509 certificate, so if you only have a few people who access your ssl website, you can convince them to trust their self-public certificate and save money on the certificate.

+13
source share

OpenSSL is a tool and library that can be used to create certificate requests (CSRs), self-signed certificates, and issue certificates from a CA (if it is a CA that you manage, of course).

Most browsers have several trusted certification authorities. They issue certificates by signing the certificate they give (based on your certificate request). In turn, the certificates they issue can be verified by your users ’browsers against their (issuing) CA ​​certificate, since it comes with them by default.

You can create your own CA certificates and issue certificates yourself, but the problem is that your default CA certificate will not be used by default in most browsers, so it is useless if you do not make your users explicitly imported (which is great for corporate CA, for example, but in principle impractical). A self-signed certificate is a special case: it generates a CA root certificate or a one-time certificate for this machine; In any case, you will have to import it explicitly.

Some pre-trusted CAs will allow you to use OpenSSL to generate a certificate request as part of their procedure, but they may also offer other procedures based on other tools. Which tool you or they use does not really matter. What you want is a certificate issued by a CA that your remote side trusts.

+5
source share

You can register for free and get a free SSL certificate for your website, at least during the first year, on StartSSL . Weekend service is shown on their website, but it will be available later. I managed to get a free SSL certificate from them. This certificate is signed by the Startcom certification center, which was trusted according to their website .

+1
source share

More articles:


All Articles