What is SSL?
SSL stands for Secure Sockets Layer. Its objective is to protect (via encryption) your communication over the internet.
If you use internet banking, you are probably familiar with the "Lock" icon in your browser, which indicates that your communication is secure. This usually happens automatically when you access your bank's website using httpS instead of plain http. The lock appears because the browser recognizes that the server is using an SSL certificate issued by a trusted company (called a Certification Authority - CA). You can create your own SSL certificate (instead of one issued by a CA), but browsers would not recognize you as one of their trusted companies, so even though the communication will be encrypted, the "lock" icon will not appear and the browser will probably show an alert to notify the user about that.
So, having an SSL certificate issued by a CA is the best way to show the users/visitors of your website that their communication is secure and that your website belongs to you.
Types of SSL Certificates
To have an SSL certificate issued by a CA, you just need to go to a CA's website or one of its representatives (Domain Providers usually are) and buy one. CAs sell different types of certificates, each with different objectives, types of verification and even warranty.
For our purposes, we will restrict ourselves to Domain Validation, that is, when you just want your domain to use an SSL Certificate issued by a CA without further validation (like Organization validation).
An SSL Certificate can be issued to validate 1 domain (like www.redbeachgames.com) or several domains, so CAs have several packages with different prices. One pretty common package is the Wildcard SSL certificate, where 1 SSL certificate can be used to validate any subdomain variation, like redbeachgames.com, www.redbeachgames.com, news.redbeachgames.com,... Usually we indicate a wildcard domain using "*", as in *.redbeachgames.com.
Prices of an SSL Certificate issued by a CA
SSL Certificate prices vary a lot among CAs, so I recommend that you do an extensive search to find the best cost-benefit for you.
The place where I found the best price was Namecheap, a Domain Provider that sells SSL certificates issued by several CAs like Comodo, Verisign,... The SSL certificate is totally independent of where your domain is parked, so you can have a domain from GoDaddy and buy the SSL Certificate from Namecheap. After all, what matters is the CA issuing the SSL Certificate and the provider that is running your webserver/webpage.
Just to give you a price range, you can buy a single domain validation for ~$9/year or a wildcard domain validation for ~$95/year.
You may think: "So, if I have 10 different subdomains or less, it is better to buy separate certificates instead of 1 wildcard certificate". That might not be true. Some website providers also charge you for using SSL. For example, right now Windows Azure charges $9 per month (prorated hourly) per certificate. Besides that, having several certificates just adds more work, since you will have to manage them all separately.
How to add an SSL Certificate to my website:
The overall process is:
1) Choose an SSL Certificate package from a CA
2) Create a CSR (Certificate Signing Request) on your local machine
3) Send the CSR to the CA (Certification Authority - the company that will create your SSL certificate)
4) The CA will send you the Certificate. Now, you just need to configure your server to use it.
So, let's go through the step-by-step tutorial:
1) Choose an SSL Certificate package from a CA
Prices vary a lot. I found that if you buy the SSL certificate directly from the CA's website you might not get the best price. Domain Providers usually sell SSL certificates issued by CAs, and they have a better price.
As mentioned before, the place where I found the best prices was Namecheap. Their customer support is also great.
2) Create a CSR (Certificate Signing Request) on your local machine
On your Mac (if you use Windows, click here and follow the instructions of "Get a certificate using Certreq.exe"), open your terminal and type:
State or Province Name (full name) [Some-State]:Rio de Janeiro
Locality Name (eg, city) []:Niteroi
Organization Name (eg, company) [Internet Widgits Pty Ltd]:Red Beach Games Ltda
Organizational Unit Name (eg, section) []:
Common Name (e.g. server FQDN or YOUR name) []:*.redbeachgames.com
Email Address []:[email protected]
Please enter the following 'extra' attributes to be sent with your certificate request
A challenge password []:
An optional company name []:
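An added example, not the author's original command: one way to generate the private key and the CSR non-interactively with OpenSSL and to check the CSR before sending it to the CA. The subject fields and the file name server.csr come from this page; C=BR, the RSA 2048-bit key and the file name server.key are assumptions.

```shell
#!/bin/sh
# Added example: create a private key plus CSR for the wildcard name and
# check the CSR before pasting it into the CA's form.
set -eu

# Subject fields are the ones shown in the prompts on this page; C=BR is an
# assumption (the Country prompt is not shown), as are RSA-2048 and server.key.
SUBJECT='/C=BR/ST=Rio de Janeiro/L=Niteroi/O=Red Beach Games Ltda/CN=*.redbeachgames.com'

make_csr() {  # make_csr <dir>: writes <dir>/server.key and <dir>/server.csr
  ( umask 077   # the private key must be readable by its owner only
    openssl req -new -newkey rsa:2048 -nodes \
      -keyout "$1/server.key" -out "$1/server.csr" \
      -subj "$SUBJECT" 2>/dev/null )
}

csr_common_name() {  # the name the CA will be asked to certify
  openssl req -in "$1" -noout -subject | sed 's/.*CN *= *//'
}

csr_is_valid() {  # the CSR is signed with its own key; confirm that signature
  # Match the message rather than rely on the exit status, which some
  # OpenSSL versions leave at 0 on failure.
  openssl req -in "$1" -noout -verify 2>&1 | grep -q 'verify OK'
}

csr_matches_key() {  # csr_matches_key <csr> <key>: same public key in both?
  [ "$(openssl req -in "$1" -noout -pubkey)" = "$(openssl pkey -in "$2" -pubout)" ]
}

# Work in a scratch directory so an existing server.key is never overwritten.
out=$(mktemp -d)
make_csr "$out"
if csr_is_valid "$out/server.csr" && csr_matches_key "$out/server.csr" "$out/server.key"
then echo "CSR for $(csr_common_name "$out/server.csr") ready: $out/server.csr"
else echo "CSR check failed" >&2; exit 1
fi
```

Only server.csr goes to the CA. server.key stays on your machine and is the key your web server is later configured with, together with the certificate the CA returns.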
3) Send your CSR to your CA
This step is usually pretty simple. The company from which you bought the SSL certificate (the CA or its representatives like Domain Providers - GoDaddy, Namecheap,...) will usually ask you to upload the CSR or simply paste its content on its page.
If you used the command above, your CSR will be the file server.csr.
4) Configure your web server to use the SSL Certificate
Each server has its own way of being configured to use SSL, so I suggest that you check your server provider's instructions.
If you are using a Windows Azure Website, you can find the instructions here.
That is it. I hope that you find this tutorial useful. If you want to know more about a specific tech/mobile topic, just let me know in the comments.
SSL on Azure Web sites: http://www.windowsazure.com/en-us/documentation/articles/web-sites-configure-ssl-certificate/
CSR generation on different systems:
https://support.comodo.com/index.php?_m=knowledgebase&_a=view&parentcategoryid=33