Self signed and trusted SSL certificates
Keeping it simple, HTTPS is a combination of the HTTP and SSL/TLS protocols, which provides encryption while authenticating the server. The main idea is to create a secure channel over an insecure network, ensuring "reasonable" protection from eavesdroppers and man-in-the-middle attacks.
HTTPS assumes that special CA (Certificate Authority) certificates are pre-installed in web browsers. If your SSL certificate is not signed by one of these CA's, the browser will display a warning:
TurnKey appliances generate self signed certificates on first boot to provide an encrypted traffic channel, but because the certificates are not signed by a trusted CA, the warning is displayed. In most cases, this is acceptable. If it's not, go get a signed certificate.
Authoritatively signed certificates
Authoritatively signed certificates can be costly, for example, Verisign (the most well known CA) charges $1,499 per year for their recommended certificate. There are cheap alternatives (I recently purchased a certificate from Go Daddy for $12.99) as well as a couple of free providers.
Generate key and CSR
First up is to create a certificate key and a
certificate signing request (CSR). This can be done with OpenSSL.
Submit the CSR
The above will generate two files, www_example_com.key and www_example.com.csr.
Once you have signed up for an authoritatively signed certificate, you will be requested to upload the CSR file or its contents.
Verify the request
The signing authority will need to verify the validity of the request and that it was submitted by the entity to which the domain in the request is registered, usually done by contacting the administrative contact for the domain.
Further steps may be required when requesting an Extended Validation (EV) certificate, which color the address bar green in recent browsers.
Download signed certificate
After validation, your signed certificate (crt) will be available for download. Most likely your signing authority will include an intermediate CA certificate bundle (trust chain).
Note: you should make a backup of all SSL related files.
Generate PEM and placement
Generate the pem from the key and crt
Place the generated pem and intermediate bundle (eg. bundle.crt) in /etc/ssl/certs/, and make them read-only to root.Source: www.turnkeylinux.org