Obtaining a certificate

The default method to obtain a digital certificate for your organization, start-up, or website is to pay a certificate authority provider to verify your identity and issue a certificate. As we mentioned earlier, there are multiple certificate authority providers. A list of the most popular providers can be found on Wikipedia at: https://en.wikipedia.org/wiki/Certificate_authority#Providers

There are also certificate authorities that provide the service for free. For example, in 2016, the Mozilla Foundation along with the Electronic Frontier Foundation and the University of Michigan collaborated to found a certificate authority called Let's Encrypt, which can be found at: https://letsencrypt.org/. Let's Encrypt is a free service that performs the validation, signing, and issuing of certificates in an automated fashion.

That sounds great. However, what if we just want to test a local web application, such as the events microservice we built in the preceding chapter? In this case, we will need a more straightforward way to generate certificates that we can work and test with. Later, when we deploy to production, we can use a trusted certificate authority to issue certificates for us that will be respected by web browsers and clients connected to the internet.

The straightforward approach to generating certificates for our testing, in this case, would be to manually create our own certificates and self-sign them. The advantage of this is that we can generate numerous certificates to use in our internal testing without going through a verification process. The disadvantage, however, is that any third-party web clients, such as web browsers, that try to connect to our web applications via our self-signed certificates will not recognize the issuer of those certificates and hence will generate a lot of warnings before allowing us to proceed.

To generate our newly minted self-signed digital certificates, we will need to use specialized tools that understand the algorithms well enough to create the necessary outputs. Remember that in order to initiate an HTTPS session, we need the following:

  • A digital certificate, which will contain the following:
    • A public key that can be shared with other parties.
    • The server name or domain name that owns the certificate.
    • The issuer of the certificate. In the case of a self-signed certificate, the issuer would just be us. In the case of a certificate issued by a trusted certificate authority, the issuer will be the CA.
  • A private key that we need to keep secret and not share with anyone.
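
The pieces listed above can be produced and checked with Go's standard library. The following is an added example, not code from the book: the host name `localhost`, the one-day lifetime, the time-based serial number, and the function names `selfSigned` and `verify` are assumptions made for the illustration.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// selfSigned makes a key pair and a certificate for host; tmpl is its own parent, so the issuer is us.
func selfSigned(host string) (*x509.Certificate, *ecdsa.PrivateKey, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader) // private key: never share
	if err != nil {
		return nil, nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(time.Now().UnixNano()),
		Subject:      pkix.Name{CommonName: host},
		DNSNames:     []string{host}, // server name that clients match against
		NotBefore:    time.Now().Add(-time.Minute),
		NotAfter:     time.Now().Add(24 * time.Hour), // short lifetime: testing only
		ExtKeyUsage:  []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return nil, nil, err
	}
	cert, err := x509.ParseCertificate(der)
	return cert, key, err
}

func verify(cert *x509.Certificate, host string, roots *x509.CertPool) error {
	_, err := cert.Verify(x509.VerifyOptions{DNSName: host, Roots: roots}) // as a TLS client would
	return err
}

func main() {
	cert, _, err := selfSigned("localhost")
	if err != nil {
		panic(err)
	}
	pinned := x509.NewCertPool()
	pinned.AddCert(cert) // a test client told explicitly to trust this certificate
	fmt.Println(cert.Issuer, "unknown to client:", verify(cert, "localhost", x509.NewCertPool()))
	fmt.Println(cert.Issuer, "pinned by client: ", verify(cert, "localhost", pinned))
}
```

The first check fails because the client has no record of the issuer, which is the condition browsers report as a warning; the second succeeds only because the test client was handed the certificate as a trusted root.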