These days, pretty much every website has to use Secure Socket Layer or SSL technology to secure network traffic, but it wasn't always this case. In 2016, 14% of popular websites forced HTTPS connections, but a year later, that number had already more than doubled to 31%. Today, more than half of websites require HTTPS to be used when making a connection, which allows data sent back and forth to travel in a secure manner, using an encrypted connection that no adversary can listen in on.

It's hard to know where to start with an introduction to this material, but I'll be making references to the family of standards used in SSL, which are called the Public-Key Cryptography Standards (PKCS).

I've read a few textbooks to try and better understand SSL, and the place I felt it was explained best was Chapter 8.6 of the "Computer Networking: A Top-Down Approach (7th Edition)" by James F. Kurose and Keith W. Ross.


There are two common ways to encode the files containing certificates and keys:

  1. Privacy Enhanced Mail or PEM encoding, which uses a base-64 ASCII encoding of the ASN.1 format. Its implementation was specified in RFC 7468.

  2. Distinguished Encoding Rules or DER encoding, which is the shortest possible binary representation of the underlying cryptographic data. Much like PEM encoding, it too uses the ASN.1 format.




This is a walkthrough for creating certificate signing requests (CSRs) using either gpgsm or openssl.

Creating a Certificate Signing Request require a key. This key can be encoded in a variety of formats, including PKCS #1 and PKCS #8. using openssl

# Using PKCS #1 private key
openssl req -new -key id_pkcs1 > REQUEST.CSR

# Using PKCS #8 private key
openssl req -new -key id_pkcs8 > REQUEST.CSR

If this certificate was ever compromised, you would issue a revocation certificate. I'm not sure what you do next, however, it's unclear to me whether you'd want to update a certificate revocation list or to update the certificate authority's responder facilitating Online Certificate Status Protocol (OCSP) transmissions.


The certbot command, provided by GNU Let's Encrypt, allows you to obtain a signature for use with SSL. You can either allow the certbot program to create its own private key locally, or provide one manually. certbot can submit a Certificate Signing Request or CSR to a Certificate Authority or CA.

After you've done this, you'll receive three files

Go ahead and delete the first two, you'll only need 0001_chain.pem, which is a simple concenation of the previous two files. It's the combination of the server certificate and the intermediate certificate, which when used together, allow you to verify your identity

rm 0000_cert.pem 0000_chain.pem
mv 0001_chain.pem fullchain.crt