Not so good if you’re developing an SSL site on a development domain - for which CAcert certificates are precisely what the doctor ordered.
So how do you add the root certificates back into your development machine in the correct manner (and in particular avoid the cardinal sin of shipping an entirely parallel set of root certificates with your application)?
The signing authority will need to verify the validity of the request and that it was submitted by the entity to which the domain in the request is registered, usually done by contacting the administrative contact for the domain.
After validation, your signed certificate (crt) will be available for download.
HTTPS assumes that special CA (Certificate Authority) certificates are pre-installed in web browsers. Authoritatively signed certificates can be costly: for example, Verisign (the best-known CA) charges $1,499 per year for its recommended certificate.
If your SSL certificate is not signed by one of these CAs, the browser will display a warning. TurnKey appliances generate self-signed certificates on first boot to provide an encrypted traffic channel, but because the certificates are not signed by a trusted CA, the warning is displayed. There are cheap alternatives (I recently purchased a certificate from Go Daddy for $12.99) as well as a couple of free providers.
First up is to create a certificate key and a certificate signing request (CSR).

    apt-get update
    apt-get install openssl
    # replace bold type with your info
    openssl req -new -newkey rsa:2048 -nodes -out www_example_ -keyout www_example_ -subj "/C=US/ST=Arizona/L=Scottsdale/O=Example Company Inc./CN=

The above will generate two files, www_example_and www_csr.
Once you have signed up for an authoritatively signed certificate, you will be requested to upload the CSR file or its contents.
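
A complete form of the key and CSR step, followed by the checks worth running before the CSR is uploaded. This is an added example, not code from the original page; the base name www_example_test and the CN www.example.test are placeholders, and an openssl binary on the PATH is assumed.

```shell
#!/usr/bin/env bash
# Added example. File base name and CN are placeholders, not values from the page.
set -eu

# make_csr DIR BASE CN: 2048-bit RSA key (unencrypted, because of -nodes) plus CSR.
make_csr() {
    # Subshell keeps the restrictive umask local; the key must not be group/world readable.
    ( umask 077
      openssl req -new -newkey rsa:2048 -nodes \
          -keyout "$1/$2.key" -out "$1/$2.csr" \
          -subj "/C=US/ST=Arizona/L=Scottsdale/O=Example Company Inc./CN=$3" 2>/dev/null )
}

# check_csr CSR KEY CN: pre-submission checks; prints the first failure and returns 1.
check_csr() {
    csr=$1 key=$2 cn=$3
    # The self-signature proves the requester holds the private key. Match the text,
    # because some OpenSSL releases exit 0 even when verification fails.
    openssl req -in "$csr" -noout -verify 2>&1 | grep -q "verify OK" \
        || { echo "signature does not verify"; return 1; }
    # RFC 2253 output lists the CN first, followed by a comma.
    openssl req -in "$csr" -noout -subject -nameopt RFC2253 | grep -qF "CN=$cn," \
        || { echo "unexpected CN"; return 1; }
    bits=$(openssl req -in "$csr" -noout -text \
        | sed -n 's/.*Public-Key: (\([0-9]*\) bit).*/\1/p')
    [ "${bits:-0}" -ge 2048 ] || { echo "key shorter than 2048 bits"; return 1; }
    # The CSR must carry the public half of this private key, not another key's.
    [ "$(openssl req -in "$csr" -noout -pubkey)" = "$(openssl pkey -in "$key" -pubout)" ] \
        || { echo "CSR does not match key"; return 1; }
    # Characters 5-10 of the mode string are the group and other permission bits.
    [ "$(ls -l "$key" | cut -c5-10)" = "------" ] \
        || { echo "key readable by group or others"; return 1; }
    echo "ok"
}

# Demo run in a throwaway directory.
demo_dir=$(mktemp -d)
trap 'rm -rf "$demo_dir"' EXIT
make_csr "$demo_dir" www_example_test www.example.test
check_csr "$demo_dir/www_example_test.csr" "$demo_dir/www_example_test.key" www.example.test
```

Only the .csr file is uploaded to the signing authority; the .key file stays on the server.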