- The hostname on which the certificate is to be deployed should be known by the client.
- The hostname along with the domain should be known. That would be the FQDN (Fully Qualified Domain Name) of the hostname.
- The FQDN would then be given to a Certificate Authority, along with the Certificate Signing Request. Certificate Authorities include:
  - Comodo SSL (now Sectigo)
  - Sectigo SSL
  - DigiCert SSL
  - Symantec SSL
  - RapidSSL
  - GeoTrust SSL
  - Thawte SSL
- The Certificate Signing Request has to be generated by the admin of the server.
- The certificate should not be self-signed by organizations; rather, it should be bought from a Certificate Authority.
- The certificate could be Domain Validated, Organization Validated, or Extended Validation. The latter two take longer to issue, but they are more authentic. Read more here: https://neilpatel.com/blog/ssl-certificate-guide/
- Please make sure that the certificate to be bought is TLS 1.2 enabled, supports TLS 1.3, and has at least AES_GCM algorithm support for server validation.
- Once you get the certificate, you would receive a zip file containing (*.pem, *.key and/or *.cert / *.crt along with *.key). Other formats could easily be generated from a combination of these files.
- The client could also choose to go for wildcard certificates, which means one keeps the domain name constant and can deploy one certificate to many machines / hostnames. Its FQDN is usually *.DomainName.com
One could read more about Certificates here.
https://www.cloudflare.com/learning/ssl/types-of-ssl-certificates/
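
The CSR step and the check of the files returned by the Certificate Authority, as an added example that is not part of the original page. The function names, the file naming scheme and the RSA 2048 key size are assumptions, and `host.example.com` is a placeholder FQDN.

```shell
#!/bin/sh
# Added example (not from the original page). Requires OpenSSL 1.1.1 or newer.
# Function names, file names and the RSA 2048 key size are assumptions.

# make_csr FQDN OUTDIR
# Creates OUTDIR/FQDN.key (stays on the server) and OUTDIR/FQDN.csr (sent to the CA).
make_csr() {
    (
        umask 077   # the private key must not be readable by other users
        openssl req -new -newkey rsa:2048 -nodes \
            -keyout "$2/$1.key" -out "$2/$1.csr" \
            -subj "/CN=$1" \
            -addext "subjectAltName=DNS:$1" 2>/dev/null
    )
}

# csr_names CSR
# Prints the subject and DNS names so the FQDN can be confirmed before submission.
csr_names() {
    openssl req -in "$1" -noout -text | grep -E 'Subject:|DNS:'
}

# pubkey_hash key|csr|cert FILE
# SHA-256 of the DER-encoded public key inside a private key, CSR or certificate.
pubkey_hash() {
    case "$1" in
        key)  pem=$(openssl pkey -in "$2" -pubout 2>/dev/null) ;;
        csr)  pem=$(openssl req  -in "$2" -noout -pubkey 2>/dev/null) ;;
        cert) pem=$(openssl x509 -in "$2" -noout -pubkey 2>/dev/null) ;;
        *)    echo "usage: pubkey_hash key|csr|cert FILE" >&2; return 2 ;;
    esac || return 1
    printf '%s\n' "$pem" | openssl pkey -pubin -outform DER \
        | openssl dgst -sha256 -r | cut -d' ' -f1
}

# same_key KEYFILE csr|cert FILE
# Succeeds only when FILE carries the public half of KEYFILE. Run it on the
# *.crt / *.pem from the CA's zip file before deploying it next to the *.key.
same_key() {
    a=$(pubkey_hash key "$1") || return 1
    b=$(pubkey_hash "$2" "$3") || return 1
    [ -n "$a" ] && [ "$a" = "$b" ]
}
```

Typical use: `make_csr host.example.com /etc/ssl/private`, review `csr_names` output, submit the `.csr`, and later run `same_key host.example.com.key cert host.example.com.crt` on the issued file.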