StartSSL.md

How to get a free StartSSL.com SSL certificate

I'm writing this up from memory, so errors may appear.

Start

1. Go to http://www.startssl.com/
2. Click on 'Control Panel'
3. Click 'Express Lane'

Identity validation

4. Fill in the form, submit
5. Check your email for the validation code, enter it, submit
6. You'll get a client-side certificate, valid for 1 year, installed in your browser's storage. Think of it as your StartSSL account password. Make a backup.

Domain validation

7. Enter your domain name
8. Choose which email address you'll want to validate (postmaster@, hostmaster@, or webmaster@)
9. Check your email for the validation code, enter it, submit

Certificate generation

10. Skip the generation step on the startssl website because you'll do it on your server directly
11. On your Linux machine, create a req.cfg for OpenSSL so you won't have to answer questions repeatedly:

[ req ]
default_bits            = 2048
default_keyfile         = privkey.pem
distinguished_name      = req_distinguished_name
prompt                  = no

[ req_distinguished_name ]
countryName                     = LT
stateOrProvinceName             = .
localityName                    = Vilnius
organizationName                = Vardenis Pavardenis
organizationalUnitName          = .
commonName                      = example.com
emailAddress                    = [email protected]

12. openssl req -config req.conf -newkey rsa:2048 -nodes -keyout subdomain.example.com.pem -out subdomain.example.com.csr
13. chmod 600 subdomain.example.com.pem -- this is your private key, keep it secret!
14. copy the text from subdomain.example.com.csr into the StartSSL web form, submit
15. choose the validated domain from step 7 (example.com), choose the desired subdomain
16. copy the text of the certificate into a file called subdomain.example.com.crt

Installing the certificate into Apache on Ubuntu/Debian systems

17. copy/move subdomain.example.com.crt into /etc/ssl/certs/ on your web server
18. copy/move subdomain.example.com.pem into /etc/ssl/private/ on your web server
19. download https://www.startssl.com/certs/sub.class1.server.ca.pem
20. copy/move the downloaded sub.class1.server.ca.pem into /etc/ssl/certs/startssl-class1-intermediate.crt
21. put this in your Apache config (e.g. inside a <VirtualHost *:443> directive):

    SSLCertificateFile /etc/ssl/certs/subdomain.example.com.crt
    SSLCertificateKeyFile /etc/ssl/private/subdomain.example.com.pem
    SSLCertificateChainFile /etc/ssl/certs/startssl-class1-intermediate.crt

22. sudo a2enmod ssl
23. sudo apache2ctl configtest && sudo apache2ctl graceful

Verification

24. openssl s_client -connect subdomain.example.com:443 -servername subdomain.example.com -CApath /etc/ssl/certs < /dev/null
25. visit https://www.ssllabs.com/ssltest/analyze.html and test it there too

Certificates for multiple subdomains

26. Be sure to edit /etc/apache2/ports.conf and make sure it contains NameVirtualHost *:443
27. Go to startssl.com, click 'Control Panel', choose the 'Certificate Wizard' tab, ask for a new web server certificate.
28. Generate a new CSR and a new certificate, install it as per the above (steps 10--25).

Notes:

• this requires SNI, which means users stuck with Windows XP or Internet Explorer 6 will not be able to see the right certificates and may get scary security warnings
• to get a wildcard certificate or a single certificate valid for multiple subdomains you have to perform Class 2 identity verification (i.e. send StartSSL $59.90 and also scans of two different valid photo IDs, e.g. passport and driver's licence)

Certificates for multiple domains

Same as above, except you also need to perform domain validation again.