Free SSL Certificates!

Since I set up Drupal, I thought it should be on a secure server.  After all, shouldn't everyone have their own secure server?

I just found a real SSL Certificate for free.  Not the snake oil cert packaged with apache, not from some untrusted CA, but the real deal.  StartSSL gives out free SSL certs.

Now when I go to https://www.pitmon.com and click on the padlock, I get this:

Here's what I did:

  1. Create an account on startssl.com.  (Use FF, since they make you install a certificate in the browser to identify yourself, which isn't supported in Chrome for some reason.)
  2. On the server, create a CSR and key, all in one step:
    • openssl req -new -newkey rsa:2048 -nodes -keyout server.key -out server.csr
  3. Go back to StartSSL and validate the domain (it looks like it picked an email address off the whois record; once selected, that address was sent a confirmation code).
  4. Once the domain is validated, go into Certificates wizard, skip the CSR part, paste the server.csr contents into the page when asked.
  5. It'll ask for a subdomain.  I entered 'www'.
  6. It should give you a certificate.  Copy and paste it into a file (like server.crt).  Also download the two intermediate certificates they have linked.

All that's left is to configure Apache.  Something like this should do the trick:

NameVirtualHost *:443
<VirtualHost *:443>
        SSLEngine On
        # httpd only accepts comments on their own line, never after a directive
        # this is the file from startssl
        SSLCertificateFile /etc/apache2/server.crt
        # this is the file created as part of the CSR
        SSLCertificateKeyFile /etc/apache2/server.key
        # these two are supplied by StartSSL
        SSLCertificateChainFile /etc/apache2/sub.class1.server.ca.pem
        SSLCACertificateFile /etc/apache2/ca.pem
        .. the rest of a normal vhost config ..
</VirtualHost>

StartSSL only gives away Class 1 certificates, which apparently are to be used for individual identification (for email?). However, all the browsers I tried (FF, Chrome, Safari, Links, cURL, even IE) confirmed the identity and the connection was encrypted.  None complained about not recognizing the CA.

Remember to include the SSLCertificateChainFile and SSLCACertificateFile in your config.
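Before reloading Apache it is worth checking that the four files actually belong together: that the public key in server.crt is the one derived from server.key, and that server.crt chains up to ca.pem through the intermediate. The script below is an added example, not part of the original post or of StartSSL's tooling; the function name and the default paths are assumptions that mirror the config above.

```shell
#!/bin/sh
# Added example (not from the original post): sanity-check the key, the
# certificate and the chain files before they go into the Apache config.
#
#   check_ssl_pair server.key server.crt sub.class1.server.ca.pem ca.pem
#
# 1. The public key inside server.crt must equal the public key derived from
#    server.key; a mismatch stops Apache from starting the vhost.
# 2. server.crt must chain up to ca.pem through the intermediate; otherwise
#    clients report an unknown issuer even though the cert itself is fine.
check_ssl_pair() {
  key=$1; crt=$2; chain=$3; ca=$4

  # Both inputs must parse before we compare anything.
  openssl pkey -in "$key" -noout 2>/dev/null || { echo "FAIL: cannot read key $key" >&2; return 1; }
  openssl x509 -in "$crt" -noout 2>/dev/null || { echo "FAIL: cannot read cert $crt" >&2; return 1; }

  # Hash the DER encoding of the public key from each side and compare.
  key_fp=$(openssl pkey -in "$key" -pubout -outform DER 2>/dev/null | openssl dgst -sha256)
  crt_fp=$(openssl x509 -in "$crt" -noout -pubkey 2>/dev/null \
           | openssl pkey -pubin -outform DER 2>/dev/null | openssl dgst -sha256)
  if [ "$key_fp" != "$crt_fp" ]; then
    echo "FAIL: public key in $crt does not match $key" >&2
    return 1
  fi

  # Build the path crt -> intermediate -> root, trusting only ca.pem.
  if ! openssl verify -CAfile "$ca" -untrusted "$chain" "$crt" >/dev/null 2>&1; then
    echo "FAIL: $crt does not chain to $ca via $chain" >&2
    return 1
  fi

  echo "OK: key matches certificate and chain verifies"
  return 0
}

# Stand-alone run against the paths used in the Apache config above.
if [ "${1:-}" = "--run" ]; then
  check_ssl_pair /etc/apache2/server.key /etc/apache2/server.crt \
                 /etc/apache2/sub.class1.server.ca.pem /etc/apache2/ca.pem
fi
```

Run it as `sh check_ssl_pair.sh --run` (or source it and call the function with your own paths); a non-zero exit means one of the two checks failed.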
