Using StartSSL for Free Signed Certificates

For a long time now, i’ve used self-signed certificates to provide HTTPS access to my personal websites (including this one!), however, this does get on my nerves with the general nagging that browsers tend to do. Also, it breaks IMAP access on my PS Vita (I run my own mail server).

The other day, on my hunt for a free certificate provider, I found StartSSL which seems to do the job (and is accepted by all browsers, devices I have tested with so far). There’s a few steps to get going with StartSSL, the first being that you must obviously have control over the root domains you want certificates for and the ability to edit where email is going for them.

1. Signing up for StartSSL is relatively straightforward although to access the site, it provides you with a Client Certificate for your browser rather than relying on the traditional user/password method. This means if you wish to access from another browser, you need to import the certificate to that system.

2. Next, you will need to validate your domains are yours before you can create certificates for them. There’s a wizard for this but two things to note, validations are only valid for 30 days, so make sure you create all your certs in that time. Secondly, you must have control of one of the following email accounts on your domain to receive the validation links that are sent.

    [email protected]
    [email protected]
    [email protected]
   

3. Once validated, you can start creating certificates for your domain. Again, there is another wizard to accomplish this! There are two options for creating certs here. You can either provide a CSR to be signed (a method which I didn’t try) or generate the key and cert on StartSSL wholly. As I used the latter, I’ll walk through it. It’s important to note that certificates generated by StartSSL are only valid for 1 year before renewal.

   Using the StartSSL method, it will ask for a password to generate a Private Key. I used the default settings provided by the wizard for this. The key will be provided as text on the page so save it somewhere as something like ssl.key. Next, you will need to provide the subdomain you wish to create the certificate from and submit for approval. This was instant for the first certificate I created however I had to wait for approval for the rest (they say it can take up to 3 hours but it usually came back in 10 minutes). All certificates are also provided as plain text on the page and are available to download from the StartSSL control panel. I advise saving as ssl.crt to help follow the rest of these instructions better.

4. So now we’ve got a certificate and key, what do we do with it? I’ve used nginx as my web server and the following instructions show how to get the certs working with it (Note: I’ve stolen these from the StartSSL website to have everything in one place).

   First we decrypt the key with the password we used to create it

    openssl rsa -in ssl.key -out ssl.key.dec
   

   Next grab the CA and sub-CA certs for StartSSL as we need to include them

    wget http://www.startssl.com/certs/ca.pem
    wget http://www.startssl.com/certs/sub.class1.server.ca.pem
   

   Next we combine all of the certificates into one cert so the whole certificate chain is available.

    cat ssl.crt sub.class1.server.ca.pem ca.pem > ssl-unified.crt
   

5. Finally, we configure in nginx

    ssl on;
    ssl_certificate /path/to/ssl-unified.crt;
    ssl_certificate_key /path/to/ssl.key.dec;
   

Helpful tip for when it comes around to renewal time, you can use the following command to generate a CSR based on your current key and certificate for renewal.

openssl x509 -x509toreq -in certificate.crt -out CSR.csr -signkey privateKey.key