There is only one way I know of to get free functional legitimate SSL encryption for your web server, and that’s through StartCom’s StartSSL service. You can get a free “class 1” certificate that will work out of the box in Firefox and Safari. Microsoft hasn’t added StartCom to IE, so people browsing to your site will have to specifically add StartCom’s authority certificate (instructions) (or ignore security warnings).
UPDATE: I am told as of Sept ’09, IE will include StartCom, yay! See comments for more…
Every year I have to renew my websites’ certificates, and the process is a bit clunky. Here’s a summary for next time around…
- Sign up at the site; they will issue an [S/MIME client certificate] and “install it into your browser”; make sure you keep the stupid thing backed up, it’s the ONLY WAY BACK IN to your account! Here are backup instructions from their FAQ:
Firefox: Select "Preferences" -> "Advanced" -> "Encryption" -> "View Certificates -> Your Certificates" and locate your certificate from the list. The certificate will be listed under StartCom Ltd. with "StartCom Free Certificate Member" as its name if this is your first one. Select the certificate and click on "Backup", choose a name for this backup file, provide a password and save it at a known location. Now you should either burn this file to a CD ROM or save it on a USB stick or smart card. Thereafter delete this file from your computer. - Every year, request to renew your S/MIME client certificate, as it expires; back it up to a safe place
- Request to renew your domain certificate; provide a password; an ssl.key is generated
- Use openssl to create a no-password key:
openssl rsa -in ssl.key.passphrase -out ssl.key.nopassphrase - Grab the official StartCom certificates from https://www.startssl.com/certs/
sub.class1.server.ca.pem
ca.pem - WAIT for confirmation of your certificate (you’ll get an email)
- Return to the website, log in, go to Tool Box -> Retrieve Certificate, save as ssl.crt
- Set up apache to use ’em!
SSLEngine on SSLCertificateFile /path_to_certs/2009-2010/ssl.crt SSLCertificateKeyFile /path_to_certs/2009-2010/ssl.key SSLCertificateChainFile /path_to_certs/2009-2010/sub.class1.server.ca.pem SSLCACertificateFile /path_to_certs/2009-2010/ca.pem
That’s the basics but it should be enough to help me through annual renewal. *sigh*…
