There is only one way I know of to get free functional legitimate SSL encryption for your web server, and that’s through StartCom’s StartSSL service. You can get a free “class 1” certificate that will work out of the box in Firefox and Safari. Microsoft hasn’t added StartCom to IE, so people browsing to your site will have to specifically add StartCom’s authority certificate (instructions) (or ignore security warnings).

UPDATE: I am told as of Sept ’09, IE will include StartCom, yay! See comments for more…

Every year I have to renew my websites’ certificates, and the process is a bit clunky. Here’s a summary for next time around…

  • Sign up at the site; they will issue an [S/MIME client certificate] and “install it into your browser”; make sure you keep the stupid thing backed up, it’s the ONLY WAY BACK IN to your account! Here are backup instructions from their FAQ:
    Firefox: Select "Preferences" -> "Advanced" -> "Encryption" -> "View Certificates -> Your Certificates" and locate your certificate from the list. The certificate will be listed under StartCom Ltd. with "StartCom Free Certificate Member" as its name if this is your first one. Select the certificate and click on "Backup", choose a name for this backup file, provide a password and save it at a known location. Now you should either burn this file to a CD ROM or save it on a USB stick or smart card. Thereafter delete this file from your computer.
  • Every year, request to renew your S/MIME client certificate, as it expires; back it up to a safe place
  • Request to renew your domain certificate; provide a password; an ssl.key is generated
  • Use openssl to create a no-password key:
    openssl rsa -in ssl.key.passphrase -out ssl.key.nopassphrase
  • Grab the official StartCom certificates from https://www.startssl.com/certs/
    sub.class1.server.ca.pem
    ca.pem
  • WAIT for confirmation of your certificate (you’ll get an email)
  • Return to the website, log in, go to Tool Box -> Retrieve Certificate, save as ssl.crt
  • Set up apache to use ’em!
        SSLEngine on
        SSLCertificateFile /path_to_certs/2009-2010/ssl.crt
        SSLCertificateKeyFile /path_to_certs/2009-2010/ssl.key
        SSLCertificateChainFile /path_to_certs/2009-2010/sub.class1.server.ca.pem
        SSLCACertificateFile /path_to_certs/2009-2010/ca.pem

That’s the basics but it should be enough to help me through annual renewal. *sigh*…
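To catch the usual renewal mistakes before restarting Apache (a key that still carries its passphrase, a key that does not belong to the new ssl.crt, a chain file that does not actually lead to ca.pem, or a certificate about to expire), here is a small checker, added as an example and not part of the original post or of StartCom's tooling. It assumes only the openssl command line; the root/intermediate/server chain it generates under the post's file names is constructed test data, not StartSSL's certificates.

```shell
#!/bin/sh
# Pre-deployment checks for the ssl.crt / ssl.key / sub.class1.server.ca.pem
# / ca.pem set used in the Apache config above. Added example, not StartCom's
# tooling; needs only the openssl CLI.

# check_ssl_bundle CRT KEY CHAIN CA: return 0 only if every check passes.
check_ssl_bundle() {
  crt=$1; key=$2; chain=$3; ca=$4; rc=0
  # 1. The key must load with no passphrase, or Apache prompts at every start.
  openssl rsa -in "$key" -noout -passin pass: >/dev/null 2>&1 \
    || { echo "FAIL: $key is passphrase-protected or unreadable"; rc=1; }
  # 2. The key must belong to the certificate: compare the public keys.
  kpub=$(openssl pkey -in "$key" -pubout -passin pass: 2>/dev/null)
  cpub=$(openssl x509 -in "$crt" -noout -pubkey 2>/dev/null)
  { [ -n "$kpub" ] && [ "$kpub" = "$cpub" ]; } \
    || { echo "FAIL: $key does not match $crt"; rc=1; }
  # 3. The certificate must chain through the intermediate to the root.
  openssl verify -CAfile "$ca" -untrusted "$chain" "$crt" >/dev/null 2>&1 \
    || { echo "FAIL: $crt does not verify via $chain to $ca"; rc=1; }
  # 4. Flag a certificate with under 30 days left (the annual renewal trap).
  openssl x509 -in "$crt" -noout -checkend 2592000 >/dev/null 2>&1 \
    || { echo "FAIL: $crt expires within 30 days or has already expired"; rc=1; }
  [ "$rc" -eq 0 ] && echo "OK: $crt, $key and the chain are consistent"
  return "$rc"
}

# make_demo_pki DIR DAYS: constructed root -> intermediate -> server chain
# using the post's file names; the server cert is valid for DAYS days.
make_demo_pki() {
  d=$1; days=$2; mkdir -p "$d"
  printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=keyCertSign,cRLSign\n' >"$d/ca.ext"
  for n in root sub ssl; do
    openssl req -newkey rsa:2048 -nodes -subj "/CN=demo-$n" \
      -keyout "$d/$n.key" -out "$d/$n.csr" 2>/dev/null
  done
  openssl x509 -req -in "$d/root.csr" -signkey "$d/root.key" -days 3650 \
    -extfile "$d/ca.ext" -out "$d/ca.pem" 2>/dev/null
  openssl x509 -req -in "$d/sub.csr" -CA "$d/ca.pem" -CAkey "$d/root.key" \
    -CAcreateserial -days 1825 -extfile "$d/ca.ext" -out "$d/sub.class1.server.ca.pem" 2>/dev/null
  openssl x509 -req -in "$d/ssl.csr" -CA "$d/sub.class1.server.ca.pem" \
    -CAkey "$d/sub.key" -CAcreateserial -days "$days" -out "$d/ssl.crt" 2>/dev/null
}

# Demo: a fresh one-year bundle passes; one with 10 days left gets flagged.
if [ "${1:-}" = "--demo" ]; then
  tmp=$(mktemp -d); make_demo_pki "$tmp/good" 365; make_demo_pki "$tmp/old" 10
  for v in good old; do check_ssl_bundle "$tmp/$v/ssl.crt" "$tmp/$v/ssl.key" \
    "$tmp/$v/sub.class1.server.ca.pem" "$tmp/$v/ca.pem"; done; rm -rf "$tmp"
fi
```

Run it as `sh check.sh --demo` to see both outcomes, or source it and call check_ssl_bundle on the real 2009-2010 files before touching the Apache config.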

4 Comments

  1. David says:

    As of the end of September 2009, Microsoft has added support for the StartSSL root certificate (including enabling it for EV, if you have an EV StartSSL certificate).

  2. […] virtual hosting restrictions. I do a LOT with my one little IP and my one little server (including truly free truly legit SSL), but I cannot host more than one SSL virtual site on port 443. Just “the way things […]

  3. Marisa Soroa says:

    I have to tell you that it’s hard to find your posts in google, I found this one on the 11th spot, you should build some quality backlinks in order to rank your site, I know how to help you, just search in google – k2 seo tips and tricks
