BAH THEY DONE FUCKED UP

  • StartCom sold out and let WoSign buy them up
  • WoSign backdated certs to get them grandfathered for some dumb reason
  • Mozilla and Google and Apple caught them and dropped support for them
  • alternativeto.net/software/startssl pointed me to Let’s Encrypt – LOOKS GOOD
  • there is also https://www.sslforfree.com/ which is a layer around Let’s Encrypt (no need? we’ll see…)

The king is dead, long live the king!

  • Whoa… it uses a BOT… from EFF.  Yay!
  • Whoa… certs are only good for 90 days!  Time to automate renewal!

Let’s take this to the wiki

 

There is only one way I know of to get free functional legitimate SSL encryption for your web server, and that’s through StartCom’s StartSSL service. You can get a free “class 1” certificate that will work out of the box in Firefox and Safari. Microsoft hasn’t added StartCom to IE, so people browsing to your site will have to specifically add StartCom’s authority certificate (instructions) (or ignore security warnings).

UPDATE: I am told as of Sept ’09, IE will include StartCom, yay! See comments for more…

Every year I have to renew my websites’ certificates, and the process is a bit clunky. Here’s a summary for next time around…

  • Sign up at the site; they will issue an [S/MIME client certificate] and “install it into your browser”; make sure you keep the stupid thing backed up, it’s the ONLY WAY BACK IN to your account! Here are backup instructions from their FAQ:
    Firefox: Select "Preferences" -> "Advanced" -> "Encryption" -> "View Certificates -> Your Certificates" and locate your certificate from the list. The certificate will be listed under StartCom Ltd. with "StartCom Free Certificate Member" as its name if this is your first one. Select the certificate and click on "Backup", choose a name for this backup file, provide a password and save it at a known location. Now you should either burn this file to a CD ROM or save it on a USB stick or smart card. Thereafter delete this file from your computer.
  • Every year, request to renew your S/MIME client certificate, as it expires; back it up to a safe place
  • Request to renew your domain certificate; provide a password; an ssl.key is generated
  • Use openssl to create a no-password key:
    openssl rsa -in ssl.key.passphrase -out ssl.key.nopassphrase
  • Grab the official StartCom certificates from https://www.startssl.com/certs/
    sub.class1.server.ca.pem
    ca.pem
  • WAIT for confirmation of your certificate (you’ll get an email)
  • Return to the website, log in, go to Tool Box -> Retrieve Certificate, save as ssl.crt
  • Set up apache to use ’em!
    
        SSLEngine on
        SSLCertificateFile /path_to_certs/2009-2010/ssl.crt
        SSLCertificateKeyFile /path_to_certs/2009-2010/ssl.key
        SSLCertificateChainFile /path_to_certs/2009-2010/sub.class1.server.ca.pem
        SSLCACertificateFile /path_to_certs/2009-2010/ca.pem
    

That’s the basics but it should be enough to help me through annual renewal. *sigh*…