StartCom
NOTE: THIS IS NOW DEPRECATED, see SSL certificate instructions instead. Browser support for StartCom was dropped in 2017 after they were acquired by Chinese WoSign.
I am using free certificates from StartCom, http://startssl.com/ They have a 1-year validity and therefore require annual renewal.
INSTRUCTIONS
1) browse to https://www.startssl.com 2) click on Control Panel, Authenticate
If the browser does not already have a valid certificate to identify you (from a previous session), you will not be authenticated. To get a new certificate to identify you: Click Sign-up and re-enter details. Use [email protected] (or other valid domain). You'll get a code to verify email, use it. Then, you might have to wait to get the browser certificate. You will receive a link and a passcode; click the link and enter the passcode and a cert will be installed in the browser. You can back this cert up, but honestly it's only good for a year and more often it ends up of not much reuse value. I try to stick with wimpy-windows firefox, and sometimes the key is cached and reworks.
3) From the Control Panel, validate each domain through the Validation wizard. Requires email confirmation with webmaster@____
Do domain name validations for these four base domain names: x ssl.thedigitalmachine.com x ssl.thedigitalage.org x ssl.abettersoftware.com x ssl.bitpost.com
4) Create web server SSL/TLS Certificates
It's easy enough to let startssl generate the keys (but do it locally if you have time? see below)... pw = (see private.txt) keysize = high (4096) algo = SHA1 (Default) generate private... save as ~m/config/StartCom/(site)/(year, eg 2014-)/ssl.withpassword.key create no-password key with: openssl rsa -in ssl.withpassword.key -out ssl.key wait for email re: approval, then get ssl.crt from toolbox, save to same place x ssl.abettersoftware.com x ssl.bitpost.com x ssl.thedigitalmachine.com x ssl.thedigitalage.org Put new ones here (eg): /home/m/config/StartCom/bitpost.com/2014-/ Ideally we'd make them readable ONLY by apache, but I am keeping a backup in git, so use: sudo chmod -R 770 *
5) Update apache to use new certs
a) stop apache b) move existing certs in /home/m/config/StartCom/(domain)/ out to (eg) (domain)/2013-/... (this may not be needed if a copy is already there) c) move new certs from (eg) /2014-/... up one dir to the base (where apache is looking) d) restart apache and make sure it's happy (watch startup warnings, browse to each site)
NOTE here is what Apache needs: SSLCertificateFile /home/m/config/StartCom/bitpost.com/ssl.crt SSLCertificateKeyFile /home/m/config/StartCom/bitpost.com/server.key SSLCertificateChainFile /home/m/config/StartCom/sub.class1.server.ca.pem SSLCACertificateFile /home/m/config/StartCom/ca.pem.crt
MORE NOTES
ALL 4 DOMAINS ARE NOW SYNCED for renewal in AUGUST/SEPT, try to remember dude of course any new domains are going to be out of sync, pita, cest la vie
here, we store common docs:
browser_cert_install_first.p12 the browser cert that lets you log in to https://startssl.com
ca.pem.crt sub.class1.server.ca.pem the official certs for StartCom level 1 you can get these from Control Panel->Tool Box->StartCom CA certificates
GENERATING YOUR OWN KEYS
Note that you can generate your own keys. Generally not worth it tho, I trust StartCom, and you have to give them the key anyway. Plus, all the extra info you add to the key is discarded by StartCom since it's an unvalidated owner (ie free). But for completeness, here's old notes on how to do it... (should it still be des3??)
server.key generated with:
openssl genrsa -des3 -out server.key 2048
CSR generated as follows:
--- m@thedigitalmachine ~/config/StartCom/abettersoftware.com $ openssl req -new -key server.key -out server.csrEnter pass phrase for server.key: You are about to be asked to enter information that will be incorporated into your certificate request. What you are about to enter is what is called a Distinguished Name or a DN. There are quite a few fields but you can leave some blank For some fields there will be a default value, If you enter '.', the field will be left blank.
Country Name (2 letter code) [AU]:US State or Province Name (full name) [Some-State]:NC Locality Name (eg, city) []:Raleigh Organization Name (eg, company) [Internet Widgits Pty Ltd]:A better Software Organizational Unit Name (eg, section) []: Common Name (eg, YOUR name) []:Michael Behrns-Miller Email Address []:[email protected]
Please enter the following 'extra' attributes to be sent with your certificate request A challenge password []: An optional company name []: ---
then that gets pasted into StartCom form under the Certificates Wizard on the control panel note from the form:
All content of the certificate signing request is ignored except its public key.