#free ssl certificate
No more self-signed certificates
Typically for a low volume site where verified identity is not import one would use a self-signed certificate for SSL. Unfortunately these triggers security warnings in browsers and require you to recognise/remember checksums to prevent man-in-the-middle attacks when accessing your own servers over HTTPS.
StartSSL offers free domain verified SSL server certificates which work pretty much everywhere. The only real downside is they have a 1 year expiry. This means you need to create a new one every year rather than say a 10 year self-signed certificate which will probably last the life of your server.
These free certificates are also chained which means configuration can be a little tricky as there are a few traps you can fall into. If you don t setup the chain correctly on your server you can run into compatibility issues with clients that may not be immediately obvious. These include either forgetting to setup the chain or creating the links in the wrong order. With either of these errors I myself could still access the site fine.
And that s where this post comes in. I need to setup a couple of new certificates and this time I m making notes on on the steps I m taking, referencing my existing setup as I go. At worst I ll save some time next year when I have to renew these certificates. Hopefully you ll find this useful as well.
Setting it all up
I run Debian stable on my servers. At the time of writing this is Debian Lenny with Apache 2.2.9. Substitute example.com for your domain name where applicable.
Authenticating with StartSSL
Note: As of the time of writing, Chrome has some issues with SSL client certificates which will cause you problems. I recommend using Safari (or Firefox if that s your thing).
If this is your first time using StartSSL. you ll need to create an account. Click on Control Panel and then on Sign-up. Fill out all the details and you ll get an SSL client certificate which you use to authenticate with the website.
The client certificate expires after a year so you ll have to create a new one when it comes time to renew your server certificate. StartSSL will send you an email when both are coming up for renewal. To create a new client certificate, first reverify your email address under Validations Wizard: Email Address Validation and then create a new certificate under Certificates Wizard
Requesting a server certificate
Validations Wizard: Domain Name Validation
Certificates Wizard: Web Server SSL/TLS Certificate
Pick the CSR option when prompted and upload the contents of example.com.csr. You will also be prompted for a hostname underneath your domain. I run a no-www shop so I used my server s hostname ( host.example.com ). If you want to run www.example.com. enter www here.
As of this point the .csr file is no longer required and can be removed. Alternatively you could generate a CSR with a longer expiry and reuse it next year.
And now we wait for certificate to be issued. This usually happens within the half hour. When you receive the certificate signing confirmation email, download the following certificates:
- Toolbox Retrieve Certificate: You will see your newly created certificate. Save it as example.com.crt .
- Toolbox StartCom CA Certificates: Download StartCom Root CA (PEM encoded) (ca.pem )
- Toolbox StartCom CA Certificates: Download Class 1 Intermediate Server CA (sub.class1.server.sha2.ca.pem )
Copy the .crt. key and .pem files to /etc/apache2/ssl on your server.
Run the following commands as root:
Edit /etc/apache2/sites-available/ssl and add the following within the VirtualHost block:
At this point you ll want to configure the rest of Apache for SSL if you haven t already.
Check that your Apache config parses as valid:
And then restart Apache with the new config:
Verifying everything worked
Run the following after restarting Apache to check the certificate chain:
You should see something like:
A depth of 2 and a return value of 0 is good. If the certificate chain is wrong, you ll probably see something like:
Hosting email services over SSL
I have one host setup to send and receive email using Exim 4 for SMTP and Courier for IMAP. To have these services use your new SSL certificate, point them to your existing certificate files:
Outlook and Outlook Express are both fairly broken but fortunately I found some workarounds. You ll want to set the following config option for Exim (in /etc/exim4/conf.d/main/03_exim4-config_tlsoptions if you are using split configuration on Debian):
Outlook does not work properly with the altname in the certificate. You may have to use the servers hostname ( host.example.com ) rather than the domain name ( example.com ).