Apply for a Free SSL Certificate and Make It Work

I just found that my SSL certificate for this domain expires soon, so I applied for a new one from StartSSL today. Currently, StartSSL is the only website offering free SSL certificates which are trusted by most web browsers. It’s not a good idea to use a self-signed certificate, because web browsers will tell your visitors that the website they are trying to visit is dangerous, which is extremely unfriendly.

The first step is to go to https://www.startssl.com/ and sign up for a free account. This website uses a certificate to log you in instead of a username and password. After you sign up successfully, it generates a certificate and installs it in your web browser. DO REMEMBER TO EXPORT IT from your web browser and store it somewhere you think is safe. I lost my old certificate from StartSSL last year, so I could only sign up for a new account today using a different email.

Simply verify your email address and your ownership of your domain. Then apply for your Web Server SSL/TLS Certificate.

After you click “Continue”, it asks whether you would like it to generate a private key. DO NOT LET IT GENERATE THE PRIVATE KEY FOR YOU! I don’t know why it sometimes doesn’t work (the certificate does not match the private key), while most of the time it does. But if you are unlucky and your case doesn’t work, you can’t apply for a free SSL certificate for the same domain during this 1 year. So we just click the SKIP button, which means we have to generate the CSR file ourselves.

On your server, install OpenSSL, generate a private key, and then generate a CSR file from it.

Paste the content of your server.csr into the website, then choose a subdomain you would like to include in your certificate (e.g. www); the root domain is already included. Then create a server.crt file on your server and paste the certificate you get from StartSSL into that file.

Now your certificate is accepted by most browsers, but sometimes Firefox still gives a certificate error. We need an extra step to avoid this. The following shell script shows this extra step: merge our server certificate with the StartSSL root certificate.
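
An added example (not the original post's script) covering the steps above: generate the key and CSR on the server so the private key never leaves it, confirm that the issued certificate matches that key, and merge it with the CA certificate. `example.com`, the file names and the throwaway CA in `demo` (which stands in for StartSSL so the script runs offline) are assumptions.

```shell
#!/bin/sh
# Added example, not the post's script. example.com, the file names and the
# throwaway CA in demo() are assumptions; demo() stands in for StartSSL.

# Print the PEM public key held in a private key, CSR or certificate.
pubkey_of() {  # $1 = key|req|x509, $2 = file
    case "$1" in
        key)  openssl pkey -in "$2" -pubout ;;
        req)  openssl req  -in "$2" -noout -pubkey ;;
        x509) openssl x509 -in "$2" -noout -pubkey ;;
        *)    return 2 ;;
    esac 2>/dev/null
}

# Succeed only if the CSR or certificate carries this private key's public half.
key_matches() {  # $1 = private key, $2 = req|x509, $3 = file
    k=$(pubkey_of key "$1") && c=$(pubkey_of "$2" "$3") &&
        [ -n "$k" ] && [ "$k" = "$c" ]
}

# Generate the key on the server (owner-readable only), then the CSR from it.
make_key_and_csr() {  # $1 = domain, $2 = directory
    ( umask 077 && openssl genrsa -out "$2/server.key" 2048 ) 2>/dev/null &&
        openssl req -new -key "$2/server.key" -subj "/CN=$1" -out "$2/server.csr"
}

# Merge server and CA certificates, refusing mismatched or unrelated input.
build_chain() {  # $1 = key, $2 = server cert, $3 = CA cert, $4 = output
    key_matches "$1" x509 "$2" ||
        { echo "certificate does not match private key" >&2; return 1; }
    openssl verify -CAfile "$3" "$2" >/dev/null 2>&1 ||
        { echo "certificate was not issued by this CA" >&2; return 1; }
    cat "$2" "$3" > "$4"    # server certificate first, then the CA certificate
}

# Constructed offline run: a throwaway CA signs the CSR in place of StartSSL.
demo() {  # $1 = empty working directory
    make_key_and_csr example.com "$1" &&
    key_matches "$1/server.key" req "$1/server.csr" &&
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=Demo CA" \
        -keyout "$1/ca.key" -out "$1/ca.crt" 2>/dev/null &&
    openssl x509 -req -in "$1/server.csr" -CA "$1/ca.crt" -CAkey "$1/ca.key" \
        -CAcreateserial -days 1 -out "$1/server.crt" 2>/dev/null &&
    build_chain "$1/server.key" "$1/server.crt" "$1/ca.crt" "$1/chain.crt"
}
```

Running `demo "$(mktemp -d)"` exercises the whole flow offline; with real files, call `build_chain` with your key, the issued certificate, the CA certificate and the output path.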

 

We now have the certificate and our private key. All that remains is to configure our web server to enable SSL.
