Free Certificates, startssl and Self-signed Certificates

Obtaining a free certificate for a simple website is a handy thing to do. It provides not only enhanced security but good practice for later when you need to get more complicated certificates and embed them in a webserver.

startcom.org is a free certificate authority whose root certificate is trusted by many popular web browsers; the list of supported browsers is published at startcom.org. The certificate wizard at startcom.org will allow you to create a private key, but you can generate your own private key and skip this step.

To generate the private key without a password, and then a certificate signing request (CSR) signed with SHA-256 (the digest option belongs to the CSR, not to key generation, so it goes on the req command rather than on genrsa):

# openssl genrsa -out hostname.key 2048

# openssl req -new -sha256 -key hostname.key -out hostname.csr


You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [XX]:US
State or Province Name (full name) []:YourState
Locality Name (eg, city) [Default City]:yourcity
Organization Name (eg, company) [Default Company Ltd]:Your company
Organizational Unit Name (eg, section) []:EngineeringorWhatever
Common Name (eg, your name or your server's hostname) []:www.hostname.com
Email Address []:aname@anemail

Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:<-enter
An optional company name []:OptionalName LLC

Then paste the resulting CSR file into the StartSSL toolbox to generate a certificate. The certificate it returns works with the private key generated above. Then place the resulting crt and key files into the SSL configuration as shown below.

To create or renew a free certificate:

Validate your email or your domain name. In this case you must validate a domain name.
Click on the Validations Wizard and choose email or domain, then follow the steps. Eventually you will get the following message:

You have successfully authenticated mail account "webmaster@hostname.com".
You will be able to use this verification for the next 30 days, after
which it expires and must be renewed.

Now click on the Certificates Wizard and choose the appropriate option from the drop-down.
In this case I chose the "Webserver SSL/TLS certificate" option. This brings up the following message:

If you created your own private key and certificate request (CSR), please 
skip this step.
 * Provide a password for your private key. (At least 10 characters, max. 32)
 * Allowed are only letters and numbers, without spaces!
 * Write your password down somewhere securely.
 * Note that SHA2 hash algorithm may be not supported on older systems 
  (Windows XP, Windows 2003).
Skip »»          Continue »»

Choose Skip, since we created our own Certificate Signing Request (CSR).

This brings up the following:

* Copy and paste the content from the certificate request into the 
textbox below.
* Make sure, that you do not alter the content and you did not add any spaces!
* Always include the headers and footers of the CSR.
* The CSR must have a SHA1 hash or better, MD5 hashes are not allowed.
* The RSA key size must be 2048 bit or higher.

Click Continue.

Time passes...

Eventually you get this:

You submitted your certificate signing request successfully!.
 All content of the certificate signing request is ignored except its public key.
 You may proceed to the next step now. 

Continue »»

It will ask you to choose a domain name that you have previously validated. Don't worry about it only being the Top Level Domain (TLD); you will be able to add a www. entry later.

Click Continue and the following will pop up:

We have gathered enough information in order to sign your certificate now.
 The common name of this certificate will be set to www.hostname.com.
 The certificate will have the following host names supported:
 hostname.com
 www.hostname.com
 Please click on Continue in order to process the certificate.

The next step will provide the certificate. Copy the certificate into a file named hostname.crt.

In your Apache configuration file add the following lines:

SSLCertificateFile /etc/httpd/somewhere/hostname.crt
SSLCertificateKeyFile /etc/httpd/somewhere/hostname.key

I use a directory where I store all the keys and certificates, and then lock that directory down so only root can access it.

Restart your web server:

# service httpd restart   # or whatever you use to restart your web server

Go to the site at https://www.hostname.com. If you are using Firefox, click on the padlock icon in the location bar and view the certificate. View the details and it should say that the certificate will expire in a year.

To view the certificate at the command line:

openssl x509 -noout -text -in hostname.crt
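An added example, not from the original post, that scripts the key and CSR generation above and adds the checks worth running before pasting the CSR into the wizard and before putting the returned hostname.crt into Apache. It assumes openssl is on the PATH; the self-signed certificate stands in for the CA-issued one and the DN values are placeholders.

```sh
#!/bin/sh
# Added example, not from the original post: automate the key/CSR step and the
# checks a practitioner wants before and after the StartSSL wizard. The
# self-signed certificate stands in for the CA-issued hostname.crt; the DN
# fields are placeholders.
set -e
umask 077      # key and CSR are created readable by the owner only

# make_key_and_csr DIR HOST: writes DIR/HOST.key and DIR/HOST.csr
make_key_and_csr() {
    openssl genrsa -out "$1/$2.key" 2048 2>/dev/null
    # the digest option belongs to the CSR signature, not to key generation
    openssl req -new -sha256 -key "$1/$2.key" -out "$1/$2.csr" \
        -subj "/C=US/ST=YourState/L=yourcity/O=Your company/CN=$2"
}

# check_csr CSR: 0 if the self-signature verifies, the RSA key is at least
# 2048 bits and the signature digest is not MD5 (the wizard's requirements)
check_csr() {
    openssl req -noout -verify -in "$1" >/dev/null 2>&1 || return 1
    text=$(openssl req -noout -text -in "$1")
    bits=$(printf '%s\n' "$text" | sed -n 's/.*Public-Key: (\([0-9]*\) bit).*/\1/p')
    [ "${bits:-0}" -ge 2048 ] || return 1
    if printf '%s\n' "$text" | grep -qi 'Signature Algorithm: md5'; then return 1; fi
    return 0
}

# self_sign CSR KEY CRT: one-year self-signed stand-in for the issued certificate
self_sign() {
    openssl x509 -req -sha256 -days 365 -in "$1" -signkey "$2" -out "$3" 2>/dev/null
}

# cert_matches_key CRT KEY: 0 if the certificate carries this key's public half
cert_matches_key() {
    a=$(openssl x509 -noout -pubkey -in "$1" | openssl sha256)
    b=$(openssl rsa -in "$2" -pubout 2>/dev/null | openssl sha256)
    [ -n "$a" ] && [ "$a" = "$b" ]
}

# cert_valid_for_days CRT N: 0 if the certificate does not expire within N days
cert_valid_for_days() {
    openssl x509 -noout -checkend $(( $2 * 86400 )) -in "$1" >/dev/null
}
```

Run cert_matches_key against the certificate the wizard returns before restarting Apache; a mismatch there means the wrong key file is about to be configured.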
