Obtaining a free certificate for a simple website is a handy thing to do. It provides not only enhanced security but also good practice for later, when you need to get more complicated certificates and embed them in a web server.
StartCom (startcom.org) is a free certificate authority whose root certificate is trusted by many popular web browsers; you can see the list of supported browsers at startcom.org. The certificate wizard at startcom.org will create a private key for you, but you can generate your own private key and skip that step.
To generate the private key without a password, and then a certificate signing request (CSR) signed with SHA-256:

# openssl genrsa -out hostname.key 2048
# openssl req -new -sha256 -key hostname.key -out hostname.csr
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [XX]:US
State or Province Name (full name) :YourState
Locality Name (eg, city) [Default City]:yourcity
Organization Name (eg, company) [Default Company Ltd]:Your company
Organizational Unit Name (eg, section) :EngineeringorWhatever
Common Name (eg, your name or your server's hostname) :www.hostname.com
Email Address :aname@anemail

Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password :<-enter
An optional company name :OptionalName LLC
Then paste the resulting CSR file into the StartSSL toolbox and generate a certificate. The certificate will work with the private key generated above. Finally, place the resulting crt and key files into the SSL configuration as shown below.
To create or renew a free certificate:
Validate your email or your domain name. In this case you must validate a domain name.
Click on the Validations Wizard and choose email or domain, then follow the steps. Eventually you will get the following message:
You have successfully authenticated mail account "firstname.lastname@example.org". You will be able to use this verification for the next 30 days, after which it expires and must be renewed.
Now click on the Certificates Wizard and choose the appropriate option from the drop-down.
In this case I chose the “Webserver SSL/TLS certificate” option. This brings up the following message:
If you created your own private key and certificate request (CSR), please skip this step.
* Provide a password for your private key. (At least 10 characters, max. 32)
* Allowed are only letters and numbers, without spaces!
* Write your password down somewhere securely.
* Note that SHA2 hash algorithm may be not supported on older systems (Windows XP, Windows 2003).
Skip »» Continue »»
Choose Skip, since we created our own Certificate Signing Request (CSR).
Which brings up the following:
* Copy and paste the content from the certificate request into the textbox below.
* Make sure, that you do not alter the content and you did not add any spaces!
* Always include the headers and footers of the CSR.
* The CSR must have a SHA1 hash or better, MD5 hashes are not allowed.
* The RSA key size must be 2048 bit or higher.
time passes …..
Eventually you get this:
You submitted your certificate signing request successfully! All content of the certificate signing request is ignored except its public key. You may proceed to the next step now.
Continue »»
It will ask you to choose a domain name that you have previously validated. Don’t worry about it only being the Top Level Domain (TLD). You will be able to add a www. entry later.
Click Continue and the following will pop up:
We have gathered enough information in order to sign your certificate now. The common name of this certificate will be set to www.hostname.com. The certificate will have the following host names supported:
hostname.com
www.hostname.com
Please click on Continue in order to process the certificate.
The next step will provide the certificate. Copy the certificate into a file.
In your Apache configuration file add the following lines:

SSLCertificateFile /etc/httpd/somewhere/hostname.crt
SSLCertificateKeyFile /etc/httpd/somewhere/hostname.key

I use a directory where I store all the keys and certificates. Then I lock that directory down so only root can access it.
Restart your web server:

# service httpd restart    # or whatever you use to restart your web server
Go to the site at https://www.hostname.com. If you are using Firefox, click on the padlock icon in the location bar and view the certificate. View the details and it should say that the certificate will expire in a year.
To view the certificate at the command line:
openssl x509 -noout -text -in hostname.crt
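The key and CSR generation above, and the Apache key/certificate pairing, as an added example that is not part of the original post: a small script that creates the key and CSR non-interactively, checks the CSR against the rules the CA states (RSA 2048 bits or more, no MD5), and confirms that a certificate really belongs to the private key before both go into SSLCertificateFile/SSLCertificateKeyFile. Host name and subject fields are placeholders; the functions assume the openssl command-line tool is installed.

```shell
#!/bin/sh
# Added example (not the original post's code). Assumes the openssl CLI.
# www.hostname.com and the subject fields are placeholders.

# Generate an unencrypted 2048-bit RSA key and a SHA-256-signed CSR with
# the Distinguished Name supplied on the command line instead of prompts.
# Usage: make_key_and_csr www.hostname.com
make_key_and_csr() {
    host="$1"
    openssl genrsa -out "$host.key" 2048 2>/dev/null
    openssl req -new -sha256 -key "$host.key" -out "$host.csr" \
        -subj "/C=US/ST=YourState/L=yourcity/O=Your company/OU=Engineering/CN=$host"
}

# Return 0 if the CSR meets the CA's stated requirements: an RSA key of
# 2048 bits or more, and a signature digest that is not MD5.
# Usage: check_csr www.hostname.com.csr
check_csr() {
    text=$(openssl req -noout -text -in "$1")
    # "Public-Key: (2048 bit)" in the Subject Public Key Info section
    bits=$(printf '%s\n' "$text" | sed -n 's/.*Public[- ]Key: (\([0-9]*\) bit).*/\1/p')
    # "Signature Algorithm: sha256WithRSAEncryption"
    sigalg=$(printf '%s\n' "$text" | sed -n 's/.*Signature Algorithm: *//p' | head -n 1)
    [ "${bits:-0}" -ge 2048 ] || return 1
    case "$sigalg" in *md5*|*MD5*) return 1 ;; esac
    return 0
}

# Return 0 if the certificate's public key belongs to the private key,
# i.e. the pair is safe to reference from SSLCertificateFile and
# SSLCertificateKeyFile. A mismatch here is a common reason Apache
# refuses to start after a renewal.
# Usage: key_matches_cert hostname.key hostname.crt
key_matches_cert() {
    k=$(openssl rsa -noout -modulus -in "$1")
    c=$(openssl x509 -noout -modulus -in "$2")
    [ -n "$k" ] && [ "$k" = "$c" ]
}
```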