wiki:StartSSLcertificate

StartSSL certificate

StartCom issues free Class 1 SSL certificates under the name StartSSL. StartCom is a relatively new player in the field, but they are already accepted by most client software.

Get a web server certificate

  1. Sign up at https://www.startssl.com/ (use accurate address data, otherwise your registration will be rejected). If your mail server is using grey-listing you might need to start the registration process twice.
  2. Wait for StartSSL staff to approve your registration (never took longer than 1h for me, but plan more time just in case).
  3. Create backup of client certificate for StartSSL admin panel authentication. Really do it, because if you lose it you won't be able to enter your account any more. There is no "recover account" option, so you will need to create a new account. Don't forget to note down the password that you use for exporting the client certificate, you will need it when importing it again.
  4. Validate your domain using the Validations Wizard. Make sure your mail server is properly configured. If your mail server is using grey-listing you might need to start the validation process twice.
  5. Go to Certificates Wizard and select "Web Server SSL/TLS Certificate".
  6. Generate private key and make sure to save the private key before continuing the wizard. You won't be able to retrieve it again later. Also make sure to remember the password for decrypting the private key of course.
  7. Wait for StartSSL staff to approve your certificate (again, this never took longer than 1h for me, but plan more time just in case).
  8. Go to Decrypt private key in the Toolbox, decrypt using the key's password and save the decrypted private key as <yourdomain>.key (keep this key private).
  9. Go to Retrieve Certificate in the Toolbox and save the certificate as <yourdomain>.crt (keep private).

Install a web server certificate

  1. Download StartSSL's Class 1 Intermediate Server CA (sub.class1.server.ca.pem) and place it in the SSL configuration folder of your server.
  2. Place <yourdomain>.key and <yourdomain>.crt in the SSL configuration folder of your server.
  3. Edit your Apache config and point SSLCertificateKeyFile (key), SSLCertificateFile (crt) and SSLCertificateChainFile (ca.pem) to these files.
  4. Restart Apache.
  5. Go to https://<yourdomain> and see if the correct SSL certificate is used.

Checklist

Things you should have collected by now:

  1. Backup of StartSSL client certificate (.p12 file)
  2. Password for .p12 file
  3. Encrypted server private key
  4. Password for encrypted private key
  5. Decrypted private key (.key file)
  6. Certificate issued by StartSSL (.crt file)
  7. Intermediate server CA file (sub.class1.server.ca.pem) - available for download on the internet, so don't worry if you lose this
Last modified 6 years ago Last modified on Jul 24, 2011 2:55:27 PM