Part 1/2 - Get SSL certificate (free)


I want a totally, 100% free certificate so I’m going to use StartSSL class 1 certificate. Before you go ahead, please check StartSSL / StartCom reviews and their policies (recommended).

Limitations of StartSSL Free: While certificates are free for certain uses, there are limitations imposed unless an upgrade is purchased.

  • One-year certificate validity (new certificate can be issued for free at any time).
  • One domain plus one host name per certificate (e.g. www.yourDomain.com and yourDomain.com, or www.service.yourDomain.com and yourDomain.com).
  • No commercial use
  • Certificate revocation requires a fee

Previous:

Next:

Part 2/2 - Configure SSL on nginx web server


Synopsis: Topics covered are, roughly. A. Signup for StartSSL B. Get domain validated C. Private Key & Certificate Signing Request (CSR) D. Prepare a unified certificate & protect private key

One needs to signup StartSSL & if you haven’t done so for, here is a blog to signup for startSSL. Signup for StartSSL . Signup then come back to this post again to continue.

Once you signup & certificate is installed on your browser, StartSSL will be able to authenticate you.

Validations Wizard:

  1. You should be able see these tabs on screen after signup. Validation Wizard In case you don’t see above tabs then click on ‘Control Panel’ on right corner then on ‘Authenticate’. Control Panel Click on ‘Validations Wizard’. We are going validate our domain so select ‘Domain Name Validation’ from drop down. Validation Wizard

  2. Enter your domain name Enter your domain name

  3. Choose email address you have access to Choose email address

This gets bit tricky. If You have chosen to hide your email id by proxy (as I did) while registering the domain then you will see last option as proxy mail id, else you should see your email id. Select last option and you will get mail forwarded by proxy mail id to your email id.

  1. Domain Verification code Domain Verification code

You should receive an email with verification code as below.

email Verification code

Copy verification code from email and paste it in StartSSL verification code input box. Click on ‘Continue’ button.

  1. Validation Success! validation success

Wow! we have successfully validated our domain. Let’s get private key and certificate for the domain.

Certificates Wizard:

  1. Click on ‘Certificates Wizard’ Certificate Wizard Then select ‘Web Server SSL/TLS Certificate’ from drop down in ‘Certificate Target’ field. Click on ‘Continue’ button.

  2. Generate Private Key Generate Private Key Enter key password and note it down somewhere safe. You are gonna need it later. Keep key size 2048 for better security and performance. Click on ‘Continue’ button.

  3. Save Private Key & Decrypt the key as per instruction. Save Private Key You got private key for your domain. Keep it safe place where only you can access it. Click on ‘Continue’ button.

  4. Select your validated domain from drop down option. Add domain Click on ‘Continue’ button.

  5. Add one subdomain Add subdomain Choose subdomain name you want to add, wisely. You will be able to access your bare domain and one subdomain only through the certificate. I used ‘www’ subdomain, so that user should be able to use my website with or without ‘www’. But you are free to choose any subdomain of your choice. Click on ‘Continue’ button.

  6. Ready for certificate Ready for certificate Click on ‘Continue’ button.

  7. Wait for email confirmation Wait for email

I got email within 15 mins. Email confirming the certificate Email confirms that Certificate has been issued for your bare domain & one subdomain. Let’s go and grab it.

Tool Box:

  1. Click on ‘Tool Box’ then ‘Retrieve Certificate’ Retrieve Certificate

  2. Select Certificate Select Certificate Certificate is available to retrieve named on subdomain. Select & click on ‘Continue’ button.

  3. Copy Certificate and save it with name ssl.crt Copy Certificate

  4. Get StartCom CA Certificates StartCom CA Certificates Get root and intermediate certificates. You need both certificates along with your subdomain certificate, to create a unified certificate. Alternatively use below commands to get root and intermediate certificates. wget http://www.startssl.com/certs/ca.pem wget http://www.startssl.com/certs/sub.class1.server.ca.pem

  5. Create a unified certificate from your certificate and the CA certificates cat ssl.crt sub.class1.server.ca.pem ca.pem > ssl-unified.crt ssl-unified.crt will be certificate for your domain & a subdomain.

  6. Protect your key from prying eyes chmod 600 ssl.key

We have ssl.key (Private Key) & ssl-unified.crt (Certificate). Let’s configure web server (nginx) to use these two and configure for https along with some other security stuff in 2nd and last part of the series. Part 2/2 - Configure SSL on nginx web server

Ashish Pandey

Bengaluru, India blog.ashishapy.com