Getting a free SSL certificate from StartSSL

StartSSL provides free of charge SSL certificates that are good for one year and require that you verify your email address and control over the domain. This is a big money saver if you want to bring https to your website.

First verify your email account and generate a client certificate for your browser. This is the lowest level of verification but it is sufficient and pretty straightforward. You can use this identity to generate any number of certificates for the next 30 days. After that you’ll need to verify your email again.

Once you have this set up and are logged in to the site you’ll need to verify the domain you want to generate the certificate for. Hit the validations wizard tab and enter the domain name. Only top level domains work, no subdomains. Next you’re presented with a list of email addresses to use for domain verification. Select one that you can access right away. Click continue and await the arrival of the verification email.

Grab the verification code in the email that was sent and enter it in the verification code box on the complete validation page and click on continue. You should see the validation success message. Once a domain is validated you can use the validation for 30 days to generate certificates. Click finish to close the process.

Now we’re ready to generate a certificate. Hit the certificates wizard tab to get started. Select Web Server SSL/TLS Certificate from the dropdown and hit continue. The first step here is to generate the private key for your certificate. Please note that if you created your own private key and certificate request (CSR), you can skip this step. Otherwise enter a key password twice and hit continue.

Please note that you need to keep this password somewhere or you won’t be able to decrypt the key you’re about to generate. I highly recommend that you use a password tracker like KeePass to generate and store a strong password for this.

StartSSL will present you with a private key. Copy the text, being careful not to add any spaces or lines to it. Use a simple text editor to save the private key as ssl.key. I like to create a folder with the domain name to save this and the other files needed to get SSL going on the web server.

At this point the key is encrypted and you’ll need the password to decrypt it for use with the web server. For me the easiest way to do this is to go to the folder where you saved ssl.key and decrypt the private key with the OpenSSL utility: openssl rsa -in ssl.key -out ssl.key.d. This works well on Linux and OSX. StartSSL also provides a tool for decrypting the key but I’ve had mixed results with it.

Once you’ve decrypted the key hit continue to add a domain and generate the actual certificate. Just select your domain and hit continue. You will be prompted to add the subdomain for the certificate. In most cases that will be www. Hitting continue shows you the information gathered so far and prompts for one more click on continue to generate the certificate.

Finally we get to the SSL certificate! As with the private key you’ll need to copy the text carefully and use a text editor to save the file as ssl.cert. In addition you need to save the intermediate and root CA certificates for the installation at your server using Save As… in your browser.

With everything saved you can hit the finalize button to finish up. Now you have all you need to get SSL up and running on your web server. Coming next are instructions on getting it all working on Apache 2.4.
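
The decryption step, plus a check that the saved ssl.cert really belongs to ssl.key.d, as an added shell example that is not from the original post. The function names are hypothetical, and the demo runs on a constructed throwaway key and self-signed certificate rather than StartSSL's files.

```shell
#!/bin/sh
# Added example. ssl.key, ssl.key.d and ssl.cert are the article's file names;
# the function names and the throwaway demo data are assumptions.

# Decrypt the password-protected key. The subshell's umask 077 makes sure the
# decrypted copy is created readable by its owner only.
# usage: decrypt_key ssl.key ssl.key.d [passin]   (prompts when passin is omitted)
decrypt_key() {
    (
        umask 077
        if [ -n "$3" ]; then
            openssl rsa -in "$1" -out "$2" -passin "$3"
        else
            openssl rsa -in "$1" -out "$2"
        fi
    )
}

# Succeed only if the certificate carries the public half of the given
# (decrypted) private key. A copy/paste slip in either file fails here
# instead of at web server start-up.
key_matches_cert() {
    k=$(openssl pkey -in "$1" -pubout 2>/dev/null) || return 2
    c=$(openssl x509 -in "$2" -noout -pubkey 2>/dev/null) || return 2
    [ -n "$k" ] && [ "$k" = "$c" ]
}

# Constructed stand-in for the StartSSL downloads: a throwaway encrypted key
# and a self-signed certificate in a temporary directory.
demo() {
    d=$(mktemp -d) || return 1
    openssl genrsa -aes256 -passout pass:constructed -out "$d/ssl.key" 2048 2>/dev/null &&
    decrypt_key "$d/ssl.key" "$d/ssl.key.d" pass:constructed 2>/dev/null &&
    openssl req -new -x509 -key "$d/ssl.key.d" -subj "/CN=example.test" \
        -days 1 -out "$d/ssl.cert" 2>/dev/null &&
    key_matches_cert "$d/ssl.key.d" "$d/ssl.cert" &&
    echo "key and certificate match; key mode: $(ls -l "$d/ssl.key.d" | cut -c1-10)"
    rc=$?
    rm -rf "$d"
    return $rc
}

demo
```

Run key_matches_cert ssl.key.d ssl.cert in the domain folder before installing the files; a non-zero exit means the pasted key or certificate was damaged or the two do not belong together.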