StartSSL offers free, 1-year SSL certs capable of 256-bit encryption for web/email/other servers. They are convenient, useful and, yes, free (and they work in all current browsers I use save Opera).

StartSSL's free SSL certificates are limited to one year and are not 100% functional in Opera (Opera does not ship their CA cert). I set up certs on my services (web/IMAP/SMTP) and have (aside from Opera) been very happy with their performance.

Here’s a quick tutorial for:

* setting up a CSR (Certificate Signing Request)
* submitting the CSR
* installing the intermediate CA certs

This assumes you already have SSL-enabled web/mail services, that you have openssl accessible on a system under your control, and that you actually want a decent SSL certificate installed.

Start by going to the StartSSL website, registering as a user, and downloading and installing the client certificate they create for you. Now we can start making our certificates.

Create a PEM-encoded RSA private key (the passphrase encrypts the key file with 3DES):

%openssl genrsa -des3 -out my-domain.key 1024
Generating RSA private key, 1024 bit long modulus
............++++++
...++++++
e is 65537 (0x10001)
Enter pass phrase for my-domain.key:
Verifying - Enter pass phrase for my-domain.key:

Generate the CSR (you will be prompted for the key passphrase, then for the subject fields; the Common Name must be the hostname the certificate is for):

%openssl req -new -key my-domain.key -out blah.my-domain.csr
... answer questions…

Copy/paste the CSR into the provided text box on StartSSL, follow the prompts, validate your email address and then download your Certificate file. Install the Certificate file someplace you’ll find it later (/usr/local/ssl/certs, /etc/ssl/certs, /usr/local/apache/certs/). Download the CA certs from StartSSL; be sure to download at least this one:

Class 1 Intermediate Server CA

Save this where you saved the certificate for your host.

Add the following lines to your Apache SSL config:

SSLCertificateFile /location/to/your/cert/file.pem
SSLCertificateKeyFile /location/to/your/keyfile.key
SSLCertificateChainFile /location/to/startcom.class1.server.ca.crt

NOTE WELL: using an encrypted key file is ‘recommended’ so that someone unsavory who gets hold of your cert file and key file can’t impersonate your web server. It does, however, mean that the service will not auto-start, since Apache will prompt you to type the passphrase to decrypt the key. This can be avoided, at the expense of some security, with:

openssl rsa -in your-domain.key -out your.domain.decr.key

and changing the line referencing the key in the Apache config to:

SSLCertificateKeyFile /location/to/your/keyfile/your.domain.decr.key

Now, restart your web service and rejoice.
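The key and CSR steps above, followed by the checks worth running before touching the Apache config and the decrypt step, as an added shell example (not from the original post). It assumes openssl is on PATH; the self-signed "stub" CA and the hostname are constructed stand-ins for StartSSL's intermediate and your own domain, and the key is 2048 bits rather than the 1024 used above.

```shell
#!/bin/sh
# Added example, not from the original post: the tutorial's key/CSR steps
# run non-interactively, then the checks worth doing before the issued cert
# goes into Apache. A throwaway self-signed CA, constructed here, stands in
# for StartSSL's Class 1 Intermediate Server CA.
set -eu
WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# genrsa -des3 + req -new, with passphrase and subject given on the command
# line instead of typed at the prompts (2048 bits: CAs no longer accept 1024).
make_key_and_csr() {  # $1 = hostname, $2 = passphrase
    openssl genrsa -des3 -passout "pass:$2" -out "$WORK/$1.key" 2048 2>/dev/null
    openssl req -new -key "$WORK/$1.key" -passin "pass:$2" \
        -subj "/C=US/ST=Somewhere/O=Example/CN=$1" -out "$WORK/$1.csr"
    # This CSR is what gets pasted into the CA's form: confirm its CN first.
    openssl req -in "$WORK/$1.csr" -noout -subject | grep -q "CN *= *$1"
}

# Constructed stand-in issuer; its cert plays the SSLCertificateChainFile role.
make_stub_ca() {
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
        -subj "/O=Constructed/CN=Stub Class 1 Intermediate Server CA" \
        -keyout "$WORK/ca.key" -out "$WORK/ca.crt" 2>/dev/null
}

sign_csr() {  # $1 = hostname; mimics the CA returning your Certificate file
    openssl x509 -req -in "$WORK/$1.csr" -CA "$WORK/ca.crt" -CAkey "$WORK/ca.key" \
        -CAcreateserial -days 1 -out "$WORK/$1.crt" 2>/dev/null
}

# Check 1: the returned cert carries the public half of our key. A mismatch
# here is the classic reason Apache refuses to start after a cert swap.
cert_matches_key() {  # $1 = cert, $2 = encrypted key, $3 = passphrase
    c=$(openssl x509 -in "$1" -noout -modulus)
    k=$(openssl rsa -in "$2" -passin "pass:$3" -noout -modulus 2>/dev/null)
    [ "$c" = "$k" ]
}

# Check 2: the server cert verifies against the CA cert handed to Apache.
chain_verifies() {  # $1 = CA cert, $2 = server cert
    openssl verify -CAfile "$1" "$2" >/dev/null 2>&1
}

# The post's decrypt step, but the plaintext key is created owner-only (0600).
decrypt_key() {  # $1 = encrypted key, $2 = passphrase, $3 = output path
    (umask 077; openssl rsa -in "$1" -passin "pass:$2" -out "$3" 2>/dev/null)
    mode=$(stat -c %a "$3" 2>/dev/null || stat -f %Lp "$3")
    [ "$mode" = "600" ]
}
```

Point SSLCertificateFile, SSLCertificateKeyFile and SSLCertificateChainFile at the three files only once both checks pass; the decrypted key belongs in a directory readable only by root, as the 0600 mode alone does not protect it from a root-owned Apache that is later misconfigured.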