Creating SSL certificates with StartSSL

For several years, I’ve been using StartSSL already to create my personal website’s SSL certificate. Just recently, the Israel-based CA has revamped their website not only with a more modern and fresher look, but also improved usability by implementing new wizards. In this little howto I’ll show you how to create your own web server SSL certificate in just a couple of minutes.

The steps involved are actually not that complicated, especially since the StartSSL website finally has a shiny new look. ;-)

Class of 1, 2, 3

I assume you have already signed up and validated your identity. If not, the process is quite straightforward – fill in your personal data on their website, confirm your e-mail address by following the instructions sent to you and get validated as Class 1 for free. Depending on your actual needs, e.g. showing your organizational details or be able to use wildcard certificates, you might want to upgrade to Class 2 validation or higher which comes with a little fee attached, but the basic functionality shown in this howto is pretty much the same. That being said, StartSSL doesn’t charge per certificate for most validation classes, but for the annual validation – the fee stays the same independent of how many domain names you issue certificates for.

Validate your domain

With your e-mail address validated, it’s now time to add domains to your account portfolio to begin creating SSL certificates for them.

1. Go to the StartSSL website and click Login in the upper right part of the screen.
2. Depending on your browser’s configuration, you will be asked which client certificate to use for authentication. Should you have multiple certificates installed, e.g. one for your personal use and one for your organization, double-check you login with the proper one to not mix up accounts.

   

3. Click Validations Wizard.
4. Choose Domain Validation and click Continue.
5. Enter your domain name, without www or any other subdomain parts, and click Continue.
6. Choose amongst one of the available e-mail addresses for validation, and ensure e-mails to this address are only delivered to your inbox. If in doubt, update your WHOIS record or ask your provider to do so. StartSSL offers some well-known addresses like webmaster@, and lists the WHOIS records’ e-mail address as well. When you have chosen, click Send verification code.
7. Check your inbox for an e-mail from StartSSL, which should arrive within a few seconds. If it doesn’t please double-check your spam folder. If that doesn’t help either, wait 30 minutes and try again – chances are your mail server makes use of a mechanism called Greylisting and delays incoming e-mails for antispam purposes.

   

8. Enter the code in the web interface and click Validate. If this isn’t successful please double-check, as copy & paste sometimes adds unwanted white spaces after the text.

Create your certificate

1. Click To “Order SSL certificate”.

   

2. The next page shows all validated domain names available for certificates.
   1. StartSSL allows to add multiple domain names per certificate, e.g. variants with and without hypens, or different domain endings (TLDs).
   2. You can add any of your validated domains or any of its subdomains like www or mail to the list.
   3. The first line becomes the so called Common Name, which is sometimes prominently shown in client software, and acts as fallback name for old or broken clients.
   4. The sample below uses my personal domain name effenberger.org as Common Name and has a wildcard *.effenberger.org covering all subdomains to the first level (e.g. www.effenberger.org, but not test.www.effenberger.org). Wildcard certificates are reserved for Class 2 validations and higher and when you use them, remember they only cover subdomains, so – as in the sample above- add the domain name as well to the list of names.
3. To create a certificate, you need a so called Certificate Signing Request and I recommend choosing the Generated by yourself variant. Here’s how I created it:

   1. openssl req -sha512 -new -newkey rsa:4096 -keyout site.pem -out site.csr -passout pass:YourPassword -subj "/C=YourCountry/ST=YourState/L=YourTown/O=YourName/CN=*.your.domain/emailAddress=your.email@your.domain"

   2. openssl rsa -passin pass:YourPassword -in site.pem -out site.key

   3. You end up with several files:
      1. site.csr is your Certificate Signing Request
      2. site.key is your unencrypted private key
      3. site.pem is your encrypted private key
   4. Paste the content of the site.csr file into the respective form on the StartSSL website and click on Submit. Keep the other files private and don’t share them with anyone!
4. If your request has been successful, you’ll soon be presented with a confirmation message and a download link to a ZIP file, containing your certificate and StartSSL’s intermediate and root certificate.

   

5. Congratulations! You have just had your certificate signed by StartSSL! The next steps depend on your server software:
   1. Usually, you want to copy your unencrypted private key, your certificate and the intermediate certificate to your server,
   2. create a certificate chain (certificate and intermediate in one file, in this particular order)
   3. and configure your software accordingly.
   4. You might also want to add Diffie-Hellman parameters, make use of OCSP Stapling, HSTS and HPKP, but more on that in a later blogpost. ;-)

Further notes

1. Depending on your validation class, your certificate expires within 6 months to two years. Make yourself a note about the expiration date, which e.g. is shown in any browser you use to access your SSL-protected site, and renew in time.
2. As a final step, in order to test if your server has been successfully set up and the certificate chain is in order, you can run a SSL Server Test.