If you don't want to scare away your users with dire browser warnings, the certificate your web site serves must chain up to a root authority that ships in the browser's trust store. While it is possible to install additional authorities, it is not something that 99% of people would ever do. That means you're stuck paying someone a yearly fee just to serve HTTPS without warnings.
Unless you use StartSSL.
Yes! StartSSL provides FREE server certificates with 1-year terms, and its root is trusted by all common browsers. The catch is that requesting and installing them can be a little tricky.
There are three steps to the process. First, you need a client certificate installed in your browser; StartSSL uses it instead of a password to verify that you are who you claim to be whenever you log in. Go to https://www.startssl.com and click on the button in the upper right that looks like an ID card and some keys.
Click on the Keys to Begin
Fill out this form with your contact information.
The second step in this process is to use the Validations Wizard to validate your domain. Click on the Validations Wizard tab and then select "Domain Name Validation" from the drop-down box.
You want Domain Name Validation
Enter your domain name. No www, nothing, just the domain.
Now go to the Certificates Wizard tab and select "Web Server SSL/TLS Certificate" from the drop-down list.
The next step is to create the private key. This is the one you want to keep to yourself! Enter a password for it and continue to the next step. It will show you the key in a text area, encrypted with that password. Copy and paste it into a file called ssl.key and click Continue. Two things to know about this step: your web server cannot read the encrypted key without the password, so you will either remove the password later (openssl rsa -in ssl.key -out ssl.key) or enter it every time the server starts; and the key is generated by the wizard, not on your own machine. If you would rather never let the key leave your server, the wizard also lets you skip this step and paste in a certificate signing request (CSR) that you generated yourself.
The next screen has you select the domain for which you are generating this certificate. A drop-down box shows the list of all the domains you have validated (step two of the three). After that, you have to supply a single subdomain. The certificate will be good for both names. Most people use "www" for this. After one final confirmation screen, StartSSL is ready to generate your certificate.
If everything went well, you should be given another text area with your certificate in it. Copy and save it to a file named ssl.cert, or something with the domain name in it so you remember which one it is for.
Now you have a private key and a certificate signed by a legitimate authority. You're all set, right? Well, almost. I said there were only three steps, but there is one more. The certificate is signed by a StartCom intermediate authority, not by the root itself. Browsers only ship the root; the intermediate is supposed to be sent by your server alongside your own certificate. Desktop browsers usually paper over a missing intermediate (they have it cached from another site, or go and fetch it), but Android and many non-browser clients don't, and they will reject the certificate when it is served on its own. The fix is to serve a complete certificate chain: your server certificate followed by the intermediate certificate that signed it.
First, go to the Toolbox tab and then click on "StartCom CA Certificates" on the left side. The certificates for the intermediate authorities are available for download there.
My certificate, since it is one of the free ones, is signed by the Class 1 Intermediate Server CA. Download that certificate and concatenate it after your ssl.cert file. The order matters: your certificate first, then the intermediate.
cat ssl.cert sub.class1.server.sha2.ca.pem > combined.cert
Now use combined.cert instead of ssl.cert as the server certificate in your web server of choice. Nginx and Node read the whole chain from that one file; Apache before 2.4.8 wants your certificate in SSLCertificateFile and the intermediate in a separate SSLCertificateChainFile, while 2.4.8 and later accept the combined file in SSLCertificateFile. Do that and even Androids will be happy.
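Putting the whole procedure together, here is an added shell script that is not from the original post: it strips the passphrase from the key the wizard hands you, checks that key and certificate belong together, builds combined.cert in the right order, and verifies the chain the way a client that does no fetching of missing intermediates would see it. It assumes openssl(1) is installed. StartSSL's real certificates cannot be reproduced offline, so demo_pki builds a constructed stand-in hierarchy (a root, one intermediate saved under the same file name as StartSSL's Class 1 file, and a leaf for example.com) purely so the script can run end to end; the file names follow the post and the passphrase "demo" is made up.

```shell
#!/bin/sh
# Added example, not code from the post. Assumes openssl(1) is on PATH.
set -eu
umask 077   # private keys written below are created mode 0600

# The Certificates Wizard returns a passphrase-protected key. Servers need
# it unencrypted; in real use drop -passin and type the passphrase instead.
decrypt_key() {            # decrypt_key ssl.key ssl.plain.key passphrase
    openssl rsa -in "$1" -passin "pass:$3" -out "$2" 2>/dev/null
}

# Alternative to letting the wizard make the key: generate it locally and
# hand StartSSL only the CSR (the wizard lets you skip its key step).
make_csr() {               # make_csr example.com domain.key domain.csr
    openssl req -new -newkey rsa:2048 -nodes -subj "/CN=$1" \
        -keyout "$2" -out "$3" 2>/dev/null
}

# Your certificate first, then the intermediate that signed it.
build_chain() {            # build_chain ssl.cert intermediate.pem combined.cert
    cat "$1" "$2" > "$3"
}

# Does this private key belong to this certificate? Compare the public keys.
key_matches_cert() {       # key_matches_cert ssl.plain.key ssl.cert
    kpub=$(openssl pkey -in "$1" -pubout 2>/dev/null) || return 1
    cpub=$(openssl x509 -in "$2" -pubkey -noout 2>/dev/null) || return 1
    [ -n "$kpub" ] && [ "$kpub" = "$cpub" ]
}

# Verify the first cert in the chain file using ONLY the other certs in that
# file as intermediates, i.e. what an Android client that never goes looking
# for a missing intermediate would do. Succeeds only on an "OK" verdict.
verify_chain() {           # verify_chain root.pem combined.cert
    openssl verify -CAfile "$1" -untrusted "$2" "$2" 2>/dev/null | grep -q ': OK$'
}

# Constructed stand-in for StartSSL's hierarchy so the script runs offline.
demo_pki() {               # demo_pki dir
    ( cd "$1"
      openssl req -x509 -newkey rsa:2048 -nodes -days 30 -subj "/CN=Demo Root" \
          -keyout root.key -out root.pem 2>/dev/null
      printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign,cRLSign\n' > ca.ext
      openssl req -new -newkey rsa:2048 -nodes -subj "/CN=Demo Class 1 Intermediate" \
          -keyout int.key -out int.csr 2>/dev/null
      openssl x509 -req -in int.csr -CA root.pem -CAkey root.key -CAcreateserial \
          -days 30 -extfile ca.ext -out sub.class1.server.sha2.ca.pem 2>/dev/null
      # Mimic the wizard: the leaf key comes back encrypted with a passphrase.
      openssl req -new -newkey rsa:2048 -passout pass:demo -subj "/CN=example.com" \
          -keyout ssl.key -out ssl.csr 2>/dev/null
      openssl x509 -req -in ssl.csr -CA sub.class1.server.sha2.ca.pem -CAkey int.key \
          -CAcreateserial -days 30 -out ssl.cert 2>/dev/null )
}

# Stand-alone run: ./chain.sh demo
if [ "${1:-}" = "demo" ]; then
    d=$(mktemp -d)
    demo_pki "$d"
    decrypt_key "$d/ssl.key" "$d/ssl.plain.key" demo
    build_chain "$d/ssl.cert" "$d/sub.class1.server.sha2.ca.pem" "$d/combined.cert"
    key_matches_cert "$d/ssl.plain.key" "$d/ssl.cert" && echo "key matches certificate"
    verify_chain "$d/root.pem" "$d/combined.cert" && echo "combined.cert chain verifies"
    verify_chain "$d/root.pem" "$d/ssl.cert" || echo "ssl.cert alone does NOT verify (missing intermediate)"
fi
```

Run it with the demo argument and the last line shows exactly the failure the post describes on Android: the bare certificate fails verification, the combined file passes. Point verify_chain at the real StartCom root and your real combined.cert to check a production chain before deploying it.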
I've done this a couple of times now for a few different domains and it works great. It is maybe a little involved, but it is free. In this case you get even more than what you pay for! Now have a look at today's comic, and view it using transport layer security if you want!
Amphibian.com comic for 12 June 2015