When I was visiting a friend’s blog some days ago I realised he was using a valid SSL certificate. My first thought was: how did he get the cert? I want one for my site!

With that in mind I searched the web for more information about free certificates. The result: StartSSL issues Class 1 SSL certificates for private use, validated for one year, at no cost. Such a certificate covers the root domain and one subdomain of your choice. I want to show you how easy it is to get one of these from StartSSL and how to set up Apache to secure the communication with your site.

1. Creating the Certificate

First of all you need to generate the private key for your server (the public key is derived from it when the signing request is built in the next step):

openssl genrsa -out example.com.key 2048

Now use that private key to generate a certificate signing request (CSR). You will be asked for some additional information such as organisation name; you can leave the defaults, because StartSSL ignores these fields and takes the domain name from the validation step on its website instead. The private key never leaves your server; only the CSR is sent to the CA.

openssl req -new -key example.com.key -out example.com.csr

Now go to the “Express Lane” at www.startssl.com/?app=12, or log in if you already have an account. Fill out all fields truthfully. You will receive an email with a verification code to confirm your identity. After that you will not get a password to log in; instead a client certificate is installed in your browser, which you use to authenticate from then on (remember to back it up so you can use it in another browser later). In the next step you will be asked to enter the domain you want the certificate for (without the leading www). Then you have to choose one of the email addresses found for this domain to verify that you own it. After that you will be asked to enter a password; skip that step (keep the private key you generated yourself) and paste the CSR created before:

cat example.com.csr

Now choose the one subdomain you want to include in the certificate. It does not have to be www. Once the cert is generated, copy it from the browser including the delimiter lines

-----BEGIN CERTIFICATE-----
...
-----END CERTIFICATE-----

and save it as example.com.crt (a single PEM block, nothing else in the file).

2. Configure Apache

Copy the crt and key file to the directory where you keep your certificates. The Debian defaults are:

example.com.crt to /etc/ssl/certs/

example.com.key to /etc/ssl/private/

Make sure the key file is owned by root and readable by nobody else (mode 0600). Apache reads the key as root when it starts, before dropping privileges to its unprivileged user, so no other account needs access to it.

For maximum compatibility you should also download the intermediate certificate sub.class1.server.ca.pem from www.startssl.com/certs/ and put it in /etc/ssl/certs/. Your certificate is signed by this intermediate, not directly by the StartSSL root, so a client that does not already have the intermediate cannot build the chain to the root and will report a certificate error unless your server sends it.

Now go to the SSL vhost entry in your Apache config (on Debian, mod_ssl must be enabled and the vhost must listen on port 443) and add the following lines:

SSLEngine On
SSLCertificateFile /etc/ssl/certs/example.com.crt
SSLCertificateKeyFile /etc/ssl/private/example.com.key
SSLCertificateChainFile /etc/ssl/certs/sub.class1.server.ca.pem

Once you have reloaded the Apache config with

/etc/init.d/apache2 reload

you should be able to load the page over https://. If Apache refuses to reload, the usual causes are a certificate that does not belong to the private key (a paste error) or a wrong path in one of the three directives. Note that Apache 2.4.8 and later deprecate SSLCertificateChainFile; there you can instead append the intermediate certificate to the file named in SSLCertificateFile, after the server certificate.
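As an added example (not code from the original post), here are the two steps above as a small POSIX shell script. "prepare" generates the key and CSR as in step 1, "install" copies them to the Debian locations with root-only permissions on the key, and "check" confirms, before you reload Apache, that the pasted certificate actually belongs to your private key and was issued by the downloaded intermediate. The subcommand names, the script name startssl.sh, the assumption that "install" runs as root, and the modulus comparison are my additions, not part of the StartSSL procedure.

```shell
#!/bin/sh
# Added example, not from the original post. Wraps the post's two steps:
#   prepare <domain>  - key + CSR in the current directory (step 1)
#   install <domain>  - copy crt/key to the Debian paths used in the post (step 2, run as root)
#   check   <domain>  - verify key, certificate and intermediate belong together
set -eu

CERT_DIR="/etc/ssl/certs"
KEY_DIR="/etc/ssl/private"
CHAIN="$CERT_DIR/sub.class1.server.ca.pem"   # StartSSL intermediate from the post

# Step 1: 2048-bit RSA private key and the CSR built from it. The subject is
# given with -subj so there are no prompts; StartSSL ignores these fields.
gen_key_and_csr() {
    dom="$1"
    ( umask 077                           # key file is created unreadable by others
      openssl genrsa -out "$dom.key" 2048 2>/dev/null )
    openssl req -new -key "$dom.key" -out "$dom.csr" -subj "/CN=$dom"
}

# Returns 0 when the certificate was issued for this private key:
# the RSA modulus embedded in both files must be identical.
key_matches_cert() {
    key="$1"; crt="$2"
    k=$(openssl rsa  -noout -modulus -in "$key" | openssl md5)
    c=$(openssl x509 -noout -modulus -in "$crt" | openssl md5)
    [ "$k" = "$c" ]
}

# Returns 0 when the issuer of the server certificate is the subject of the
# intermediate, i.e. SSLCertificateChainFile points at the right CA file.
# The "issuer=" / "subject=" prefixes are stripped before comparing.
issuer_matches_chain() {
    crt="$1"; chain="$2"
    i=$(openssl x509 -noout -issuer  -in "$crt")
    s=$(openssl x509 -noout -subject -in "$chain")
    [ "${i#issuer=}" = "${s#subject=}" ]
}

# Step 2: copy to the Debian locations. The key is root-only (0600); Apache
# reads it as root at startup before dropping privileges.
install_files() {
    dom="$1"
    install -o root -g root -m 0644 "$dom.crt" "$CERT_DIR/$dom.crt"
    install -o root -g root -m 0600 "$dom.key" "$KEY_DIR/$dom.key"
}

# Run this before reloading Apache: a mismatch here is what makes the reload fail.
check_installed() {
    dom="$1"
    key_matches_cert "$KEY_DIR/$dom.key" "$CERT_DIR/$dom.crt" \
        || { echo "key and certificate do not match" >&2; return 1; }
    issuer_matches_chain "$CERT_DIR/$dom.crt" "$CHAIN" \
        || { echo "certificate was not issued by $CHAIN" >&2; return 1; }
    echo "key, certificate and chain are consistent"
}

case "${1:-}" in
    prepare) gen_key_and_csr "${2:-example.com}" ;;
    install) install_files   "${2:-example.com}" ;;
    check)   check_installed "${2:-example.com}" ;;
esac
```

Usage: "sh startssl.sh prepare example.com", submit example.com.csr to StartSSL as described above and save the result as example.com.crt in the same directory, then "sh startssl.sh install example.com" as root and "sh startssl.sh check example.com". Only when the check passes (and "apache2ctl configtest" reports Syntax OK) is it worth reloading Apache.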