Using StartCom (StartSSL) to Generate valid SSL Certificates

StartCom operate a free of charge service which will allow anyone to generate SSL certificates which will validate in web browsers without the need to import a root CA. This is good.

Create a CA

If needed, create a new CA. You only need to do this once! If you have a CA, SKIP TO THE NEXT SECTION

# mkdir /CA
# cd /CA
# mkdir newcerts private
# echo '01' >serial
# touch index.txt
# chmod 700 /CA

Create a configuration file for OpenSSL. StartCom requires a SHA1 message digest and a key size of 2048 bits or better:

# vi openssl.cnf
# OpenSSL configuration file.

# Establish working directory. 
dir = . 

[ req ]
default_bits            = 4096                  # Size of keys
default_keyfile         = key.pem               # name of generated keys
default_md              = sha1                  # message digest algorithm
string_mask             = nombstr               # permitted characters
distinguished_name      = req_distinguished_name

[ req_distinguished_name ]
# Variable name           Prompt string
#----------------------   ----------------------------------
0.organizationName      = Organization Name (company)
organizationalUnitName  = Organizational Unit Name (department, division)
emailAddress            = Email Address
emailAddress_max        = 40
localityName            = Locality Name (city, district)
stateOrProvinceName     = State or Province Name (full name)
countryName             = Country Name (2 letter code)
countryName_min         = 2
countryName_max         = 2
commonName              = Common Name (hostname, IP, or your name)
commonName_max          = 64



# Default values for the above, for consistency and less typing.
# Variable name                   Value
#------------------------------   ------------------------------
0.organizationName_default      = Toastputer
localityName_default            = Stafford
stateOrProvinceName_default     = Staffordshire
countryName_default             = UK
emailAddress_default            = invalid.stocksy@toastputer.invalid.net

[ v3_ca ]
basicConstraints        = CA:TRUE
subjectKeyIdentifier    = hash
authorityKeyIdentifier  = keyid:always,issuer:always

[ v3_req ]
# Applied to requests only when [ req ] sets req_extensions = v3_req.
basicConstraints        = CA:FALSE
subjectKeyIdentifier    = hash

[ ca ]
default_ca              = CA_default

[ CA_default ]
serial                  = $dir/serial
database                = $dir/index.txt
new_certs_dir           = $dir/newcerts
certificate             = $dir/cacert.pem
private_key             = $dir/private/cakey.pem
default_days            = 365
default_md              = sha1 
preserve                = no
email_in_dn             = no
nameopt                 = default_ca
certopt                 = default_ca
policy                  = policy_match

[ policy_match ]
countryName             = match
stateOrProvinceName     = match
organizationName        = match
organizationalUnitName  = optional
commonName              = supplied
emailAddress            = optional

Create the CA certificate. 7300 days is 20 years, which should be ample. Do not forget the password that it prompts you for. Use a strong password, as the security of all your certs depends on it! If you lose this password, you will not be able to sign any certificates for this CA.

# openssl req -new -x509 -extensions v3_ca -keyout private/cakey.pem -out cacert.pem -days 7300 -config ./openssl.cnf

Make some directories to prevent us getting snowblind from all the similar filenames that will be created:

# mkdir csr keys certs

Generate a CSR and Private Key

If you already have a CSR from last year, SKIP TO THE NEXT SECTION

Generate a certificate signing request (CSR); this is the request we will submit to StartCom. When prompted, make sure that you set the CN (common name) to the FQDN (e.g. mx.toastputer.net) of the server you are installing the certificate on:

# TS=`date +%FT%T`
# openssl req -new -nodes -out csr/mx.toastputer.net-startssl-req-$TS.pem -keyout keys/mx.toastputer.net-startssl-key-$TS.pem -config ./openssl.cnf
Generating a 4096 bit RSA private key
.................................++
......................................................................................................++
writing new private key to 'keys/mx.toastputer.net-startssl-key-2011-01-19T22:08:03.pem'
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Organization Name (company) [Toastputer]:
Organizational Unit Name (department, division) []:
Email Address [stocksy@toastputer.net]:
Locality Name (city, district) [Stafford]:
State or Province Name (full name) [Staffordshire]:
Country Name (2 letter code) [UK]:
Common Name (hostname, IP, or your name) []:mx.toastputer.net

For the love of all that is good and pure DO NOT BE TEMPTED TO OMIT THE TIMESTAMP. The timestamp in the filename may look clumsy, but it will stop you accidentally overwriting another certificate or another certificate's private key. I've done this before and it left me looking mighty stupid.

Generate the Certificate

Log in to the StartCom StartSSL web site and use the certificate wizard to request a new Web server SSL/TLS certificate. If you haven't validated your domain within the last 30 days, you'll need to re-validate, but it's not much work. Skip the part where it wants to generate a private key - we already did this when we generated our CSR.

Paste in the CSR (csr/mx.toastputer.net-startssl-req-2011-01-19T22:08:03.pem) when requested.

Choose the domain you previously validated.

Tell it the common name (hostname) you specified earlier. This must be your server's FQDN. Do not make an error.

This screen confirms the hostnames for which your certificate will be valid. Last chance.

Here's your certificate:

Save it to certs/mx.toastputer.net-startssl-cert-2011.pem or similar. Do make sure you also grab the chain certificates, as it says. You could just do this with wget, although --no-check-certificate means the download itself is not authenticated:

# mkdir startssl ; cd startssl
# wget --no-check-certificate https://www.startssl.com/certs/sub.class1.server.ca.pem
# wget --no-check-certificate https://www.startssl.com/certs/ca.pem

Most software, like Apache, will have support for certificate and CA chain files like so,

SSLEngine On
SSLCertificateFile /etc/apache2/ssl/mx.toastputer.net/mx.toastputer.net-startssl-cert-2011.pem
SSLCertificateKeyFile /etc/apache2/ssl/mx.toastputer.net/mx.toastputer.net-startssl-key-2011.pem
SSLCertificateChainFile /etc/apache2/ssl/startssl/sub.class1.server.ca.pem
SSLCACertificateFile /etc/apache2/ssl/startssl/ca.pem

however, some do not. This can sometimes be worked around by simply concatenating the certificates in the following order (server certificate, then intermediate, then root):

# cd /CA
# cat certs/mx.toastputer.net-startssl-cert-2011.pem startssl/sub.class1.server.ca.pem startssl/ca.pem > certs/mx.toastputer.net-startssl-cert-chain-2011.pem

/CA/certs/mx.toastputer.net-startssl-cert-chain-2011.pem and /CA/keys/mx.toastputer.net-startssl-key.pem can now be used with most SSL/TLS-ready applications. Retain the key and CSR in the CA directory; they can be used to request another certificate next year.

Renewing

Locate the relevant CSR in the /CA/csr directory. If you still have the key in /CA/keys, this CSR can be used to request a new certificate. The timestamps will help to find the right request and key. If you're not sure, do not reuse the CSR: reusing a CSR whose key you no longer hold will result in obtaining a certificate for which you have no private key, which will therefore be unusable. The useless certificate will then have to be revoked by StartCom before you will be allowed to generate another one; they will charge $25 USD for this.
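
The chain and renewal steps above both depend on files that belong together: the chain must link the server certificate to the root, and a CSR or certificate is only usable with the private key it was made from. The following is an added example, not part of the original page; the function names, the throwaway hierarchy built by make_fixture and the name mx.example.test are constructed for illustration.

```shell
#!/bin/sh
# Added example: check that a key, CSR, certificate and chain belong together.
# Function names, the fixture and mx.example.test are constructed for the demo.

key_pub()  { openssl pkey -in "$1" -pubout 2>/dev/null; }
csr_pub()  { openssl req  -in "$1" -noout -pubkey 2>/dev/null; }
cert_pub() { openssl x509 -in "$1" -noout -pubkey 2>/dev/null; }

# True only if both public keys could be read and are identical.
same_pub() { [ -n "$1" ] && [ "$1" = "$2" ]; }
key_matches_csr()  { same_pub "$(key_pub "$1")" "$(csr_pub "$2")"; }
key_matches_cert() { same_pub "$(key_pub "$1")" "$(cert_pub "$2")"; }

# $1 = root CA, $2 = intermediate CA, $3 = server certificate.
chain_verifies() {
    openssl verify -CAfile "$1" -untrusted "$2" "$3" >/dev/null 2>&1
}

# Build a throwaway root -> intermediate -> server hierarchy in directory $1.
make_fixture() {
    d=$1
    printf '[req]\ndistinguished_name=dn\n[dn]\nCN=Common Name\n[ca]\nbasicConstraints=critical,CA:TRUE\n' > "$d/t.cnf"
    newreq() {   # $1 = file stem, $2 = common name
        openssl req -new -newkey rsa:2048 -nodes -config "$d/t.cnf" \
            -subj "/CN=$2" -keyout "$d/$1.key" -out "$d/$1.csr" 2>/dev/null
    }
    newreq root "Constructed Root";  newreq sub "Constructed Sub CA"
    newreq srv "mx.example.test";    newreq other "mx.example.test"
    openssl x509 -req -in "$d/root.csr" -signkey "$d/root.key" -days 2 \
        -extfile "$d/t.cnf" -extensions ca -out "$d/root.pem" 2>/dev/null
    openssl x509 -req -in "$d/sub.csr" -CA "$d/root.pem" -CAkey "$d/root.key" \
        -set_serial 2 -days 2 -extfile "$d/t.cnf" -extensions ca \
        -out "$d/sub.pem" 2>/dev/null
    openssl x509 -req -in "$d/srv.csr" -CA "$d/sub.pem" -CAkey "$d/sub.key" \
        -set_serial 3 -days 2 -out "$d/srv.pem" 2>/dev/null
}

demo=$(mktemp -d) && make_fixture "$demo"
key_matches_csr  "$demo/srv.key"   "$demo/srv.csr" && echo "key matches CSR"
key_matches_cert "$demo/srv.key"   "$demo/srv.pem" && echo "key matches certificate"
key_matches_cert "$demo/other.key" "$demo/srv.pem" || echo "other key rejected"
chain_verifies "$demo/root.pem" "$demo/sub.pem" "$demo/srv.pem" && echo "chain verifies"
rm -rf "$demo"
```

Against the real files, key_matches_csr takes a key from /CA/keys and a request from /CA/csr, and chain_verifies takes ca.pem, sub.class1.server.ca.pem and the issued certificate in that order.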