Using StartCom (StartSSL) to Generate valid SSL Certificates
StartCom operate a free of charge service which will allow anyone to generate SSL certificates which will validate in web browsers without the need to import a root CA. This is good.
Create a CA
If needed, create a new CA. You only need to do this once! If you have a CA, SKIP TO THE NEXT SECTION
# mkdir /CA # cd /CA # mkdir newcerts private # echo '01' >serial # touch index.txt # chmod 700 /CA
Create a configuration file for OpenSSL. The hash must be SHA1 with a size of 2048 or better for StartCom:
# vi openssl.cnf
# OpenSSL configuration file. # Establish working directory. dir = . [ req ] default_bits = 4096 # Size of keys default_keyfile = key.pem # name of generated keys default_md = sha1 # message digest algorithm string_mask = nombstr # permitted characters distinguished_name = req_distinguished_name [ req_distinguished_name ] # Variable name Prompt string #---------------------- ---------------------------------- 0.organizationName = Organization Name (company) organizationalUnitName = Organizational Unit Name (department, division) emailAddress = Email Address emailAddress_max = 40 localityName = Locality Name (city, district) stateOrProvinceName = State or Province Name (full name) countryName = Country Name (2 letter code) countryName_min = 2 countryName_max = 2 commonName = Common Name (hostname, IP, or your name) commonName_max = 64 # Default values for the above, for consistency and less typing. # Variable name Value #------------------------------ ------------------------------ 0.organizationName_default = Toastputer localityName_default = Stafford stateOrProvinceName_default = Staffordshire countryName_default = UK emailAddress_default = firstname.lastname@example.org [ v3_ca ] basicConstraints = CA:TRUE subjectKeyIdentifier = hash authorityKeyIdentifier = keyid:always,issuer:always [ v3_req ] basicConstraints = CA:FALSE subjectKeyIdentifier = hash distinguished_name = req_distinguished_name req_extensions = v3_req [ ca ] default_ca = CA_default [ CA_default ] serial = $dir/serial database = $dir/index.txt new_certs_dir = $dir/newcerts certificate = $dir/cacert.pem private_key = $dir/private/cakey.pem default_days = 365 default_md = sha1 preserve = no email_in_dn = no nameopt = default_ca certopt = default_ca policy = policy_match [ policy_match ] countryName = match stateOrProvinceName = match organizationName = match organizationalUnitName = optional commonName = supplied emailAddress = optional
Create the CA certificate - 7300 days is 20 years, should be ample. Do not forget the password that it prompts you for. Use a strong password as the security of all your certs depends on it! If you lose this password, you will not be able to sign any certificates for this CA.
# openssl req -new -x509 -extensions v3_ca -keyout private/cakey.pem -out cacert.pem -days 7300 -config ./openssl.cnf
Make some directories to prevent us getting snowblind from all the similar filenames that will be created:
# mkdir csr keys
Generate a CSR and Private Key
If you already have a CSR from last year, SKIP TO THE NEXT SECTION
Generate a certificate signing request (CSR), this is the request we will submit to StartCom. When prompted, make sure that you set the CN (common name) to the FQDN (eg mx.toastputer.net) for the server you are installing the certificate on:
# openssl req -new -nodes -out csr/mx.toastputer.net-startssl-req-`date +%FT%T`.pem -keyout keys/mx.toastputer.net-startssl-key-`date +%FT%T`.pem -config ./openssl.cnf
Generating a 4096 bit RSA private key .................................++ ......................................................................................................++ writing new private key to 'keys/mx.toastputer.net-startssl-key-2011-01-19T22:08:03.pem' ----- You are about to be asked to enter information that will be incorporated into your certificate request. What you are about to enter is what is called a Distinguished Name or a DN. There are quite a few fields but you can leave some blank For some fields there will be a default value, If you enter '.', the field will be left blank. ----- Organization Name (company) [Toastputer]: Organizational Unit Name (department, division) : Email Address [email@example.com]: Locality Name (city, district) [Stafford]: State or Province Name (full name) [Staffordshire]: Country Name (2 letter code) [UK]: Common Name (hostname, IP, or your name) :mx.toastputer.net
For the love of all that is good and pure DO NOT BE TEMPTED TO OMIT THE TIMESTAMP. The timestamp in the filename may look clumsy, but it will stop you accidentally overwriting another certificate or another certificate's private key. I've done this before and it left me looking mighty stupid.
Generate the Certificate
Log in to the StartCom StartSSL web site and use the certificate wizard to request a new Web server SSL/TLS certificate. If you haven't validated your domain within the last 30 days, you'll need to re-validate, but it's not much work. Skip the part where it wants to generate a private key - we already did this when we generated our CSR.
Paste in the CSR (
csr/mx.toastputer.net-startssl-req-2011-01-19T22:08:03.pem) when requested.
Choose the domain you previously validated
Tell it the common name (hostname) you specified earlier. This must be your server's FQDN. Do not make an error.
This screen confirms the hostnames for which your certificate will be valid. Last chance.
Here's your certificate:
Save it to
certs/mx.toastputer.net-startssl-cert-2011.pem or similar. Do make sure you also grab the chain certificates, as it says. You could just do this with wget:
# mkdir startssl ; cd startssl # wget --no-check-certificate https://www.startssl.com/certs/sub.class1.server.ca.pem # wget --no-check-certificate https://www.startssl.com/certs/ca.pem
Most software, like Apache, will have support for certificate and CA chain files like so,
SSLEngine On SSLCertificateFile /etc/apache2/ssl/mx.toastputer.net/mx.toastputer.net-startssl-cert-2011.pem SSLCertificateKeyFile /etc/apache2/ssl/mx.toastputer.net/mx.toastputer.net-startssl-key-2011.pem SSLCertificateChainFile /etc/apache2/ssl/startssl/sub.class1.server.ca.pem SSLCACertificateFile /etc/apache2/ssl/startssl/ca.pem
however, some do not. This is sometimes solved worked around by simply concatenating the certificates in the following order:
# cd /CA # cat certs/mx.toastputer.net-startssl-cert-2011.pem startssl/ca.pem startssl/sub.class1.server.ca.pem > certs/mx.toastputer.net-startssl-cert-chain-2011.pem
/CA/keys/mx.toastputer.net-startssl-key.pem can now be used with most SSL/TLS ready applications. Retain the key and CSR in the ca, they can be used to request another certificate next year.
Locate the relevant CSR from the
/CA/csr directory. If you still have the key in
/CA/keys this CSR can be used to request a new certificate. The timestamps will help to find the right request and key. If you're not sure, do not reuse the CSR, this will result in obtaining a certificate for which you have not private key, which will therefore be unusable. The useless certificate will then have to be revoked by StartCom before you will be allowed to generate another one; they will charge $25 USD for this.