SSL for free
Setting up free certificates
by Daniel Bachfeld
Owning a web server that has its own SSL certificate from a registered Certificate Authority (so it won't trigger any browser warnings) does have its advantages. However, the price of a certificate issued by Verisign or a similar vendor usually tends to put a quick end to such fanciful ideas. Israeli vendor StartSSL offers free SSL server certificates that are valid for a year.
Since StartSSL's root certificates are already included in all the mainstream browsers, opening a certificate from the vendor doesn't trigger any error messages. This article gives examples of all the steps required to add StartSSL certification, from signing up with StartSSL to integrating the certificate into an Apache web server under Linux.
The only requirement for obtaining a certificate for a domain is that a user must be able to receive emails to an administrative account (postmaster, hostmaster or webmaster). There are no additional checks to verify whether the user actually owns the respective domain (incidentally, this is similar to other CAs such as RapidSSL). Furthermore, an issued certificate is only useful if it can subsequently be installed on a server. Those who own a "business card" type of home page with a web hosting service cannot, therefore, use such a certificate because they don't have access to the server configuration.
The procedure is similar for Apache under Windows and Internet Information Server (IIS) under Windows. With IIS, the required steps need to be executed on the Microsoft Management Console (MMC).
The basic process of obtaining a certificate is always the same. The first thing to do is generate a pair of keys – a public key and a private key. Under Linux and BSD derivatives, this can, for instance, be done via
openssl genrsa -out example.com.key 2048
This example creates two keys with a length of 2048 bits each and saves them in the example.com.key file. Adding -des3 puts a password on the key, a password that will later be required when starting the web server. The command
openssl req -new -key example.com.key -out example.com.csr
Retrieves the public key from the key file and generates a "Certificate Signing Request" (CSR). The CSR usually contains information about the key owner such as their organisation, country, city, email address and the address of the server (Common Name, CN) for which the certificate is to be issued, in our case www.example.com. The CSR also contains the public key. The CSR is then sent to the Certificate Authority, which proceeds to create a certificate. The certificate, in turn, contains the public key, information about the owner and the issuer, and a digital signature of the issuer for all the information and the contained key. This ties the key to an identity. The finished certificate is then stored on the server and is provided to clients on request, at least in theory.