StartSSL offers free Class 1 SSL/TLS certificates for everyone. Their certificates are valid for one year, after which they have to be renewed (which is also free). Sounds like a fair deal. So let's get one!

In this post I’ll describe how to get your own SSL/TLS certificates from StartSSL. I assume that you already have a valid StartSSL account and that your domain name ownership has already been validated. This article won’t cover how to configure your web server to use the new certificate. If you’re looking for something like that, please refer to your web server documentation.

Create a private key and certificate request

First of all we need to create a private key and a certificate signing request (CSR). For demonstration I'll use example.com as the domain name. Remember to replace it with your own.

openssl genrsa -aes256 -out private-encrypted.key 2048

When generating the private key with the command shown above, you'll be asked to specify a pass phrase. I highly recommend doing so! Also make sure to back up your private key and the corresponding pass phrase in a secure location.

Now that we have the private key, we need to create the certificate request. To do this, the private key first needs to be decrypted again.

openssl rsa -in private-encrypted.key -out private-decrypted.key
openssl req -new -key private-decrypted.key -out example.com.csr

While creating the certificate request you will be asked for some input. As far as I know you only have to enter the 'Common Name' (your domain name); all other fields can be left empty. The certificate request should now have been written to the example.com.csr file.

With the certificate request we are now able to create the SSL/TLS certificate. To do that, log in at StartSSL and run the Certificates Wizard. When asked for a certificate target, choose Web Server SSL/TLS Certificate and continue. Next you will be offered to create a new private key. Since we already created our own private key, you can skip that step. Now you'll be asked to submit your certificate request. To do that, copy the content of the example.com.csr file via clipboard into the text box on the StartSSL page.

cat example.com.csr

After being asked for your domain name once again, your SSL/TLS certificate should be ready. Save it to a file called ssl.crt by pasting the content from the browser into the file via clipboard:

vim ssl.crt

If you are using a web server like Nginx, you need to create a unified certificate file consisting of your own certificate followed by the intermediate CA certificate:

wget http://www.startssl.com/certs/sub.class1.server.ca.pem
cat ssl.crt sub.class1.server.ca.pem > unified.crt
sudo mv unified.crt /etc/ssl/localcerts/example.com.crt
sudo mv private-decrypted.key /etc/ssl/localcerts/example.com.key
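As an added example that is not part of the original post, the following script builds the unified file the same way as above and checks two things before anything is moved into place: that the decrypted private key really belongs to the certificate, and that the file is in leaf-then-CA order. It assumes the openssl CLI is on PATH; a throwaway CA and example.com certificate are constructed locally so it runs offline, and with a real certificate you would pass ssl.crt and sub.class1.server.ca.pem instead.

```shell
#!/bin/sh
# Added example, not from the original post: build the unified certificate file
# and check it before moving it into place. Assumes the openssl CLI is on PATH.
# A throwaway CA and leaf certificate are constructed here so the script runs
# offline; with a real certificate pass ssl.crt and sub.class1.server.ca.pem.
set -eu
WORK=$(mktemp -d)

# Constructed sample input: a local CA and an example.com leaf it signs.
make_sample_chain() {
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=Sample CA" \
        -keyout "$WORK/ca.key" -out "$WORK/ca.pem" >/dev/null 2>&1
    openssl req -new -newkey rsa:2048 -nodes -subj "/CN=example.com" \
        -keyout "$WORK/example.com.key" -out "$WORK/example.com.csr" >/dev/null 2>&1
    openssl x509 -req -in "$WORK/example.com.csr" -CA "$WORK/ca.pem" \
        -CAkey "$WORK/ca.key" -CAcreateserial -days 1 \
        -out "$WORK/ssl.crt" >/dev/null 2>&1
}

# Leaf first, then the issuing CA: the server presents the first block as its
# own certificate, so a reversed file breaks the handshake for clients.
build_unified() {  # $1 leaf cert, $2 intermediate CA cert, $3 output file
    cat "$1" "$2" > "$3"
}

# Prints 1 when the (decrypted) private key belongs to the first certificate
# in the file, i.e. both carry the same RSA modulus; otherwise 0.
key_matches_cert() {  # $1 private key, $2 cert or unified file
    k=$(openssl rsa -noout -modulus -in "$1" | openssl sha256)
    c=$(openssl x509 -noout -modulus -in "$2" | openssl sha256)
    [ "$k" = "$c" ] && echo 1 || echo 0
}

# Prints 1 when the issuer of the first certificate equals the subject of the
# second, i.e. the unified file is in leaf-then-CA order; otherwise 0.
chain_order_ok() {  # $1 unified file
    certs=$(openssl crl2pkcs7 -nocrl -certfile "$1" | openssl pkcs7 -print_certs -noout)
    leaf_issuer=$(printf '%s\n' "$certs" | grep '^issuer=' | sed -n 1p)
    ca_subject=$(printf '%s\n' "$certs" | grep '^subject=' | sed -n 2p)
    [ "${leaf_issuer#issuer=}" = "${ca_subject#subject=}" ] && echo 1 || echo 0
}

# Build the sample chain and run both checks on it.
make_sample_chain
build_unified "$WORK/ssl.crt" "$WORK/ca.pem" "$WORK/unified.crt"
echo "key matches certificate: $(key_matches_cert "$WORK/example.com.key" "$WORK/unified.crt")"
echo "chain order correct:     $(chain_order_ok "$WORK/unified.crt")"
```

Only when both checks print 1 should the unified file and key be moved to /etc/ssl/localcerts/ as shown above.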

Congratulations! Your new SSL/TLS certificate is now located in /etc/ssl/localcerts/ and ready for use.