creating_valid_startssl_certificates

This is an old revision of the document!

Creating Validated StartSSL Certificates

this is just a bunch of steps i can't seem to remember each time i need a new certificate.. so i write it down in here :)

first of all you need to create a user account at startssl.com and download and install the mime certificate from them that will authenticate you against their service.

now you need to run the validations vizard and validate your ownership of the domain you need a certificate for

SSL Certificate

to create an ssl certificate you need to first create a Certificate Signing Request on your server (it's running ubuntu in my case)

  1. create a key 
    openssl genrsa -out server.key 2048

    this creates a key without a password which you most likely want to use if you need it for a webserver or such. it also means, that if your key is stolen anybody can run another service with the same key, so it is less secure..

  2. create the CSR 
    openssl req -new -key server.key -out server.csr

now go to the startssl.com webpage and enter the certificates wizard. chose web server ssl / tls certificate and continue

on the next screen choose skip

now on your server get the csr file contents 

cat server.csr

copy and paste this into the textarea on the startssl page and follow the wizard

when you receive the pem encoded certificate copy and paste it back to your server. in the terminal window wher you have your server shell enter 

cat > server.crt

then paste the certificate and hit return and then ctrl+D

now download the Certificate Chain File to your server

last but not least you need to make sure your apache ssl config is pointing to those files. make sure you have these lines in your virtual host configuration to enable and configure ssl for your site. of course you need to make sure the paths match your setup :) 

        SSLEngine on
        SSLProtocol all -SSLv2
        SSLCipherSuite ALL:!ADH:!EXPORT:!SSLv2:RC4+RSA:+HIGH:+MEDIUM
        SSLCertificateFile    /etc/ssl/certs/server.crt
        SSLCertificateKeyFile /etc/ssl/certs/server.key
        SSLCertificateChainFile /etc/ssl/certs/sub.class1.server.ca.pem

now reload apache

sec_error_ocsp_unknown_cert

shortly after updating (orp probalby also creating) a certificate with startssl firefox might not allow you to access the site, returning an error sec_error_ocsp_unknown_cert. this is because apparently startssl's ocsp server needs to reload its cached entries first in order for the new certificates to be usable through firefox. so just allow it some time to catch up and it should all work.

  • creating_valid_startssl_certificates.1437894269.txt.gz
  • Last modified: 26.07.2015 09:04
  • by Pascal Suter