Free SSL Certificate from StartCom (StartSSL)

I’ve been using a free SSL certificate from StartCom (StartSSL) for over 3 years now, on a number of different personal projects. I initially wanted one simply to say I could install an SSL certificate on an Ubuntu server running NGINX. Once I had a process, every site I’ve built since has been served over HTTPS (AKA HTTP over TLS, or Transport Layer Security).

This post is a guide through my process for managing free SSL certificates for the personal websites I manage. Keep in mind, my websites are hosted on a Digital Ocean VPS which I have built and manage via the command line. This post is overkill for most people, as many web hosts including Dreamhost, WP Engine, and SiteGround have jumped on board and automated the process, making it easy for everyone. A full list of shared web hosts that support Let’s Encrypt can be found here.

What is an SSL certificate?

When you browse the internet, your traffic passes through many computers along the way; each time you send data to them and receive data back. When you make those exchanges with a server over HTTPS instead of HTTP, the data is encrypted in transit, so anyone sitting in the middle cannot read it.

On the flip side, if you are connecting to plain HTTP sites, that conversation has no such protection.

E-commerce sites should always be HTTPS as they transfer sensitive information like credit card details and other personal information. The reality is, all our communications with websites should be secure. Let’s Encrypt—a non-profit—has over the last few years spearheaded a transition for the entire internet to make the switch to HTTPS. Symantec, a leader in digital security, has started a push through Encryption Everywhere.

The certificate authority Let’s Encrypt provides free SSL/TLS certificates through a somewhat automated process that the hosts mentioned above have all but built into even their basic shared hosting plans. Perhaps I’ll do a Let’s Encrypt SSL install guide for some common hosting at another time, but for now you can search some of the hosts listed above for a free SSL certificate from Let’s Encrypt.

Google has identified HTTPS as important, and ultimately as an SEO ranking signal. MOZ published a few other SEO benefits back in 2014. Google has plenty more reasons to be on HTTPS here.

The point is, you should be using an SSL certificate regardless of whether or not you transfer sensitive information like user names, passwords, or credit card information. If your current hosting doesn’t offer a free SSL certificate with all domains you host there, move hosts.

Free SSL certificate from StartCom (StartSSL)

Warning #2: this is not the easiest way to get a free SSL certificate. This is likely one of the more difficult ways, depending on your hosting setup.

In fact, this likely doesn’t apply to you for a couple reasons.

1/ This only applies to personal sites, i.e. non-commercial use. So if you need it for e-commerce, you need to pay $120 USD for the OV certificate from StartSSL.

2/ SSH and the terminal aren’t viewed as “tools” in your day to day. There is no shame in that. You haven’t wasted a bunch of time learning how to manage an Ubuntu server. Do NOT feel bad about that.

Check out the web hosts mentioned above (SiteGround, Dreamhost, and WP Engine) though, and consider moving your website. A host jumping on the free SSL certificate bandwagon early is likely a host interested in other ways to secure you and your users.

For those up early in the morning or late at night hoping they can somehow see a little green lock in front of their website’s address, hosted on an Ubuntu VPS running NGINX or Apache, before they stop reading this article, let’s get to work.

I try to do as much as I can on the server in this article to keep this OS agnostic, but here is the setup I am working with:

  • Mac OSX
  • OSX Terminal
  • FileZilla for password-less SFTP w/SSH key
  • Digital Ocean 1GB RAM VPS w/Ubuntu 14.04 x64
  • NGINX (Apache will be very similar)

You basically need SSH access to your server, and to know how to maneuver around it completing basic commands. It’s likely an Ubuntu server, but any other distro will work; if you run something other than NGINX you just need to translate the NGINX parts.

Setup StartSSL account

There was a time when this process needed a guide itself. That time has passed, and StartSSL now has a very straightforward signup process that requires no special instructions.

https://www.startssl.com/SignUp

I will mention that they are going through some changes, and you can only sign in with a single sign-on password, almost like two-factor authentication with your email.

Domain Validation

Now that we are logged into our StartSSL account and our email validation is complete, we need to validate the domain we want a certificate issued for. We head to Validation > Domain Validation (for SSL certificate).

After entering your domain name, the validation wizard gives us a list of email addresses it can send a code to, in order to validate our ownership of the domain name. I just set up a quick alias in my Google Apps account for the domain, or in Zoho if we went the free route on the project. If you need help here, what you are looking for is how to set up an alias on your email account for the domain that you are validating.

Once we can receive email at one of the offered addresses, we validate with the code we are sent.

Done, domain validated. You can click on the “order SSL certificate” button and leave that browser tab where it is.

Generate Key & CSR on Host

I like to generate the key and CSR on my Digital Ocean host. I can pull a copy down for safekeeping, but then just move the key where it needs to be and remove the password. Keeps it simple.

We are going to SSH into our server. I use a little app called Shuttle to organize my SSH connections, which opens them in the OSX terminal. I know, I’m not really a geek. Once we are logged in, we can go straight to our SSL folder, which with NGINX is located at /etc/nginx/ssl/.

$ sudo openssl req -newkey rsa:2048 -keyout example.com.key -out example.com.csr

Enter a PEM passphrase when prompted during generation above; we will remove the password for production after securely downloading a backup of the key. So download the example.com.csr and example.com.key files for safekeeping and to copy/paste the CSR into the StartCom certificate wizard.

I download over SFTP with a sudo user, but you can use SCP as well. Something like:

$ scp -P PORT# USER@SERVER:/etc/nginx/ssl/example.com.key /path/on/local/machine/

We now have example.com.key and example.com.csr on our local machine. example.com.key is password protected.

Issue free SSL certificate at StartSSL

Once we have the password-protected key and CSR saved for safekeeping, we also copy the contents of the example.com.csr we just downloaded to our clipboard. Open the file in a text editor and copy the contents, then head back to the StartSSL admin. We should still be on the Order SSL Certificate screen.

On the far right we want to select the DV certificate, and it should be the only one selectable. The wizard asks for the domains we want, allowing up to 10. Now, this isn’t a wildcard, but it is quite a few domains to be able to put on a single certificate for free. Enter each domain on a new line.

Then select Generated by Myself for the CSR and paste in the contents of the CSR file we downloaded and have open in a text editor. You should then get a download package with our newly issued certificates. In the ZIP file are three other ZIP files named Apache Server.zip, IIS Server.zip, Nginx Server.zip, Other Server.zip. Unzip the appropriate server package.

Install SSL certificate

We have to move files, so again SFTP or SCP the example.com_bundle.crt up to our server. With SCP that might be:

$ scp -P PORT# /path/on/local/machine/example.com_bundle.crt USER@SERVER:/etc/nginx/ssl/example.com_bundle.crt

Back on the server, we can also remove the password from the key:

$ sudo openssl rsa -in /etc/nginx/ssl/example.com.key -out /etc/nginx/ssl/example.com.key

Now in /etc/nginx/ssl/ we have example.com.key and example.com_bundle.crt.

Once we lock these down:

$ sudo chmod 644 /etc/nginx/ssl/example.com_bundle.crt
$ sudo chmod 400 /etc/nginx/ssl/example.com.key

We need to set up our server to use the new SSL key and certificate. Now, the pieces of code above are for an NGINX setup, but the process is near identical for an Apache server; only the folder where you put the SSL files on the server is likely different. Really, the only difference is in the server configuration, next.
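The openssl commands above are interactive and the steps are easy to get wrong between generating the key and restarting the web server (a bundle that doesn’t match the key, or a key left encrypted, both stop NGINX cold). The following is an added example, not code from the original post: POSIX shell helpers covering the key/CSR generation step and the install step. It assumes OpenSSL 1.1.1 or newer (for the -addext flag), and the file names, passphrase and domain list in it are hypothetical.

```shell
#!/bin/sh
# Added example, not from the original post: shell helpers for the key/CSR
# and install steps above. Assumes OpenSSL 1.1.1 or newer (for -addext) and a
# POSIX shell; file names, the passphrase and the SAN list are hypothetical.

# Generate a passphrase-protected 2048-bit RSA key and a CSR without prompts.
# The CSR carries a subjectAltName for the domain plus any extra names given,
# which is what you paste into the CA's "Generated by Myself" option.
# Usage: gen_key_csr DOMAIN OUTDIR PASSPHRASE [EXTRA_DNS_NAME...]
gen_key_csr() {
    domain=$1; outdir=$2; pass=$3; shift 3
    san="DNS:$domain"
    for alt in "$@"; do san="$san,DNS:$alt"; done
    # umask 077 so the encrypted key is never world-readable, even briefly
    ( umask 077; openssl req -new -newkey rsa:2048 -sha256 \
        -keyout "$outdir/$domain.key" -out "$outdir/$domain.csr" \
        -passout "pass:$pass" -subj "/CN=$domain" \
        -addext "subjectAltName=$san" >/dev/null 2>&1 ) || return 1
    # Check the CSR's own signature before submitting it to the CA
    openssl req -in "$outdir/$domain.csr" -noout -verify >/dev/null 2>&1
}

# Remove the passphrase so nginx can start unattended. The unencrypted copy is
# written with restrictive permissions under a temporary name and then moved
# into place, instead of rewriting the same path in place.
# Usage: strip_key_passphrase KEYFILE PASSPHRASE
strip_key_passphrase() {
    keyfile=$1; pass=$2
    ( umask 077; openssl pkey -in "$keyfile" -passin "pass:$pass" \
        -out "$keyfile.tmp" >/dev/null 2>&1 ) || return 1
    chmod 400 "$keyfile.tmp" && mv "$keyfile.tmp" "$keyfile"
}

# Confirm the installed certificate and private key are a pair. Comparing the
# public keys works for both RSA and EC keys, unlike the classic modulus trick.
# openssl x509 reads only the first PEM block of the .crt, i.e. the leaf of a bundle.
# Usage: cert_matches_key CERTFILE KEYFILE   (KEYFILE already unencrypted)
cert_matches_key() {
    crtpub=$(openssl x509 -in "$1" -noout -pubkey 2>/dev/null)
    keypub=$(openssl pkey -in "$2" -pubout 2>/dev/null)
    [ -n "$crtpub" ] && [ "$crtpub" = "$keypub" ]
}

# Succeed only if the leaf certificate is still valid DAYS days from now;
# handy in cron as a renewal reminder.
# Usage: cert_valid_for_days CERTFILE DAYS
cert_valid_for_days() {
    openssl x509 -in "$1" -noout -checkend $(( $2 * 86400 )) >/dev/null 2>&1
}

# Run the install-time checks together; returns non-zero on the first failure.
# Usage: preflight CERTFILE KEYFILE
preflight() {
    cert_matches_key "$1" "$2" || { echo "FAIL: certificate does not match key"; return 1; }
    cert_valid_for_days "$1" 30 || { echo "FAIL: certificate expires within 30 days"; return 2; }
    echo "OK: $1 matches $2 and is valid for at least 30 days"
}

# When run as a script with two arguments, check that cert/key pair.
if [ "$#" -ge 2 ]; then
    preflight "$1" "$2"
fi
```

Typical use on the server would be `preflight /etc/nginx/ssl/example.com_bundle.crt /etc/nginx/ssl/example.com.key` followed by `nginx -t` before reloading; running the checks first means a bad upload fails here rather than at reload time.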

Configure host

Ultimately the last step in setting our server up to serve HTTPS with an SSL certificate is to set up our vhosts or NGINX .conf file. This involves saying we want to listen on port 443, where the .key and .crt files are, and some SSL configuration. Here are the relevant portions of my nginx .conf file for our example.com domain:


server {
	listen 80;
	listen [::]:80;
	server_name example.com www.example.com;
	return 301 https://$server_name$request_uri;
}

server {
	listen 443 ssl http2;
	listen [::]:443 ssl http2;

	server_name example.com;

	ssl_certificate /etc/nginx/ssl/example.com_bundle.crt;
	ssl_certificate_key /etc/nginx/ssl/example.com.key;

	ssl_session_cache shared:SSL:10m;
	ssl_session_timeout 120m;
	ssl_buffer_size 4k;

	ssl_protocols TLSv1 TLSv1.1 TLSv1.2;

	ssl_prefer_server_ciphers on;
	ssl_ciphers "ECDH+AESGCM ECDH+AES256 ECDH+AES128 DH+3DES !ADH !AECDH !MD5";

	ssl_stapling on;
	ssl_stapling_verify on;
	ssl_trusted_certificate /etc/nginx/ssl/trustchain.crt;
	resolver 8.8.8.8 8.8.4.4 valid=300s;
	resolver_timeout 5s;

	...
}

The top server block redirects all non-HTTPS traffic from port 80 over to HTTPS with a 301 redirect, including www traffic. Because $server_name expands to the first name in the server_name directive, a request for www.example.com is redirected to https://example.com, which is the only name the HTTPS block below serves.

The second server block then handles HTTPS traffic on port 443 with HTTP/2 enabled. There is a bit of TLS optimization in there you can ignore, namely the OCSP stapling directives (ssl_stapling and friends), but everything else is pretty straightforward.

The ssl_certificate and ssl_certificate_key directives are the parts we are concerned with. We want these to point at the CRT and KEY files we created and uploaded to the server. Everyone has a different setup for their server, but hopefully you can decipher what you need from what I have here.
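One caveat on the config above as written: it still enables TLSv1 and TLSv1.1, and the cipher string keeps a 3DES suite (DH+3DES), both of which current TLS guidance disables (RFC 8996 formally deprecated TLS 1.0 and 1.1). The following is an added example, not from the original post: a small grep-based audit over an NGINX server block that flags those settings, a listen 443 line without the ssl parameter, and a missing HSTS header. The directive patterns are the standard NGINX ones; the config snippets it is tested against are constructed.

```shell
#!/bin/sh
# Added example, not from the original post: audit the TLS directives of an
# nginx config file and report settings that current guidance rules out.
# Prints one line per finding and returns the number of findings (0 = clean).
# Usage: audit_nginx_tls NGINX_CONF_FILE
audit_nginx_tls() {
    conf=$1; findings=0

    # ssl_protocols listing SSLv3, TLSv1 or TLSv1.1 (deprecated by RFC 8996).
    # The trailing [ ;] stops "TLSv1" from matching inside "TLSv1.2".
    if grep -Eq 'ssl_protocols[^;]*(SSLv3|TLSv1|TLSv1\.1)[ ;]' "$conf"; then
        echo "WARN: ssl_protocols enables TLS 1.1 or older"
        findings=$((findings + 1))
    fi

    # A 3DES suite that is enabled rather than excluded ([^!] rejects "!3DES").
    # 3DES is a 64-bit block cipher and is absent from modern cipher lists.
    if grep -Eq 'ssl_ciphers[^;]*[^!]3DES' "$conf"; then
        echo "WARN: ssl_ciphers enables a 3DES suite"
        findings=$((findings + 1))
    fi

    # Any listen directive on 443 that lacks the ssl parameter serves plaintext
    # on the HTTPS port; browsers then fail with a protocol error.
    if grep -E 'listen[^;]*443' "$conf" | grep -Evq ' ssl'; then
        echo "WARN: listen on 443 without the ssl parameter"
        findings=$((findings + 1))
    fi

    # HSTS tells returning browsers to skip the port-80 redirect entirely.
    if ! grep -q 'Strict-Transport-Security' "$conf"; then
        echo "INFO: no Strict-Transport-Security header configured"
        findings=$((findings + 1))
    fi

    return $findings
}

# When run as a script with a file argument, audit that file.
if [ "$#" -ge 1 ]; then
    audit_nginx_tls "$1"
fi
```

Run against the example.com config shown above it reports the legacy protocols, the 3DES suite and the missing HSTS header; the fix on the NGINX side is `ssl_protocols TLSv1.2 TLSv1.3;`, a cipher string without DH+3DES, and an `add_header Strict-Transport-Security` line in the 443 block.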

Further reading

I can’t stress this enough. The above process really isn’t the ideal setup for a free SSL certificate. I would highly recommend getting a shared hosting account at SiteGround (w/SSH access) and then enabling a Let’s Encrypt SSL for free, for a lot less work. SiteGround is fast as snot, and provides all the other benefits of CPanel. I’m moving a lot of my regular sites there, while still having a Digital Ocean box for playing with and testing on.

With that said, I started doing my SSL certificates long before Let’s Encrypt, and did it for the Ubuntu experience more than anything. It has come in handy with the StartSSL $119 OV certificate, which is installed and managed the same way after a bit more verification.

Hit me up on Twitter with any questions, concerns, or comments but hopefully I have comments setup sooner than later here.