UPDATE: Since most modern browsers yanked their trust for StartSSL certificates due to some funny business from StartCom, I no longer recommend StartSSL certs. I’ve switched all my certs over to LetsEncrypt (using the excellent Dehydrated script for easy setup and renewal). The article below remains here for historical purposes only.
There are a number of good reasons why you might want your own valid SSL certificate. Back in the day, self-signed certificates were popular because of the complexity and expense of SSL certificates signed by a Signing Authority. But today, there are a number of providers of free SSL certificates, so there are few excuses to keep using a self-signed one. This article will walk you through generating a valid, signed, and free SSL certificate for a single hostname. The signed SSL certificate can then be used to handle HTTPS on your web server, enable TLS on your mail server, or to replace a self-signed certificate in the GUI for third-party tools such as UBNT’s UniFi Controller.
Step 1: Sign up and Get Verified with StartSSL
There are a handful of free SSL certificate issuers out there (such as CAcert), but I’ve been a happy user of StartSSL – the self-proclaimed “Swiss Army Knife of Digital Certificates & PKI.” While their interface may not be as quite as slick as paid SSL providers (though it did get a recent upgrade), what StartSSL lacks in design they make up for in value. By the way, I am not being compensated in any way by StartSSL to write this article. I just really like their products, and have no reservations recommending them.
The first step is to sign up at StartSSL and verify your personal identity via email, and also verify that you have admin authority for your domain(s). I won’t go through all the verification steps here. Just follow the instructions on their website to get verified, and get to the Control Panel.
Eventually, you’ll reach the Certificates Wizard. Select a Web Server SSL/TLS Certificate. Put in the full hostname (hostname.example.com) for your server, then select the Generated by Myself option for the Certificate Signing Request. A text box for your CSR will appear.
Step 2: Generate Your Private Key and Certificate Signing Request (CSR)
Before you can submit your certificate request, you have to generate it, along with a private key, on the server where you plan to use it. I use an “SSL working directory” where I generate keys and CSRs, then I can move them to their various locations in a later step. On your server, create and jump into the directory where you’ll generate the necessary files with:
mkdir -p /etc/ssl cd /etc/ssl
Of course, you can choose any directory to temporarily store your SSL working files, and you may already have one. I use /etc/ssl because it’s easy to remember.
Once inside your /etc/ssl directory, do the following to generate a private key and the certificate signing request:
openssl req -newkey rsa:2048 -keyout hostname.example.com.key -out hostname.example.com.csr
You can use any filename you want for the .key and .csr files, but I like to include the hostname and full domain name of the server, so I can easily identify them later.
Answer all the questions that appear (you don’t have to answer ones marked “optional”). When it requests the Common Name, be sure to use the full hostname and domain name of the server where you plan to use the SSL certificate. If you make a typo anywhere along the way, you can CTRL+C out of it, or just run the command again to write a new key and CSR over the existing ones.
Once the command is finished, do an ls to see the key and CSR files you just created.
Your private key must be kept, well, private. So get into the habit of setting proper permissions for private keys immediately after making them. Do:
chmod 0640 hostname.example.com.key
Step 3: Generate your SSL Certificate
Display the contents of your CSR with:
cat hostname.example.com.csr
Copy the entire contents of the file (including the:
-----BEGIN CERTIFICATE REQUEST-----
and
-----END CERTIFICATE REQUEST-----
lines into your clipboard, then paste them into the text area of the StartSSL CSR request.
Hit the Submit button, and then select the specific subdomain and domain where others will “see” the certificate for verification, such as mail.example.com or www.example.com. This might be the same as the hostname and domain of your server, but it’s likely to be a CNAME that points to one or more different hosts. For the free Class 1 certificate, you can include your domain and only one subdomain. This means the certificate will work for example.com + www.example.com, or example.com + mail.example.com.
If you want your certificate to work for two or more subdomains in addition to the primary domain, you’ll need to pay $59.99 to become Class 2 verified. But the good news is that you can then generate unlimited Class 2 certificates, which allow multiple and/or wildcard subdomains on your certificates. That’s what I did years ago, and it’s still a bargain.
After your request is processed, you’ll be able to download the signed certificate from StartSSL.
Step 4: Download Your SSL Certificate and Authority Bundle
When downloading my certificate from StartSSL, I prefer to download it from the StartSSL Tool Box, because it allows me to get my certificate, as well as any intermediate and root certificates at the same time. To the Tool Box, then click Certificates List. Find your newly minted certificate (it should be at the top of the list), and click Retrieve. This will download a zip archive that contains your SSL certificate and the StartSSL root bundle in a variety of different formats for different uses. Upload the zip file to your server’s /etc/ssl working directory, and then unzip it… to reveal four more zip files. Most users will be interested in the ApacheServer.zip file, so unzip that and you’ll see the following two files:
- 1_root_bundle.crt
- 2_hostname.example.com.crt
Rename these files with:
mv 1_root_bundle.crt startssl-root-bundle.crt mv 2_hostname.example.com.crt hostname.example.com.crt
At this point, you should have your key file, certificate signing request (CSR) and SSL certificate (CRT) together in your /etc/ssl directory. It’s a good idea to backup all three files and store them somewhere secure. I use a secure USB key that I store in a fireproof safe. While you may never need your CSR again, and you can always download your CRT again from StartSSL, your .key file is irreplaceable at this point. If you lose it or accidentally delete it, you’ll have to revoke your certificate and start over, which will cost you $25.
Step 5: Put Your SSL Files Where You Want Them and Use Them
At this point, it’s up to you where you want to permanently store your .key and .crt files, and how you want to use them. You can keep them all in /etc/ssl, if you want. Old-school Linux geeks might move them to /etc/pki/tls/private and /etc/pki/tls/certs respectively. I at least recommend storing the .key and .crt files in separate directories, such as /etc/ssl/private and /etc/ssl/certs. Maybe you want to cover all your bases and create symlinks from /etc/ssl/private -> /etc/pki/tls/private and /etc/ssl/certs -> /etc/pki/tls/certs (that’s what I do). Just be aware of the ownership and permissions of the folders you use, and always make those permissions ensure that your private key is kept private.
Step 6: Including the StartSSL CA File in your Certificate Bundle
Certificates are about trust, and depending on how you plan to use your SSL certificate, you may need to “inform” your server that you trust StartSSL’s authority. A list of certificate authorities that your server trusts are stored in what’s often called a Certificate Bundle, Certificate Authority Bundle, or simply CA Bundle. If you have a pre-existing certificate bundle file somewhere on your server (such as ca-bundle.crt or cacert.pem), you may want to store it into your /etc/ssl or /etc/pki/tls/certs directory. Assuming your existing bundle is named ca-bundle.crt, you’ll need to add the StartSSL root bundle (the one you unzipped and renamed earlier) to your existing CA bundle with:
cat startssl-root-bundle.crt >> ca-bundle.crt
That’s It!
Congratulations. You’ve successfully generated a private key, certificate signing request (CSR), and downloaded a signed SSL certificate from a trusted certificate authority. You’ll have to renew it when it eventually expires, but you can do so by simply repeating the above steps and over-writing your old .key and .crt files with the new ones.
Now get out there and be secure!