Free SSL certificates without the browser warning? Yes! It's possible!

When I need SSL encryption for some admin panel on one of my websites I usually use the snakeoil certificate that comes with the Ubuntu installation (/etc/ssl/certs/ssl-cert-snakeoil.pem). But I cannot use this method for a serious web page where I would like to provide SSL for the visitors: browsers will warn because the certificate was not signed by a well-known certificate authority (CA).

The reason you might not want a CA to sign your certificate is that it costs money, or at least that is what I had been thinking until now. I just found this CA: http://www.startssl.com

Their site looks like crap (sorry) and they do not seem to be that well known. But the site works very well and you can get your signed certificate for free in just a few minutes!

Tell your webmaster friends! :D

This is how I generate my certificate signing request (CSR):

openssl genrsa -des3 -out website.com.key 2048                        # generate a passphrase-protected 2048-bit RSA key
openssl rsa -in website.com.key -out website.com.key.insecure           # write a copy without the passphrase, so Apache can start unattended
openssl req -new -key website.com.key.insecure -out website.com.csr     # create the CSR from that key

Then I use the website.com.csr at the startssl.com website to get my certificate which I save as: website.com.crt.

You also need some intermediate certificates installed on your server. Read more about that here: http://www.startssl.com/?app=25#31

After that, my Apache configuration for the website looks like this:

<VirtualHost *:80>
    ServerName website.com
    ServerAlias *.website.com

    DocumentRoot /home/username/files/websites/website.com/webroot/
    <Directory "/home/username/files/websites/website.com/webroot/">
        Order allow,deny
        allow from all
        AllowOverride All
    </Directory>
</VirtualHost>

<VirtualHost *:443>
    ServerName website.com
    ServerAlias *.website.com

    DocumentRoot /home/username/files/websites/website.com/webroot/
    <Directory "/home/username/files/websites/website.com/webroot/">
        Order allow,deny
        allow from all
        AllowOverride All
    </Directory>

    SSLEngine on
    SSLCertificateFile       /etc/apache2/certs/website.com.crt
    SSLCertificateKeyFile    /etc/apache2/certs/website.com.key.insecure
    SSLCertificateChainFile  /etc/apache2/certs/startcom/sub.class1.server.ca.pem
    SSLCACertificateFile     /etc/apache2/certs/startcom/ca.pem

    <FilesMatch "\.(cgi|shtml|phtml|php)$">
        SSLOptions +StdEnvVars
    </FilesMatch>
    <Directory /usr/lib/cgi-bin>
        SSLOptions +StdEnvVars
    </Directory>

    BrowserMatch "MSIE [2-6]" \
        nokeepalive ssl-unclean-shutdown \
        downgrade-1.0 force-response-1.0
    # MSIE 7 and newer should be able to use keepalive
    BrowserMatch "MSIE [17-9]" ssl-unclean-shutdown
</VirtualHost>
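As an added example (not code from the original post), here is a shell script that replays the CSR workflow above against a throwaway root and intermediate CA built inline, then runs the two checks worth doing before touching the Apache config: that website.com.key.insecure really belongs to website.com.crt, and that the certificate only verifies against ca.pem when the intermediate (sub.class1.server.ca.pem) is supplied, which is what SSLCertificateChainFile hands to browsers. The stand-in CA, ca.cnf and other.key are assumptions of this example, not StartSSL's files.

```shell
#!/bin/sh
# Added example, not part of the original post: build a throwaway root -> intermediate
# -> server certificate chain with openssl, then run the two checks that explain most
# "browser still warns after installing the CA-signed certificate" cases: the key on
# disk does not belong to the certificate, or the intermediate is not being served.
# File names mirror the post; the CA here is a constructed stand-in, not StartSSL.
set -e
WORK=$(mktemp -d); trap 'rm -rf "$WORK"' EXIT; cd "$WORK"
cat > ca.cnf <<'EOF'
[req]
distinguished_name = dn
x509_extensions = ca_ext
[dn]
[ca_ext]
basicConstraints = critical,CA:TRUE
keyUsage = keyCertSign,cRLSign
EOF
# Stand-in CA: a self-signed root (plays ca.pem) and an intermediate it signs
# (plays sub.class1.server.ca.pem).
openssl req -x509 -config ca.cnf -newkey rsa:2048 -nodes -keyout ca.key -out ca.pem \
  -days 2 -subj "/CN=Test Root" 2>/dev/null
openssl req -new -config ca.cnf -newkey rsa:2048 -nodes -keyout sub.key -out sub.csr \
  -subj "/CN=Test Sub CA" 2>/dev/null
openssl x509 -req -in sub.csr -CA ca.pem -CAkey ca.key -CAcreateserial -days 2 \
  -extfile ca.cnf -extensions ca_ext -out sub.class1.server.ca.pem 2>/dev/null

# Same CSR workflow as the post (unencrypted key -> CSR); the stand-in intermediate signs it.
openssl genrsa -out website.com.key.insecure 2048 2>/dev/null
openssl req -new -config ca.cnf -key website.com.key.insecure -out website.com.csr \
  -subj "/CN=website.com" 2>/dev/null
openssl x509 -req -in website.com.csr -CA sub.class1.server.ca.pem -CAkey sub.key \
  -CAcreateserial -days 2 -out website.com.crt 2>/dev/null
openssl genrsa -out other.key 2048 2>/dev/null   # an unrelated key, for the mismatch case

# Check 1: the private key pairs with the certificate (compare the public keys).
key_matches_cert() {   # $1 = key file, $2 = certificate file
  [ "$(openssl pkey -in "$1" -pubout)" = "$(openssl x509 -in "$2" -pubkey -noout)" ]
}
# Check 2: the server certificate chains to the trusted root given the intermediates
# the server sends. Leaving out -untrusted reproduces a missing SSLCertificateChainFile.
chain_verifies() {     # $1 = server cert, $2 = root CA file, $3 = intermediate ("" = none)
  if [ -n "$3" ]; then openssl verify -CAfile "$2" -untrusted "$3" "$1" >/dev/null 2>&1
  else openssl verify -CAfile "$2" "$1" >/dev/null 2>&1; fi
}

if key_matches_cert website.com.key.insecure website.com.crt; then echo "key/cert: match"; fi
if chain_verifies website.com.crt ca.pem sub.class1.server.ca.pem; then echo "chain: OK"; fi
if ! chain_verifies website.com.crt ca.pem ""; then echo "chain without intermediate: FAILS"; fi
```

On a real server, run the same two checks against the files referenced by SSLCertificateKeyFile, SSLCertificateFile, SSLCertificateChainFile and SSLCACertificateFile.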