Free SSL certificates without the browser warning? Yes! It's possible!
When I need SSL encryption for some admin panel on one of my websites I usually use the snakeoil certificate that comes with the installation of the Ubuntu OS (/etc/ssl/certs/ssl-cert-snakeoil.pem). But I cannot use this method for a serious web page where I would like to provide SSL for the visitors. The browsers will warn, as the certificate was not signed by a well-known certificate authority (CA).
The reason you might not want a CA to sign your certificate is that it costs money, at least that is what I have been thinking till now. I just found this CA: http://www.startssl.com
Their site looks like crap (sorry) and they do not seem to be that well known. But their site works very well and you can get your certificate signed for free in just a few minutes!
Tell your webmaster friends! :D
This is how I generate my certificate signing request (CSR):
openssl genrsa -des3 -out website.com.key 2048
openssl rsa -in website.com.key -out website.com.key.insecure
openssl req -new -key website.com.key.insecure -out website.com.csr
Then I use the website.com.csr at the startssl.com website to get my certificate which I save as:
You also need some intermediate certificates installed on your server. Read more about that here: http://www.startssl.com/?app=25#31
After that my Apache configuration for the website looks like this:
<VirtualHost *:80>
    ServerName website.com
    ServerAlias *.website.com
    DocumentRoot /home/username/files/websites/website.com/webroot/
    <Directory "/home/username/files/websites/website.com/webroot/" >
        Order allow,deny
        allow from all
        AllowOverride All
    </Directory>
</VirtualHost>

<VirtualHost *:443>
    ServerName website.com
    ServerAlias *.website.com
    DocumentRoot /home/username/files/websites/website.com/webroot/
    <Directory "/home/username/files/websites/website.com/webroot/" >
        Order allow,deny
        allow from all
        AllowOverride All
    </Directory>

    SSLEngine on
    SSLCertificateFile /etc/apache2/certs/website.com.crt
    SSLCertificateKeyFile /etc/apache2/certs/website.com.key.insecure
    SSLCertificateChainFile /etc/apache2/certs/startcom/sub.class1.server.ca.pem
    SSLCACertificateFile /etc/apache2/certs/startcom/ca.pem

    <FilesMatch "\.(cgi|shtml|phtml|php)$">
        SSLOptions +StdEnvVars
    </FilesMatch>
    <Directory /usr/lib/cgi-bin>
        SSLOptions +StdEnvVars
    </Directory>

    BrowserMatch "MSIE [2-6]" \
        nokeepalive ssl-unclean-shutdown \
        downgrade-1.0 force-response-1.0
    # MSIE 7 and newer should be able to use keepalive
    BrowserMatch "MSIE [17-9]" ssl-unclean-shutdown
</VirtualHost>
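Before pointing SSLCertificateFile and SSLCertificateKeyFile at these files, it is worth confirming that the CSR and the issued certificate carry the same public key as website.com.key.insecure, and that the unencrypted key is readable only by its owner. The script below is an added example, not part of the original post; the function names are hypothetical and the demo runs on a throwaway key and CSR constructed in a temporary directory.

```shell
#!/bin/sh
# Added example: pre-deployment checks for the key, CSR and certificate files.
# File names follow the post (website.com.*); function names are hypothetical.

# PEM public key derived from a private key file (empty output on failure).
key_pubkey() { openssl pkey -in "$1" -pubout 2>/dev/null; }

# True only if both public keys are non-empty and identical.
same_pubkey() { [ -n "$1" ] && [ "$1" = "$2" ]; }

# 0 if the CSR was generated from the given private key.
csr_matches_key() {
    same_pubkey "$(key_pubkey "$1")" \
                "$(openssl req -in "$2" -noout -pubkey 2>/dev/null)"
}

# 0 if the issued certificate carries the public key of the given private key.
cert_matches_key() {
    same_pubkey "$(key_pubkey "$1")" \
                "$(openssl x509 -in "$2" -noout -pubkey 2>/dev/null)"
}

# 0 if neither group nor others have any permission bits on the key file.
# An unencrypted key is protected by file permissions alone.
key_is_private() { [ "$(ls -ld "$1" | cut -c5-10)" = "------" ]; }

# Constructed demo: same commands as the post minus the passphrase step;
# -subj supplies the subject so openssl does not prompt.
demo() {
    d=$(mktemp -d) || return 1
    ( umask 077
      openssl genrsa -out "$d/website.com.key.insecure" 2048 2>/dev/null
      openssl req -new -key "$d/website.com.key.insecure" \
          -subj "/CN=website.com" -out "$d/website.com.csr" )
    csr_matches_key "$d/website.com.key.insecure" "$d/website.com.csr" \
        && echo "CSR matches key"
    key_is_private "$d/website.com.key.insecure" \
        && echo "key not accessible to group/others"
    rm -rf "$d"
}
demo
```

Once the signed certificate is saved, `cert_matches_key website.com.key.insecure <certificate file>` performs the same comparison against it.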