StartCom has operated the StartCom Certification Authority (CA) since 2005, providing several levels of SSL Certification Authorities for business and personal use. The first level, SSL CA, is provided for free without usage limitation. That is more than enough to have SSL installed on our website. Once registered, a client certificate is issued at no charge as proof of identity. You need this client certificate, in the browser it was installed in, to log onto StartCom. In the following steps, I will show how to get a StartCom client certificate.
- Visit StartCom website: https://www.startssl.com/
- Select "Control Panel", then "Express Lane". Carefully enter your personal/business information, then select "Continue".
- On receiving the verification code sent by StartCom via email, enter it in the required box, then choose "Continue".
- A further verification, which may take up to 24 hours, is then needed. When approved, open the URL provided in the approval email, enter the approval code, then continue.
- Select "Continue" in every step to use the default settings; provide a protection password when asked. Remember this password, as it is needed to import the certificate into the browser later. A "Congratulations" dialog is shown when the client certificate registration is done.
At this point, you are done with account registration at StartCom. You may want to export the client certificate from the browser to a file: in Firefox, select "Options" -> "Advanced" -> "Encryption", select the certificate, then choose "Back up". If the OS or browser is reinstalled for some reason, the client certificate needs to be imported from the backup file into the browser to log onto StartCom: in Firefox, select "Options" -> "Advanced" -> "Encryption" -> "View Certificates" -> "Your Certificates", browse for the backup file, then enter the protection password when asked.
Install StartCom SSL certificate for your website
Now I will show how to install the SSL certificate, assuming the domain name of the website being certified is "a.b.com".
1. Log into the StartCom website at: http://www.startssl.com/?app=1
2. Domain validation. This proves that you own the domain; a validation is valid for 30 days and must be redone after that. Follow the steps below:
  - Select "Validation Wizard".
  - Enter the domain name (base or first level), e.g. "b.com", then continue.
  - Select the right email address of the domain's owner, then continue.
  - Check your email, get the code, then return to this wizard.
  - If everything is done without problems, go to the next step.
3. Get the private key
  - Select "Certificates Wizard".
  - Certificate Target: Web server, continue.
  - Enter the domain name, then select "Generated by Myself". At the same time, use the following Linux command to generate the key pair files:

    # the command asks for a key password, which seals (encrypts) the key file
    openssl req -newkey rsa:2048 -keyout a.b.com.key.txt -out a.b.com.csr.txt

    Copy the content of the .csr file into the input box on the website, then select "Submit".
  - Generate the key file (this removes the password, so the web server can read the key without prompting):

    # enter the key password used in the previous step when asked
    openssl rsa -in a.b.com.key.txt -out a.b.com.key

  - Select "Certificate list" under "Tool box" on the website, then download the a.b.com.crt file.
  - Go to step 6.
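As an added example (not from the original post) of the key and CSR step above: this script generates the sealed key and the CSR for a.b.com non-interactively, strips the passphrase the way the second command does, and then verifies that the CSR, and later the issued certificate, actually belongs to the private key before anything is pasted into the wizard or deployed. The passphrase, the working directory and the self-signed stand-in certificate are constructed for the example; openssl must be installed.

```shell
#!/bin/sh
# Added example, not the original post's commands. Generates the key pair and
# CSR for a.b.com, strips the passphrase, and checks key/CSR/certificate agree.
# Assumptions: openssl on PATH; files go to $WORKDIR (constructed, temp dir by
# default); "a.b.com" is the placeholder domain used in the post.
set -eu

WORKDIR="${WORKDIR:-$(mktemp -d)}"
DOMAIN="a.b.com"
KEY_PASS="changeme-demo"   # constructed demo passphrase only

# Step 1: sealed key + CSR in one go (same as the post's "openssl req -newkey";
# -subj and -passout just avoid the interactive prompts).
gen_key_and_csr() {
    openssl req -newkey rsa:2048 \
        -keyout "$WORKDIR/$DOMAIN.key.txt" -passout "pass:$KEY_PASS" \
        -out "$WORKDIR/$DOMAIN.csr.txt" \
        -subj "/CN=$DOMAIN" 2>/dev/null
}

# Step 2: remove the passphrase so nginx can load the key without a prompt.
# The unsealed file must then be readable only by root.
strip_passphrase() {
    openssl rsa -in "$WORKDIR/$DOMAIN.key.txt" -passin "pass:$KEY_PASS" \
        -out "$WORKDIR/$DOMAIN.key" 2>/dev/null
    chmod 600 "$WORKDIR/$DOMAIN.key"
}

# Step 3: checks. CSR and certificate both embed the public key, so comparing
# modulus hashes catches a mixed-up key file before it reaches the server.
modulus_of_key() { openssl rsa  -noout -modulus -in "$1" | openssl sha256; }
modulus_of_csr() { openssl req  -noout -modulus -in "$1" | openssl sha256; }
modulus_of_crt() { openssl x509 -noout -modulus -in "$1" | openssl sha256; }

# The CSR must carry a valid self-signature, otherwise the CA rejects it.
csr_is_valid() { openssl req -noout -verify -in "$WORKDIR/$DOMAIN.csr.txt" >/dev/null 2>&1; }

csr_matches_key() {
    [ "$(modulus_of_csr "$WORKDIR/$DOMAIN.csr.txt")" = "$(modulus_of_key "$WORKDIR/$DOMAIN.key")" ]
}

# Stand-in for the certificate StartCom returns: a self-signed certificate from
# the same key (constructed for the demo). Apply the same check to the real a.b.com.crt.
make_demo_cert() {
    openssl x509 -req -days 1 -in "$WORKDIR/$DOMAIN.csr.txt" \
        -signkey "$WORKDIR/$DOMAIN.key" -out "$WORKDIR/$DOMAIN.crt" 2>/dev/null
}

crt_matches_key() {
    [ "$(modulus_of_crt "$WORKDIR/$DOMAIN.crt")" = "$(modulus_of_key "$WORKDIR/$DOMAIN.key")" ]
}

# A key from a different pair must NOT match; this shows the check is not vacuous.
wrong_key_is_rejected() {
    openssl genrsa -out "$WORKDIR/other.key" 2048 2>/dev/null
    ! [ "$(modulus_of_crt "$WORKDIR/$DOMAIN.crt")" = "$(modulus_of_key "$WORKDIR/other.key")" ]
}

# Stand-alone run: ./keycheck.sh run
if [ "${1:-}" = "run" ]; then
    gen_key_and_csr && strip_passphrase
    csr_is_valid && csr_matches_key && echo "CSR matches private key"
    make_demo_cert && crt_matches_key && echo "certificate matches private key"
    echo "files written to $WORKDIR"
fi
```

Run it once before submitting the CSR and again after downloading a.b.com.crt (pointing crt_matches_key at the real file instead of the demo certificate); a modulus mismatch means the wrong key file is about to be deployed. Keep the passphrase-less a.b.com.key owned by root with mode 0600, and keep the sealed a.b.com.key.txt as the backup copy.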
4. Request the domain certificate
  - Select the top domain (first level, e.g. "b.com"), continue.
  - Enter the sub-domain name, e.g. "a.b.com", continue.
  - Confirm the input, continue.
  - WAIT FOR THEIR APPROVAL of this certificate request.
  - Once you get the email (after 1h-3h), copy the serial number and visit the link provided in the email.
  - In the StartCom control panel, select "Tool box".
  - Select "Retrieve Certificate".
  - Select the sub-domain, e.g. "a.b.com", continue.
  - Copy the certificate content and save it to the "a.b.com.crt.txt" file.
5. Generate the key pair for the website. Where the instructions below mention a "class 1" certificate, use the "class 2" certificate instead.
6. Configure the nginx server. This installs the pair of key and certificate created above. In the server section:

    listen 443 ssl;
    listen [::]:443 ipv6only=on ssl;
    ssl_certificate     /path/to/a.b.com.crt;   # certificate retrieved from StartCom
    ssl_certificate_key /path/to/a.b.com.key;   # key file with the password removed
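Added example (not the original post's configuration): a complete nginx server block for a.b.com built around the two listen lines above, plus the HTTP-to-HTTPS redirect that usually goes with it. The /etc/nginx/ssl paths, the document root and the intermediate certificate's file name are assumptions for this example.

```nginx
# Added example, not the post's own config. Paths and file names are assumptions.
server {
    listen 443 ssl;
    listen [::]:443 ipv6only=on ssl;
    server_name a.b.com;

    # The end-entity certificate alone is usually not enough: clients also need
    # the CA's intermediate certificate to build the chain. nginx expects it
    # appended after the server certificate in a single file, e.g.
    #   cat a.b.com.crt startcom-intermediate.pem > a.b.com.chained.crt
    # ("startcom-intermediate.pem" is a placeholder; use the intermediate that
    # matches the certificate class you were issued).
    ssl_certificate     /etc/nginx/ssl/a.b.com.chained.crt;
    ssl_certificate_key /etc/nginx/ssl/a.b.com.key;   # passphrase-less key, root-only, mode 0600

    ssl_protocols TLSv1.2 TLSv1.3;
    ssl_prefer_server_ciphers on;
    ssl_session_cache shared:SSL:10m;

    root /var/www/a.b.com;
}

# Send plain-HTTP visitors to the HTTPS site instead of serving content on both.
server {
    listen 80;
    listen [::]:80;
    server_name a.b.com;
    return 301 https://$host$request_uri;
}
```

Check the result with `nginx -t` before reloading; a chain that is missing its intermediate shows up in browsers as an untrusted certificate even though the server certificate itself is valid.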
7. Reload nginx.
8. Additional work
  - Enable the HTTPS port, 443, in the firewall (ACCEPT allows the traffic; a DROP rule would block it):

    iptables -A INPUT -p tcp --dport 443 -j ACCEPT

  - Update iptables (save the rules so they persist).
That's it! Now, we can enjoy the website using https protocol. :)