StartCom - a free SSL provider

Published 11/9/2015 07:59:45 AM  |  Last update 5/7/2017 05:42:45 AM
Tags: https, ssl, https registration, StartCom, SSL certificate

StartCom has operated the StartCom Certification Authority (CA) since 2005, offering several classes of SSL certificates for business and personal use. The entry-level class (Class 1) is issued free of charge and without usage limits, which is more than enough to put SSL on a personal website. When you register, StartCom issues you a client certificate at no charge; it is your proof of identity, and you log on to StartCom by presenting it from the browser it was installed in, so that browser (or a backup of the certificate) is needed for every later login. The following steps show how to obtain a StartCom client certificate.

  1. Visit StartCom website: https://www.startssl.com/
  2. Select "Control Panel" then "Express Lane". Please carefully enter your personal/business information then select "Continue".
  3. On receiving the verification code StartCom sends by email, enter it in the box provided and choose "Continue".
  4. A further verification step follows, which may take up to 24 hours. When approved, open the URL given in the approval email, enter the approval code and continue.
  5. Select "Continue" at each step to accept the defaults, and set a protection password when asked. Remember this password: it is needed later to import the certificate into a browser. A "Congratulations" dialog is shown when the client certificate has been issued.

At this point, account registration at StartCom is complete. Back up the client certificate from the browser to a file: in Firefox, select "Options" -> "Advanced" -> "Encryption", select the certificate and choose "Back up". The backup file contains the private key, so store it somewhere safe. If the OS or browser is reinstalled for any reason, the client certificate has to be imported from that backup before you can log on to StartCom again: in Firefox, select "Options" -> "Advanced" -> "Encryption" -> "View Certificates" -> "Your Certificates", choose "Import", browse to the backup file and enter the protection password when asked.

Install StartCom SSL certificate for your website

Now I will show how to install the SSL certificate, assuming the website's domain name is "a.b.com".

  1. Log into StartCom website at: http://www.startssl.com/?app=1
  2. Domain validation. This proves that you control the domain; a validation is good for 30 days and must be repeated after that. Follow the steps below:
    • Select "Validation Wizard".
    • Enter the domain name (base or first level), e.g. "b.com", then continue.
    • Select the correct email address of the domain's owner, continue.
    • Check your email, get the code and return to the wizard.
    • If everything completes without problems, go to the next step.
  3. Get the private key
    • Select "Certificates Wizard".
    • Certificate Target: Web server, continue.
    • Enter the domain name, then select "Generated by Myself". At the same time, generate the key pair and certificate signing request (CSR) locally with the following Linux command. It asks for a passphrase that encrypts the key file, and then for the certificate subject; set the Common Name to the website's domain, a.b.com:
      # the command requires entering a key passphrase to seal the key file
      openssl req -newkey rsa:2048 -keyout a.b.com.key.txt -out a.b.com.csr.txt
      Copy the content of the .csr file into the input box on the website, then submit.
    • Generate the key file the web server will use (this strips the passphrase; enter the passphrase from the previous step when asked):
      # enter the key passphrase used in the previous step when asked
      openssl rsa -in a.b.com.key.txt -out a.b.com.key
    • Select "Certificate list" under "Tool box" on the website and download the a.b.com.crt file.
    • Go to step 6.
  4. Request for domain certificate
    • Select the top domain (first level, e.g. b.com), continue.
    • Enter the sub-domain name, e.g "a.b.com", continue.
    • Confirm the input, continue.
    • WAIT FOR THEIR APPROVAL of this certificate request.
    • Once the approval email arrives (typically 1-3 hours), note the serial number and visit the link provided in the email.
    • In the StartCom control panel, select "Tool box".
    • Select "Retrieve Certificate".
    • Select the sub-domain, e.g. "a.b.com", continue.
    • Copy the certificate content and save it as "a.b.com.crt.txt".
  5. Build the certificate and key files for the website. The instructions below assume a Class 1 certificate; if you were issued a Class 2 certificate, use the Class 2 intermediate instead of the Class 1 one.
    • Decrypt the private key using the passphrase entered when the key was created (skip this if you already did it in step 3). Without this step nginx/apache prompts for the passphrase every time it starts; with it, the key sits unencrypted on disk, so the file permissions set in the next step are its only protection.
      openssl rsa -in a.b.com.key.txt -out a.b.com.key
    • Protect the generated key from prying eyes:
      chmod 0600 a.b.com.key
    • Fetch the root CA and the Class 1 intermediate server CA:
      wget http://www.startssl.com/certs/ca.pem
      wget http://www.startssl.com/certs/sub.class1.server.ca.pem
    • Create a unified certificate from the issued certificate and the CA certificates (the server's own certificate must come first):
      cat a.b.com.crt.txt sub.class1.server.ca.pem ca.pem > a.b.com.crt
      NOTE: A certificate saved on Windows may lack a newline at the end of its last line. Add one (for example with vi) at the end of "a.b.com.crt.txt" before concatenating, so that in "a.b.com.crt" the end of that certificate and the start of "sub.class1.server.ca.pem" are on separate lines:
      -----END CERTIFICATE-----
      -----BEGIN CERTIFICATE-----
      a.b.com.crt and a.b.com.key are the certificate and private key for the website. Upload them to the server into a directory that only root can read.
  6. Configure the nginx server to use the key and certificate. In the server section:
    listen 443 ssl;
    listen [::]:443 ipv6only=on ssl;
    #ssl on;   # not needed when "ssl" is given on the listen directives
    ssl_certificate /a.b.com.crt;
    ssl_certificate_key /a.b.com.key;
  7. Reload nginx
    /etc/init.d/nginx reload
  8. Additional work
    - Open the https port (443) in the firewall. -A appends the rule, so if the INPUT chain already ends with a REJECT or DROP rule, use -I to insert it above that rule instead:
    iptables -A INPUT -p tcp --dport 443 -j ACCEPT
    - Save the rules so they survive a reboot. iptables-save only prints the rules to stdout; redirect them to the file your distribution restores at boot (for example /etc/iptables/rules.v4 with iptables-persistent on Debian/Ubuntu):
    iptables-save > /etc/iptables/rules.v4
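The key, CSR and chain-bundling steps above, as an added example that is not part of the original article: a POSIX shell script that runs them non-interactively and adds the checks worth running before uploading anything. StartCom's side of the process (CSR submission, the downloaded ca.pem and sub.class1.server.ca.pem) is replaced by a constructed local root and intermediate so the script runs offline; a.b.com, the passphrase and the file names are placeholders. It also reproduces the missing-newline pitfall from the NOTE in step 5, showing why a plain cat produces a bundle OpenSSL cannot parse and how to concatenate safely.

```shell
#!/bin/sh
# Added example (not from the article): the key/CSR/bundle steps done
# non-interactively, plus pre-deployment checks. Network steps are replaced by a
# constructed local root + intermediate so everything runs offline.
set -eu

WORK="$(mktemp -d)"
DOMAIN="a.b.com"            # placeholder domain, as in the article
KEY_PW="example-passphrase" # stands in for the interactive key passphrase

# Step 3: passphrase-protected key and CSR, subject given on the command line.
make_key_and_csr() {
  openssl req -new -newkey rsa:2048 -subj "/CN=$DOMAIN" \
    -keyout "$WORK/$DOMAIN.key.txt" -out "$WORK/$DOMAIN.csr.txt" \
    -passout "pass:$KEY_PW" 2>/dev/null
}

# Step 5: strip the passphrase so nginx can start unattended, then lock the
# plaintext key down to its owner.
strip_passphrase() {
  openssl rsa -in "$WORK/$DOMAIN.key.txt" -passin "pass:$KEY_PW" \
    -out "$WORK/$DOMAIN.key" 2>/dev/null
  chmod 0600 "$WORK/$DOMAIN.key"
}
key_perms() { ls -l "$WORK/$DOMAIN.key" | cut -c1-10; }   # -rw-------

# Constructed stand-in for the CA (root + Class 1-style intermediate).
make_test_ca() {
  printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign,cRLSign\n' > "$WORK/ca.ext"
  openssl req -new -newkey rsa:2048 -nodes -subj "/CN=Test Root" \
    -keyout "$WORK/root.key" -out "$WORK/root.csr" 2>/dev/null
  openssl x509 -req -in "$WORK/root.csr" -signkey "$WORK/root.key" -days 2 \
    -extfile "$WORK/ca.ext" -out "$WORK/ca.pem" 2>/dev/null
  openssl req -new -newkey rsa:2048 -nodes -subj "/CN=Test Intermediate" \
    -keyout "$WORK/int.key" -out "$WORK/int.csr" 2>/dev/null
  openssl x509 -req -in "$WORK/int.csr" -CA "$WORK/ca.pem" -CAkey "$WORK/root.key" \
    -CAcreateserial -days 2 -extfile "$WORK/ca.ext" \
    -out "$WORK/sub.class1.server.ca.pem" 2>/dev/null
}

# Step 4 stand-in: the intermediate signs the CSR. The issued certificate is
# then saved WITHOUT a trailing newline, reproducing the Windows pitfall.
issue_leaf() {
  openssl x509 -req -in "$WORK/$DOMAIN.csr.txt" -CA "$WORK/sub.class1.server.ca.pem" \
    -CAkey "$WORK/int.key" -CAcreateserial -days 2 -out "$WORK/$DOMAIN.crt.txt" 2>/dev/null
  pem="$(cat "$WORK/$DOMAIN.crt.txt")"   # $(...) drops trailing newlines
  printf '%s' "$pem" > "$WORK/$DOMAIN.crt.txt"
}

# The article's plain cat: the END marker of the leaf and the BEGIN marker of
# the intermediate end up fused on one line.
naive_bundle() {
  cat "$WORK/$DOMAIN.crt.txt" "$WORK/sub.class1.server.ca.pem" "$WORK/ca.pem" > "$WORK/naive.crt"
}

# Fixed bundle: append a newline after any file whose last byte is not one.
bundle_chain() {
  : > "$WORK/$DOMAIN.crt"
  for f in "$WORK/$DOMAIN.crt.txt" "$WORK/sub.class1.server.ca.pem" "$WORK/ca.pem"; do
    cat "$f" >> "$WORK/$DOMAIN.crt"
    [ -z "$(tail -c1 "$f")" ] || printf '\n' >> "$WORK/$DOMAIN.crt"
  done
}

# Checks. fused_markers counts END/BEGIN lines run together; verify_with_bundle
# validates the leaf up to the root using the bundle as the source of
# intermediates (a fused intermediate fails to parse, so verification fails);
# key_matches_cert confirms the private key belongs to the issued certificate.
fused_markers() { grep -c 'END CERTIFICATE----------BEGIN' "$1" || true; }
verify_with_bundle() {
  if openssl verify -CAfile "$WORK/ca.pem" -untrusted "$1" "$WORK/$DOMAIN.crt.txt" >/dev/null 2>&1
  then echo ok; else echo fail; fi
}
key_matches_cert() {
  a="$(openssl x509 -in "$WORK/$DOMAIN.crt.txt" -noout -pubkey)"
  b="$(openssl pkey -in "$WORK/$DOMAIN.key" -pubout)"
  [ "$a" = "$b" ] && echo yes || echo no
}

# Run the whole procedure; files are left in $WORK for inspection.
make_key_and_csr; strip_passphrase; make_test_ca; issue_leaf; naive_bundle; bundle_chain
```

Against the real StartCom files, drop make_test_ca and issue_leaf, point -CAfile at the downloaded ca.pem and use the downloaded sub.class1.server.ca.pem in the bundle; the `openssl verify -untrusted <bundle>` check is what catches a fused or misordered chain before nginx does, and the public-key comparison catches a certificate retrieved for the wrong CSR.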

That's it! Now we can enjoy the website over HTTPS. :)


© 2024 blog.tinyray.com  by tinyray