SSL how to: Get a server certificate from StartSSL.com

In this and a few later articles I am going to decribe how to install TLS/SSL certificate on lighttpd, vsftpd, Postfix, Dovecot, eJabberd and may be Apache. I also wanted to do this using the free SSL provider, StartSSL. However, if you are going to use certificate for testing & development purposes, you may want to read article about "self-signed" ssl certificates creation.

Install common CA certificates

$ aptitude install ssl-cert ca-certificates

Signup at StartSSL.com

Once your have registered you need to add your domain and the verify the domain addition from the email that gets sent out.

Create a Certificate Signing Request

$ openssl req -new -newkey rsa:2048 -nodes -keyout www_privatekey.pem -out www_csr.pem

Sample

Generating a 2048 bit RSA private key
 ..................................++++++
 ....................++++++
 writing new private key to 'www_privatekey.pem'
 -----
 You are about to be asked to enter information that will be incorporated
 into your certificate request.
 What you are about to enter is what is called a Distinguished Name or a DN.
 There are quite a few fields but you can leave some blank
 For some fields there will be a default value,
 If you enter '.', the field will be left blank.
 -----
 Country Name (2 letter code) [AU]:UA
 State or Province Name (full name) [Some-State]:Some state
 Locality Name (eg, city) []:Some City
 Organization Name (eg, company) [Internet Widgits Pty Ltd]:Some Organisation
 Organizational Unit Name (eg, section) []:IT
 Common Name (eg, YOUR name) []:www.example.org
 Email Address []:test@example.org
 
 Please enter the following 'extra' attributes
 to be sent with your certificate request
 A challenge password []:
 An optional company name []:

Verify the content of your request

You should also verify on content of request with

$ openssl req -in www_csr.pem -text -verify -noout

before sending it.

Send your public key to be signed by StartSSL authority

Request a new server certificate from the StartSSL web site. When you are asked for CSR paste content of 'www_csr.pem' to box.

Save your server certificate

Copy certificate from web page and put in 'www_certificate.pem' file. You check contents of this file with...

$ openssl x509 -in www_certificate.pem -text -noout

Test your server certificate

You should test your server certificate like this:

$ openssl verify www_certificate.pem 

If everything is working, you should see "OK", for example.

www_certificate.pem: OK

Here I should mention that you may not get OK response here (for example if you are working under Fedora Core), as sertificate does not contain CA servificates, you can concatenate certificates and verification will return OK response, but you really do not have to do this, as different software requires different settings. I will describe this in my later articles.

Posted by:
Enjoyed this post? Share and Leave a comment below, thanks! :)