
How to obtain and install an SSL certificate for free

November 14, 2011

Anyone operating a server, on any scale, should want a digital certificate to encrypt data between clients and services, whether for personal, office, or public use. This is a blanket statement, but it holds true no matter how you look at it.

With so many people connecting over WiFi or other untrusted networks to a growing number of different services (calendars, contacts, webmail, email, and so on), encryption is a must, whether via a VPN or by securing services one by one. Although I recommend VPNs, they are not always practical, affordable and sustainable. For remote email access, SSL/TLS is simpler and more direct, and you do not have to compromise on protection in the process.

Obtaining and installing a digital certificate can be technically daunting, even though it has a high utility value, so I'm here to make it easier by breaking it down into steps that someone with no knowledge of encryption or the command line should be able to follow.

I will begin with an explanation of how digital certificates are used to create encrypted sessions. Then I will describe how to get a free certificate from StartCom, before giving some examples of how to install certificates.

Secret Handshake

A digital certificate is presented in the form of a server-side TLS certificate. TLS stands for Transport Layer Security, and in common use it is a method that combines the advantages of public key cryptography, third-party (out-of-band) validation and session encryption.

(TLS is the modern name for SSL, the previous standard; the method is often written SSL/TLS so that people who know the older name understand it is the same thing. From here on we will call it TLS.)

Public key cryptography allows one party to send information to another, protected with a public key that can be freely distributed. The receiving party has a private key that is kept strictly confidential and is the only component that can extract the original message from the payload encrypted with the public key.

Public keys are unwieldy for encrypting long strings of text and for quickly encrypting data streams, such as file transfers, e-mail or web transactions. Philip Zimmermann created PGP in 1991 as a way around this. The public key transaction is used only to exchange a session key, which is a strong symmetric key: both parties use the same key to encrypt and decrypt. The key is passed with the utmost security through the public key transaction, which makes the process impenetrable to sniffers and "man in the middle" attacks.

Certificates can be generated by just about anyone, for any domain name and with any other information about a party; whoever produces a certificate need not be the rightful owner of the domain or of that information. So, just as with PGP and its open-source alternative GPG (and SSH, and many other similar methods), you need an out-of-band method to confirm that the party presenting the certificate really is who they say they are.

This is where certificate authorities (CAs) come in. A CA is a group that provides some level of validation, up to extensive validation (for Extended Validation certificates), that the party that had a certificate signed for a particular domain name really is that entity.

When you connect via a browser to a secure website, for example, the browser does some handshaking with the server, receives a certificate containing a public key and other data, and then turns to a CA to confirm that the certificate is valid.

CAs are pre-installed in browsers, client software and operating systems, with the CA itself validated by the software developer or OS maker. That is where the out-of-band trust in a CA comes from!

Firefox warns you when StartSSL requests a personal certificate to identify you.

If your browser is mathematically certain that the certificate is valid for the party at that domain, a key is exchanged and the session is encrypted.

You can sign your own digital certificates, essentially acting as your own CA, but that presents a problem. Because a client or operating system has no idea that GlennFleishmanCA is a real authority, the client or operating system must ask the user to accept a trust relationship. Depending on the process, the user may be able to trust a single session or not, or accept the certificate's authority permanently.

Within an organization, a self-signed cert can be made to work, because you can tell everyone to accept the CA's signature, or you can pre-install your own CA's root certificate on each person's computer. (This can be as simple as dragging a file into a system-wide key manager and clicking Import, or clicking through a few dialog boxes.)

But instead of all that labor and management, especially as new employees or colleagues come and go, it makes more sense to get a complete CA-validated certificate. And you can get one for free.
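The trust model described in this section, as an added example that is not from the original article: a toy CA signs a domain/key binding with textbook RSA, and a client checks it against a pre-installed trust store. The key sizes, the `PublicCA` name and the `mail.example.test` domain are constructed for illustration; real certificates use X.509 with padded signatures and much larger keys.

```python
import hashlib

E = 65537  # common RSA public exponent

def keypair(p, q):
    """Textbook RSA key from two primes: returns (public n, private d)."""
    return p * q, pow(E, -1, (p - 1) * (q - 1))

def digest(domain, server_n, n):
    """Hash the certificate body (domain + server public key) into Z_n."""
    body = f"{domain}|{server_n}".encode()
    return int.from_bytes(hashlib.sha256(body).digest(), "big") % n

def issue(ca_name, ca_n, ca_d, domain, server_n):
    """CA signs the binding between a domain name and a public key."""
    sig = pow(digest(domain, server_n, ca_n), ca_d, ca_n)
    return {"issuer": ca_name, "domain": domain, "key": server_n, "sig": sig}

def client_accepts(cert, wanted_domain, trust_store):
    """Browser-side check: known issuer, valid signature, matching name."""
    ca_n = trust_store.get(cert["issuer"])
    if ca_n is None:
        return False  # issuer not pre-installed: the client must warn the user
    if pow(cert["sig"], E, ca_n) != digest(cert["domain"], cert["key"], ca_n):
        return False  # body was altered or not signed by that CA's private key
    return cert["domain"] == wanted_domain

def mersenne(k):
    return 2**k - 1  # prime for the exponents used below

# Constructed toy keys built from Mersenne primes: far too weak for real use.
public_ca_n, public_ca_d = keypair(mersenne(127), mersenne(107))
own_ca_n, own_ca_d = keypair(mersenne(607), mersenne(521))
server_n, _ = keypair(mersenne(89), mersenne(61))
SITE = "mail.example.test"
trust_store = {"PublicCA": public_ca_n}  # what ships with the browser

good = issue("PublicCA", public_ca_n, public_ca_d, SITE, server_n)
own = issue("GlennFleishmanCA", own_ca_n, own_ca_d, SITE, server_n)
tampered = dict(good, key=own_ca_n)  # same signature, different public key

def demo():
    imported = dict(trust_store, GlennFleishmanCA=own_ca_n)  # root installed by hand
    return {
        "ca_signed": client_accepts(good, SITE, trust_store),
        "wrong_name": client_accepts(good, "bank.example.test", trust_store),
        "tampered_key": client_accepts(tampered, SITE, trust_store),
        "own_ca": client_accepts(own, SITE, trust_store),
        "own_ca_after_import": client_accepts(own, SITE, imported),
    }
```

The certificate from the private CA is rejected only because its issuer is missing from the trust store; once the root is imported, the same certificate passes, which is the per-machine management work the text describes.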

Start with StartSSL

StartCom's StartSSL service provides a Class 1 certificate free of charge, and charges more for stronger identity validation (see the comparison chart on its site). The basic Class 1 certificate does not confirm details; contact by e-mail at a known address for the domain is the only real verification. Class 2 or 3 certificates, which verify personal or organizational identity, are $40 for two years. Extended Validation certificates, which use the industry standard for verifying the requesting party, are $110 for two years, and tell the browser to display a green bar.

Although StartSSL is free, the process is not clear for those who have not created a certificate before. Let me walk you through the site.

StartSSL uses a personal S/MIME certificate, which you then use to log in after registration. This is certainly more complicated than requiring a username and password, but it is apparently much more reliable, because the cert cannot be intercepted over a network or captured by a keystroke logger. Someone would need direct access to your computer, possibly along with additional passwords, to gain access. (Once you have created the S/MIME certificate, you can also use it to sign emails in applications that support S/MIME.)

(Note: Safari 4 for Mac OS X is unable to interact properly with the StartSSL site for certificate download, validation or menu selection; use Firefox on Mac OS X, or Firefox or Internet Explorer on Windows, instead.)

Firefox handles personal certificates in the Options window, under Advanced > Encryption > Your Certificates.

1. Start at the authentication or registration page.

2. Click Register.

3. Complete the registration form with your personal details and click Continue. (StartSSL warns sternly against any attempt to provide false data here.)

4. Check the email account for the address you provided in step 3, get the validation code, enter it and click Continue to proceed.

5. Next, StartSSL generates the private key needed for the client authentication certificate it gives you. There is no reason to choose anything other than the 2048 (High Grade) option. Click Continue.

6. Click Install when the Install button appears. Installation should happen automatically in the background. In Firefox, the certificate is installed in an internal database, from which it can be exported. (If you want to use these credentials with another browser, you can download them again from the StartSSL site, or you can export the certificate from Firefox and drag or import it into any other browser on the same or another computer.)

7. Click Finish, and you are redirected to an authenticated control panel page.

The S/MIME cert is crucial for using the site again, so you should make a backup copy of the certificate. In Firefox, you can export a certificate via the Encryption tab of the Advanced preferences: select View Certificates, select the StartCom certificate in the Your Certificates tab and click Save. After you set the mandatory password and export the certificate, it can be imported into other programs that read the certificate format. See answer 4 of the FAQ for exporting from Internet Explorer.
