As you may know, in August 2014 Google announced that it had started using HTTPS as a ranking signal. Don’t worry about it too much: it is simply one more ranking signal among the roughly 200 signals Google is believed to use to rank websites. Google has stated, however, that its weight may change over time, as it encourages all site owners to switch from HTTP to HTTPS.
Are you a webmaster, or do you own one or more websites? In this article I’ll describe how to get a FREE SSL/TLS certificate for a simple case, without paying the $50-$60 that similar commercial services charge.
Why you can’t use a self-signed certificate
Yes, you can self-sign your certificate and install it on your server, but it is NOT verified by anyone, so browsers do not treat it as a valid certificate. When visitors come to your website, they get a warning about an untrusted connection and are asked to accept the certificate (by trusting it permanently). Why?
When you connect to a secure website through a browser, the browser performs a handshake with the server, receives a certificate containing a public key and some other fields, and then checks whether a CA vouches for that certificate. If the certificate carries a valid signature from a third party that your browser trusts, the browser will trust the remote server. That means you need a person or organization to confirm that your certificate is valid, and that is where certificate authorities (CAs) come in. A CA provides some level of validation, from cursory to extensive (in the case of Extended Validation certificates), that the party who requested a certificate for a given domain name is approximately that entity.
How To Get Your Very Own Free SSL Certificate
Most certificate authorities (CAs) charge a lot of money to verify your company before issuing an SSL certificate. For those of us who don’t run mission-critical portals, that is not an option. You can get one for free from StartComSSL and CAcert.
The drawbacks I found were:
- The main technical disadvantage is that if a free CA is not widely accepted by browser or operating system makers, the certificates it issues may not be trusted either.
- Only Class 1 validation is free, so I cannot get a free certificate that validates my identity.
- I didn’t get a reminder email when the certificate expired, and the certificate has to be renewed every year.
- A certificate being valid for only one domain is quite limiting. Every different subdomain needs its own certificate; free certificates can’t use UCC (multi-domain) or wildcards. This may get complicated quickly.
- You must back up your keys yourself: your login is based on a client certificate installed in your browser, and they don’t back it up for you. This can be a problem if you change computers or upgrade your OS without keeping a backup of the installed client certificate.
- Two things could cost you money:
  - If you need more features, or the full feature set of an SSL/TLS certificate, they’ll ask you to pay for a higher-level certificate.
  - If your certificate ever needs to be revoked, they will charge you a fee.
Get a FREE SSL/TLS Certificate from StartComSSL
StartCom’s StartSSL service offers a Class 1 certificate at no cost, with fees for higher levels of identity validation. Essentially, you pay for validation, not for certificates.
- A basic Class 1 certificate doesn’t validate all your details; an email to a known domain contact address is the only real check.
- A Class 2 or 3 certificate with your identity or your organization’s identity is $60 for two years. An extended validation certificate, which uses an industry standard for checking a submitter’s details, is $140 for two years and tells a browser to show a green bar on connection.
To get started, visit their signup page and enter your information.
They’ll email you a verification code. They tell you not to close the tab or navigate away from it, so just keep it open until you get the code and can paste it in.
You’ll need to wait for approval, but it should only take a few minutes. Once you’re approved, they’ll email you a special link and a verification code to type in.
That brings you to a screen to generate a private key. The key is generated inside your browser. You will be asked to generate a private key and offered the choice of High or Medium grade; go ahead and choose High. However, this isn’t the key you use to make your SSL certificate. It is used to create a separate “authentication certificate” that you will use to log in to StartSSL’s control panel from now on. You’ll make a separate certificate for your website later.
Once your key is ready, click Install. Your browser now holds your new client certificate, and you can log in to the StartSSL authentication areas with it. Click the Control Panel link again and choose the Authenticate option.
You will need to validate your domain name to prove that you own the domain you are setting up a certificate for. Click over to the Validations Wizard and set Type to Domain Name Validation.
Check the email inbox for the email address you selected. You will get yet another verification email at that address, so like before, copy and paste the verification code into the StartSSL website.
Next, go to the Certificates Wizard tab and choose to create a Web Server SSL/TLS Certificate. After you provide a private key password, you will receive an encrypted private RSA key (ssl.key).
When you click Continue, you will be asked which domain you want to create the certificate for, and then which subdomain. In most cases you want to choose www here, but you can pick a different subdomain if you’d like to use SSL on it. You then get a confirmation page before the certificate is processed.
When StartComSSL finishes, save your certificate as ssl.crt and use it on your VPS.
Don’t forget to also save the StartCom Root CA and StartSSL’s Class 1 Intermediate Server CA, because your server needs them to present a complete chain to visitors. Links to them are provided next to the Finish button, or you can find them in the Toolbox panel under StartCom CA Certificates.
CAcert Free Certificate Authority
CAcert is a completely free certificate authority. Its biggest disadvantage is that CAcert certificates are not currently trusted by any major browser.
- Its root is currently included only in a few open-source operating systems.
- You must complete a face-to-face validation for a certificate that lasts more than 6 months.
- No EV SSL Certificates are offered.
You can get your own free CAcert certificate by completing their registration form.
Setting up SSL/TLS for the Nginx and Apache web servers
For security reasons, StartSSL encrypts your private key (the ssl.key file), but your web server needs the unencrypted version to handle your site’s encryption. To decrypt it, copy it onto your server and run the following command, which writes the decrypted key to private.key:
```sh
$ openssl rsa -in ssl.key -out private.key
```
OpenSSL will ask you for a password; enter the one you typed on StartSSL’s website. Alternatively, you can use the Toolbox decryption tool in your StartSSL™ account, though that means pasting your private key into a third-party website, so decrypting locally is preferable.
Prerequisites
Before we get started, here is the list of things you need to have ready:
- ca.pem – StartSSL’s root certificate
- private.key – The unencrypted version of your private key (be very careful that no one else has access to this file!)
- sub.class1.server.ca.pem – StartSSL’s intermediate certificate
- ssl.key – The encrypted version of your private key (does not need to be copied to the server)
- ssl.crt – Your new certificate
- Make sure port 443 is open on your web server’s firewall.
Activating the SSL/TLS certificate for Nginx
We store all the required files in /etc/nginx/certs/.
Download the intermediate certificate from StartSSL (saved under the file name used in the rest of this guide):
```sh
$ sudo wget -O sub.class1.server.ca.pem https://www.startssl.com/certs/class1/sha2/pem/sub.class1.server.sha2.ca.pem
```
Create a unified certificate from your certificate and the CA certificates (the order matters: your certificate first, then the intermediate, then the root):
```sh
$ sudo sh -c 'cat ssl.crt sub.class1.server.ca.pem ca.pem > /etc/nginx/certs/ssl-unified.crt'
```
Configure your nginx server to use the new key and certificate (in the global settings or a server section):
```nginx
# An example nginx configuration from narga.net
server {
    listen 80;
    server_name narga.net;
    return 301 https://$host$request_uri;
}

server {
    listen 443 ssl;
    server_name narga.net;
    ssl_certificate /etc/nginx/certs/ssl-unified.crt;
    ssl_certificate_key /etc/nginx/certs/private.key;
}
```
Finally, check that the configuration is valid and restart your nginx service:
```sh
$ sudo nginx -t
$ sudo systemctl restart nginx
```
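Before restarting nginx it is worth checking the files you just assembled. The script below is an added example, not code from the original post or from StartSSL: it generates a constructed throwaway root, intermediate and leaf (stand-ins for ca.pem, sub.class1.server.ca.pem and ssl.crt) so it runs offline, emulates the encrypted ssl.key that the post decrypts, builds ssl-unified.crt in the right order, and checks that private.key matches ssl.crt and that the chain verifies. The toy-pass passphrase, the www.example.test name and the helper names are assumptions; on a real VPS you would run the three check functions against the StartSSL files instead.

```sh
#!/bin/sh
# Added example, not from the original post: build the unified chain file the
# nginx section needs and sanity-check key and chain before restarting nginx.
# A throwaway root, intermediate and leaf are generated here (constructed
# stand-ins for StartCom's root and Class 1 intermediate) so it runs offline.
set -e
WORK=$(mktemp -d); cd "$WORK"

printf 'basicConstraints=CA:TRUE\n' > ca.ext        # make the toy intermediate a CA
openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 2 -subj /CN=ToyRoot \
  -keyout root.key -out ca.pem 2>/dev/null
openssl req -newkey rsa:2048 -nodes -subj /CN=ToyClass1 -keyout int.key \
  -out int.csr 2>/dev/null
openssl x509 -req -in int.csr -CA ca.pem -CAkey root.key -CAcreateserial -days 2 \
  -sha256 -extfile ca.ext -out sub.class1.server.ca.pem 2>/dev/null
openssl req -newkey rsa:2048 -nodes -subj /CN=www.example.test -keyout plain.key \
  -out leaf.csr 2>/dev/null
openssl x509 -req -in leaf.csr -CA sub.class1.server.ca.pem -CAkey int.key \
  -CAcreateserial -days 2 -sha256 -out ssl.crt 2>/dev/null
# StartSSL delivers the key encrypted; emulate that with a constructed passphrase.
openssl rsa -in plain.key -aes256 -passout pass:toy-pass -out ssl.key 2>/dev/null

# The post's decryption step: strip the passphrase so the web server can load
# the key, and keep the decrypted file readable by its owner only.
decrypt_key() {  # $1 encrypted key  $2 passphrase  $3 output
  openssl rsa -in "$1" -passin "pass:$2" -out "$3" 2>/dev/null && chmod 600 "$3"
}

# Order matters: leaf first, then intermediate, then root, as nginx sends them.
build_unified_chain() {  # $1 leaf  $2 intermediate  $3 root  $4 output
  cat "$1" "$2" "$3" > "$4"
}

# nginx refuses to start when key and certificate disagree; compare public keys.
key_matches_cert() {  # $1 key file  $2 cert file
  [ "$(openssl pkey -in "$1" -pubout 2>/dev/null)" = \
    "$(openssl x509 -in "$2" -noout -pubkey)" ]
}

# Confirm the leaf chains up to the root through the intermediate.
verify_chain() {  # $1 root  $2 intermediate  $3 leaf
  openssl verify -CAfile "$1" -untrusted "$2" "$3" >/dev/null 2>&1
}

decrypt_key ssl.key toy-pass private.key
build_unified_chain ssl.crt sub.class1.server.ca.pem ca.pem ssl-unified.crt
key_matches_cert private.key ssl.crt && echo "private.key matches ssl.crt"
verify_chain ca.pem sub.class1.server.ca.pem ssl.crt && echo "chain verifies"
```

The files are left in the temporary directory printed by mktemp so you can inspect them; passing the passphrase with -passin is only acceptable for throwaway keys, so keep the interactive prompt for your real ssl.key.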
Activating SSL/TLS for the Apache server
First of all you have to load the mod_ssl module. Enable Apache’s SSL module, restart Apache, and create the directory that will hold the certificate files:
```sh
$ sudo a2enmod ssl              # Debian/Ubuntu; on RHEL-style systems install the mod_ssl package instead
$ sudo systemctl restart httpd  # the service is called apache2 on Debian/Ubuntu
$ sudo mkdir -p /etc/httpd/ssl
```
Copy the files you prepared in the previous section into the /etc/httpd/ssl folder on your VPS.
To configure a default SSL/TLS-aware virtual host, add at least the following lines to your httpd.conf or ssl.conf file:
```apache
LoadModule ssl_module modules/mod_ssl.so
Listen 443

<VirtualHost _default_:443>
    ServerName narga.net
    DocumentRoot /home/httpd/private
    ErrorLog /usr/local/apache/logs/error_log
    TransferLog /usr/local/apache/logs/access_log

    SSLEngine on
    # SSLv2 and SSLv3 are broken; RC4 is no longer considered safe, so it is excluded too
    SSLProtocol all -SSLv2 -SSLv3
    SSLCipherSuite HIGH:!aNULL:!MD5:!RC4

    # The server needs the decrypted key (private.key), not the encrypted ssl.key
    SSLCertificateFile /etc/httpd/ssl/ssl.crt
    SSLCertificateKeyFile /etc/httpd/ssl/private.key
    SSLCertificateChainFile /etc/httpd/ssl/sub.class1.server.ca.pem

    CustomLog /usr/local/apache/logs/ssl_request_log \
        "%t %h %{SSL_PROTOCOL}x %{SSL_CIPHER}x \"%r\" %b"
</VirtualHost>
```
If everything looks good, try accessing your site in your web browser using an HTTPS URL. If you see the green lock, you’re done.
Hi N,
I see you use a Digital Ocean VPS and that you stated that you run more than one website on a Droplet. How do you have, say, 5 SSL certificates on the same Droplet?
I have 5 completely different domains and want to get 5 StartSSL certificates for these 5 domains and install them on my Droplet – how do I do this?
Thanks,
JJ
Just follow this guide. I’ve done this, but I recommend you separate them, one per droplet.
How To Set Up Multiple SSL Certificates on One IP with Nginx
Thanks Narga,
Do you run any mail servers on your droplets?
If yes, then which do you use / recommend?
If not, then why? And who do you use?
I’m moving away from Hostgator too but not sure what to do about mail?
Thanks,
JJ
Currently, I’m not using any mail server because it’s hard to set up and has low authority for sending email (your emails will get caught in the Bulk or Spam folder). I use Gmail to send mail instead of a mail server; it’s configurable in php.ini. To send multiple emails as a newsletter task, I’m using Mailchimp.