StartSSL certificates with Apache mod_ssl

I have been using StartSSL for free SSL certificates for a while. They are great for personal projects: they are trusted by every device I have tried so far and they are issued almost immediately. You can test whether the certificate is trusted by accessing this post over https. Note that the certificates StartSSL generates cover both the root domain and the subdomain you select, so the SSL cert for www.sysadminblog.net is also valid for sysadminblog.net.


To get started with a StartSSL certificate, go to the website, sign up and get your account activated. There are different account levels: the free level (level 1) does not let you generate wildcard certificates; if you need those there is a small fee, after which you can generate unlimited wildcards. Once your account has been activated you need to validate your domain; do this from the “Validations Wizard” inside the StartSSL control panel (make sure you select domain validation). Once the domain has been validated you can continue to the next step.

Generate a CSR and key file (this is optional, but I prefer to do it myself). The following command generates two files, csr.csr and key.key. You do not need to fill in anything when prompted; just keep hitting enter, as the subject data in the CSR is not used anyway.

root@server:/tmp# openssl req -out csr.csr -new -newkey rsa:4096 -nodes -keyout key.key
Generating a 4096 bit RSA private key
...................................................................................++
......................................................++
writing new private key to 'key.key'
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [US]:
State or Province Name (full name) [Some-State]:
Locality Name (eg, city) []:
Organization Name (eg, company) [Internet Widgits Pty Ltd]:
Organizational Unit Name (eg, section) []:
Common Name (eg, YOUR name) []:
Email Address []:

Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:
An optional company name []:
root@server:/tmp#

Select the “Certificates Wizard” option from the StartSSL control panel. Select “Web Server SSL” from the “Certificate Target” drop-down and click continue. Skip the “Generate Private Key” step, since we have done this above. Paste the contents of the csr.csr file into the CSR text box and continue. The CSR file can then be removed; it is no longer needed.

Your SSL certificate will then either be issued instantly or held for validation, which usually takes about 10-15 minutes. Once the certificate has been issued it is time to install it.

Get a copy of the StartSSL CA certificate so clients do not see trust errors when they connect; which CA you need depends on your account level. In the StartSSL tool box select “StartCom CA Certificates” and download the appropriate one (for free accounts it is the “Class 1 Intermediate Server CA”). I will put the certificates in /etc/apache2/ssl for this example:

root@server:/tmp# wget -O /etc/apache2/ssl/startssl_class1_intermediate_ca.crt https://www.startssl.com/certs/sub.class1.server.ca.pem

Move the /tmp/key.key file to /etc/apache2/ssl/mysslsite.com.key. Select “Retrieve Certificate” from the StartSSL tool box and save that certificate as /etc/apache2/ssl/mysslsite.com.crt. Make sure you fix up the permissions so the private key is not world-readable.

You can then add the SSL vhost to Apache as usual, as an example:

<VirtualHost *:443>

  ServerAdmin [email protected]

  ServerName mysslsite.com
  ServerAlias www.mysslsite.com

  DocumentRoot /home/site/public_html/

  <Directory /home/site/public_html/>
    # Apache rejects a mix of +/- and bare options, so both carry a sign
    Options -Indexes +SymLinksIfOwnerMatch
    AllowOverride All
    Order allow,deny
    allow from all
  </Directory>

  # Include /etc/apache2/includes/mysslsite.com

  LogLevel warn
  ErrorLog /var/log/apache2/mysslsite.com-error.log
  CustomLog /var/log/apache2/mysslsite.com-access.log combined

  SSLEngine on
  SSLCertificateFile /etc/apache2/ssl/mysslsite.com.crt
  SSLCertificateKeyFile /etc/apache2/ssl/mysslsite.com.key
  SSLCertificateChainFile /etc/apache2/ssl/startssl_class1_intermediate_ca.crt
</VirtualHost>

If you leave out the SSLCertificateChainFile directive, clients will most likely report the certificate as untrusted. They need the intermediate CA certificate to build the chain of trust from your certificate up to a root they already have, so put it in the configuration.
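Before reloading Apache I like to confirm that the key, certificate and intermediate actually belong together. The script below is an added example, not part of the original post; it assumes openssl is on the PATH, and the throwaway CA and leaf it generates are constructed stand-ins for the StartSSL intermediate and the issued certificate.

```shell
# Added example, not from the original post: checks to run on the files under
# /etc/apache2/ssl before reloading Apache. Assumes openssl is on the PATH.
set -u

# 0 if the private key's public half matches the certificate's public key.
# Works for any key type; Apache would otherwise only complain at start-up.
key_matches_cert() {
  k=$(openssl pkey -in "$1" -pubout 2>/dev/null) || return 1
  c=$(openssl x509 -in "$2" -pubkey -noout 2>/dev/null) || return 1
  [ -n "$k" ] && [ "$k" = "$c" ]
}

# 0 if the leaf certificate was issued by the CA in $2. -partial_chain lets an
# intermediate (the post's Class 1 Intermediate Server CA) serve as the trust
# anchor without also supplying the StartCom root; needs OpenSSL 1.0.2 or later.
cert_chains_to() {
  openssl verify -partial_chain -CAfile "$2" "$1" >/dev/null 2>&1
}

# Private key readable by its owner only; chown to root when run as root.
lock_key() {
  chmod 600 "$1" || return 1
  if [ "$(id -u)" -eq 0 ]; then chown root:root "$1"; fi
}

# Constructed demo material standing in for the StartSSL intermediate and the
# issued certificate: a throwaway CA and a leaf it signs, in a temp directory.
demo=$(mktemp -d)
printf 'basicConstraints=critical,CA:TRUE\n' > "$demo/ca.ext"
openssl req -new -newkey rsa:2048 -nodes -subj '/CN=Demo Intermediate CA' \
  -keyout "$demo/ca.key" -out "$demo/ca.csr" 2>/dev/null
openssl x509 -req -in "$demo/ca.csr" -signkey "$demo/ca.key" -days 2 \
  -extfile "$demo/ca.ext" -out "$demo/ca.crt" 2>/dev/null
openssl req -new -newkey rsa:2048 -nodes -subj '/CN=mysslsite.com' \
  -keyout "$demo/site.key" -out "$demo/site.csr" 2>/dev/null
openssl x509 -req -in "$demo/site.csr" -CA "$demo/ca.crt" -CAkey "$demo/ca.key" \
  -CAcreateserial -days 2 -out "$demo/site.crt" 2>/dev/null

# On the real server, point these at mysslsite.com.key, mysslsite.com.crt and
# startssl_class1_intermediate_ca.crt instead of the demo files.
key_matches_cert "$demo/site.key" "$demo/site.crt" && echo "key matches certificate"
cert_chains_to "$demo/site.crt" "$demo/ca.crt" && echo "certificate chains to the CA"
lock_key "$demo/site.key" && echo "key permissions set to 600"
```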

With new certificates you may get an error similar to this when browsing to the site (this one is from Firefox):

Secure Connection Failed

An error occurred during a connection to mysslsite.com.

The OCSP server has no status for the certificate.

(Error code: sec_error_ocsp_unknown_cert)

This will resolve itself within about 24 hours or so; see the StartSSL forum topic on it. If you would like to disable OCSP as a temporary workaround (remember to enable it again when you are done), this can be done in Firefox by browsing to about:config and setting security.OCSP.enabled to “0” (“1” will enable checking again).
