StartSSL certificates with Apache mod_ssl

I have been using StartSSL for free SSL certificates for a while. They are great for personal projects: they are trusted by every device I have tried so far and they are issued almost immediately. You can test whether the certificate is trusted by accessing this post over https. Note that the certificates generated cover both the root domain and the subdomain you select (so the SSL certificate for www.sysadminblog.net is also valid for sysadminblog.net).

To get started with a StartSSL certificate, go to the website, sign up and get your account activated. There are different account levels: the free account level (level 1) does not let you generate wildcard certificates; for a small fee you can upgrade and generate unlimited wildcards. Once your account has been activated you need to validate your domain, which is done from the “Validations Wizard” inside the StartSSL control panel (make sure you select domain validation). Once the domain has been validated you can continue to the next step.

Generate a CSR and key file (this is optional, but I prefer to do it myself). The following command generates two files: csr.csr and key.key. You do not need to fill in anything when you are prompted; just keep hitting enter, as the CSR subject data will not be used anyway.

Select the “Certificates Wizard” option from the StartSSL control panel. Select “Web Server SSL” from the “Certificate Target” drop down and click continue. Skip the “Generate Private Key” step, since we have done this above. Paste the contents of the “csr.csr” file into the CSR text box and continue. The CSR file can then be removed; it is no longer needed.

Your SSL certificate will then either be issued instantly or held for validation. Validation usually takes about 10-15 minutes. Once the certificate has been issued it is time to install it.

Get a copy of the StartSSL CA certificate to avoid errors when clients connect; the CA differs depending on your account level. In the StartSSL tool box select “StartCom CA Certificates” and download the appropriate one (for free accounts it is the “Class 1 Intermediate Server CA”). I will put the certificates in /etc/apache2/ssl for this example:

Move the /tmp/key.key file to /etc/apache2/ssl/mysslsite.com.key. Select “Retrieve Certificate” from the StartSSL tool box and save that certificate as /etc/apache2/ssl/mysslsite.com.crt. Make sure you fix up the permissions on the private key so it is not world-readable.

You can then add the SSL vhost to Apache as usual, as an example:

If you leave the SSLCertificateChainFile directive out of the configuration you will most likely get an error about the SSL certificate not being trusted. The intermediate CA certificate is needed to establish the chain of trust, so include it in the configuration.
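The whole procedure above (key and CSR generation, file layout, private key permissions, the SSL vhost with SSLCertificateChainFile, and a chain check to run before restarting Apache) as one added example script. It is not the original post's own commands; the site name, the /etc/apache2/ssl paths and the intermediate file name startssl-class1-intermediate.pem are assumptions. SSL_DIR defaults to a temporary directory so the script can be dry-run; set SSL_DIR=/etc/apache2/ssl for the real install.

```shell
#!/bin/sh
# Added example (not the original post's commands): generate the key and CSR,
# lock down the key, render the SSL vhost and verify the issued certificate.
# SITE, SSL_DIR and the intermediate file name are assumptions; SSL_DIR defaults
# to a temp dir so this is safe to run as a dry run.
set -eu

SITE="${SITE:-mysslsite.com}"
SSL_DIR="${SSL_DIR:-$(mktemp -d)}"
CHAIN="$SSL_DIR/startssl-class1-intermediate.pem"   # the "Class 1 Intermediate Server CA" download

# Generate an unencrypted 2048-bit RSA key and a CSR with no interactive prompts.
# StartSSL ignores the CSR subject, so the CN given here does not matter.
gen_key_and_csr() {
    openssl req -new -newkey rsa:2048 -nodes -subj "/CN=$SITE" \
        -keyout "$SSL_DIR/$SITE.key" -out "$SSL_DIR/$SITE.csr" 2>/dev/null
}

# The private key must be readable by its owner only (Apache reads it as root
# at startup); the certificate and the chain file can stay world-readable.
fix_perms() {
    chmod 600 "$1"
}

# Returns 0 when a file's mode is exactly -rw------- (owner read/write only).
# Parses ls rather than stat so it behaves the same on GNU and BSD userlands.
owner_only() {
    [ "$(ls -l "$1" | cut -c1-10)" = "-rw-------" ]
}

# Render the SSL vhost. SSLCertificateChainFile is the directive that is easy
# to forget; without it clients cannot build the chain up to the StartCom root.
render_vhost() {
    cat <<EOF
<VirtualHost *:443>
    ServerName $SITE
    ServerAlias www.$SITE
    DocumentRoot /var/www/$SITE
    SSLEngine on
    SSLCertificateFile      $SSL_DIR/$SITE.crt
    SSLCertificateKeyFile   $SSL_DIR/$SITE.key
    SSLCertificateChainFile $CHAIN
</VirtualHost>
EOF
}

# Once the issued certificate is saved as $SSL_DIR/$SITE.crt: confirm it chains
# through the intermediate to a root in the system store, and that it matches
# the key we generated (same RSA modulus).
verify_install() {
    openssl verify -untrusted "$CHAIN" "$SSL_DIR/$SITE.crt" &&
    [ "$(openssl x509 -noout -modulus -in "$SSL_DIR/$SITE.crt" | openssl md5)" = \
      "$(openssl rsa -noout -modulus -in "$SSL_DIR/$SITE.key" | openssl md5)" ]
}

if command -v openssl >/dev/null 2>&1; then
    gen_key_and_csr
    fix_perms "$SSL_DIR/$SITE.key"
    owner_only "$SSL_DIR/$SITE.key" && echo "private key locked down: $SSL_DIR/$SITE.key"
    # After pasting $SSL_DIR/$SITE.csr into the Certificates Wizard and saving the
    # issued certificate as $SSL_DIR/$SITE.crt, run: verify_install
fi
render_vhost > "$SSL_DIR/$SITE-ssl.conf"   # copy into /etc/apache2/sites-available/
echo "vhost written to $SSL_DIR/$SITE-ssl.conf"
```

Run verify_install after the certificate has been issued and saved; a failing openssl verify here is the same missing-chain problem that shows up in the browser as an untrusted certificate, just caught before Apache is restarted.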

With new certificates you may get an error similar to this when browsing to the site (this is from Firefox):

This will resolve itself within about 24 hours or so; see the StartSSL forum topic on it. If you would like to disable OCSP as a temporary workaround (remember to enable it again when you are done), this can be done in Firefox by browsing to about:config and setting security.OCSP.enabled to “0” (“1” will enable checking again).
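Rather than guessing from the browser error, you can ask the certificate's own OCSP responder for its status from the server, which shows directly whether the responder knows about the freshly issued certificate yet. This is an added example, not from the original post; the file paths in the usage comment are the ones assumed for the install above, and the responder URL is read from the certificate itself rather than hardcoded.

```shell
#!/bin/sh
# Added example (not from the original post): query a certificate's OCSP
# responder so the "unknown/not yet known" status behind the Firefox error can
# be confirmed from the server. Paths are assumptions matching the install above.
set -eu

# Print the OCSP responder URL from the certificate's AIA extension
# (prints nothing if the certificate carries none).
ocsp_uri() {
    openssl x509 -noout -ocsp_uri -in "$1"
}

# Query the responder. $1 = server certificate, $2 = issuing (intermediate) CA
# certificate, used both to build the request and to verify the signed response.
# Exit status: 0 responder says "good"; 1 "revoked"/"unknown" or a transport
# failure (the response is printed so you can see which); 2 no OCSP URI.
check_ocsp() {
    cert="$1"; issuer="$2"
    url="$(ocsp_uri "$cert")"
    if [ -z "$url" ]; then
        echo "no OCSP URI in $cert" >&2
        return 2
    fi
    out="$(openssl ocsp -issuer "$issuer" -cert "$cert" -url "$url" -CAfile "$issuer" 2>&1)" || {
        echo "$out" >&2
        return 1
    }
    echo "$out"
    # openssl ocsp prints "<cert path>: good" (or revoked/unknown) per certificate
    echo "$out" | grep -q ': good$'
}

# Usage on the server from the install above (paths are assumptions):
#   check_ocsp /etc/apache2/ssl/mysslsite.com.crt \
#              /etc/apache2/ssl/startssl-class1-intermediate.pem
```

A status of "unknown" on a certificate issued a few hours ago is the condition the forum thread describes; once the responder reports "good" the browser error clears without any client-side change, so re-enable security.OCSP.enabled at that point if you turned it off.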
