Renewing my Free SSL certificate with StartCom

Since my Secure Sockets Layer (SSL) certificate needs are quite modest, I use the free SSL certificates from StartCom. Here are my instructions for renewing it, which is almost identical to the process for creating an SSL certificate with StartCom.

  1. Go to the main site, and log in with your StartSSL Open Identity certificate. Create one if need be.
  2. Validate your email address in the resulting dashboard. The validation will be in force for 30 days.
  3. Validate every domain you wish to renew.
  4. Generate the certificate for the domain you are renewing.
    1. Select the StartCom SSL Certificates Wizard.
    2. Choose Web Server SSL/TLS Certificate, and click Continue.
    3. Your validated domain should show in the list. Enter the domain you’re generating the keys for into the “Please enter your full hostname here” input field.
    4. Under “Please submit your Certificate Signing Request (CSR):” select “Generated by Myself”. You can use the form, but generally I remember reading that it’s more secure for you to generate your Certificate Request (CSR) and private key from it yourself, using an offline OpenSSL script invocation. The present a suitable openssl command invocation, to which I added the -subj option to avoid having it prompt me for that information:
      openssl req -new -newkey rsa:2048 -nodes -out eldon.me.csr -keyout eldon.me.key -subj "/C=US/ST=Georgia/L=Mableton/O=Eldon Carl Blancher III/CN=eldon.me"
      
    5. Copy the content of the CSR into the resulting form. It will look something like this:
      • -----BEGIN CERTIFICATE REQUEST-----
        BLAAAAAAAAAAAAAAAAAAAAAAAHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHH
        OBFUSCATTTTTTTTTTTTTTTTTTTTTTTTTTTTTTTTTTTTTTTTTTTTTTTTTTTTTEDDD
        BLAAAAAAAAAAAAAAAAAAAAAAAHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHH
        OBFUSCATTTTTTTTTTTTTTTTTTTTTTTTTTTTTTTTTTTTTTTTTTTTTTTTTTTTTEDDD
        BLAAAAAAAAAAAAAAAAAAAAAAAHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHH
        OBFUSCATTTTTTTTTTTTTTTTTTTTTTTTTTTTTTTTTTTTTTTTTTTTTTTTTTTTTEDDD
        BLAAAAAAAAAAAAAAAAAAAAAAAHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHH
        OBFUSCATTTTTTTTTTTTTTTTTTTTTTTTTTTTTTTTTTTTTTTTTTTTTTTTTTTTTEDDD
        BLAAAAAAAAAAAAAAAAAAAAAAAHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHH
        OBFUSCATTTTTTTTTTTTTTTTTTTTTTTTTTTTTTTTTTTTTTTTTTTTTTTTTTTTTEDDD
        BLAAAAAAAAAAAAAAAAAAAAAAAHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHH
        OBFUSCATTTTTTTTTTTTTTTTTTTTTTTTTTTTTTTTTTTTTTTTTTTTTTTTTTTTTEDDD
        BLAAAAAAAAAAAAAAAAAAAAAAAHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHH
        OBFUSCATTTTTTTTTTTTTTTTTTTTTTTTTTTTTTTTTTTTTTTTTTTTTTTTTTTTTEDDD
        BLAAAAAAAAAAAAAAAAAAAAAAAHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHH
        OBFUSCATTTTTTTTTTTTTTTTTTTTTTTTTTTTTTTTTTTTTTTTTTTTTTTTTTTTTEDDD
        BLAAAAAAAAAAAAAAAAAAAAAAAHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHH
        OBFUSCATTTTTTTTTTTTTTTTTTTTTTTTTTTTTTTTTTTTTTTTTTTTTTTTTTTTTED==
        -----END CERTIFICATE REQUEST-----

        The actual code has been obfuscated to protect it, I highly doubt that’s a valid CSR now.

    6. Click “Submit.” If the CSR is accepted, the resulting page should provide a link to the new certificate files (the “here” link), as a ZIP archive.
    7. Download and unpack the archive. There are several ZIP archives with in it, one for some possible web servers. The Apache.zip file contained two files:
      • 1_root_bundle_crt, renamed to startcom.crt
      • 2_eldon.me.crt, renamed to eldon.me.crt

        Now that the certificates are generated, I need to add them to my apache2 web server.

      1. My current sites-available/eldon.me apache2 configuration looks like this:
        <VirtualHost *:80>
        DocumentRoot /var/www/eldon.me
        ServerName www.eldon.me
        ServerAlias eldon.me
        ServerAdmin trey@blancher.net
        ErrorLog /var/log/apache2/eldon.me-error.log
        TransferLog /var/log/apache2/eldon.me-access.log
        RedirectPermanent / https://eldon.me/
        </VirtualHost>
        
        <VirtualHost *:443>
        ServerName www.eldon.me
        ServerAlias eldon.me
        ServerAdmin trey@blancher.net
        SSLEngine on
        SSLProtocol all -SSLv2 -SSLv3
        SSLCipherSuite ALL:!ADH:!EXPORT:!SSLv2:RC4+RSA:+HIGH:+MEDIUM
        SSLCertificateFile /etc/ssl/certs/eldon.me.pem
        SSLCertificateKeyFile /etc/ssl/private/eldon.me.key
        SSLCertificateChainFile /etc/ssl/certs/startcom_sub.class1.server.ca.pem
        SSLCACertificateFile /etc/ssl/certs/startcom_ca.pem
        DocumentRoot /var/www/eldon.me
        Customlog /var/log/apache2/eldon.me-access.log combined
        ErrorLog /var/log/apache2/eldon.me-error.log
        HostnameLookups On
        </VirtualHost>
        
        <Directory /var/www/eldon.me>
                Options FollowSymLinks            
        #       AllowOverride Limit Options FileInfo
          AllowOverride All
                DirectoryIndex index.php
        </Directory>                                  
        
      2. I changed these three lines:
        SSLCertificateFile /etc/ssl/certs/eldon.me.crt
        SSLCertificateKeyFile /usr/local/apache/conf/eldon.me.key
        SSLCertificateChainFile /usr/local/apache/conf/startcom.crt
        
      3. Reload apache2, and the new SSL certificate is loaded!