Renewing my Free SSL certificate with StartCom
Since my Secure Sockets Layer (SSL) certificate needs are quite modest, I use the free SSL certificates from StartCom. Here are my instructions for renewing one; the process is almost identical to creating a new SSL certificate with StartCom.
- Go to the main site, and log in with your StartSSL Open Identity certificate. Create one if need be.
- Validate your email address in the resulting dashboard. The validation will be in force for 30 days.
- Validate every domain you wish to renew.
- Generate the certificate for the domain you are renewing.
- Select the StartCom SSL Certificates Wizard.
- Choose Web Server SSL/TLS Certificate, and click Continue.
- Your validated domain should show in the list. Enter the domain you’re generating the keys for into the “Please enter your full hostname here” input field.
- Under “Please submit your Certificate Signing Request (CSR):” select “Generated by Myself”. You can use the form, but I remember reading that it is more secure to generate the private key and the Certificate Signing Request (CSR) yourself, with an offline openssl invocation, so the private key never leaves your machine. They present a suitable openssl command, to which I added the -subj option to avoid being prompted for that information:

    openssl req -new -newkey rsa:2048 -nodes -out eldon.me.csr -keyout eldon.me.key -subj "/C=US/ST=Georgia/L=Mableton/O=Eldon Carl Blancher III/CN=eldon.me"
- Copy the content of the CSR into the resulting form. It will look something like this:
    -----BEGIN CERTIFICATE REQUEST-----
    BLAAAAAAAAAAAAAAAAAAAAAAAHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHH
    OBFUSCATTTTTTTTTTTTTTTTTTTTTTTTTTTTTTTTTTTTTTTTTTTTTTTTTTTTTEDDD
    BLAAAAAAAAAAAAAAAAAAAAAAAHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHH
    OBFUSCATTTTTTTTTTTTTTTTTTTTTTTTTTTTTTTTTTTTTTTTTTTTTTTTTTTTTEDDD
    BLAAAAAAAAAAAAAAAAAAAAAAAHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHH
    OBFUSCATTTTTTTTTTTTTTTTTTTTTTTTTTTTTTTTTTTTTTTTTTTTTTTTTTTTTEDDD
    BLAAAAAAAAAAAAAAAAAAAAAAAHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHH
    OBFUSCATTTTTTTTTTTTTTTTTTTTTTTTTTTTTTTTTTTTTTTTTTTTTTTTTTTTTEDDD
    BLAAAAAAAAAAAAAAAAAAAAAAAHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHH
    OBFUSCATTTTTTTTTTTTTTTTTTTTTTTTTTTTTTTTTTTTTTTTTTTTTTTTTTTTTEDDD
    BLAAAAAAAAAAAAAAAAAAAAAAAHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHH
    OBFUSCATTTTTTTTTTTTTTTTTTTTTTTTTTTTTTTTTTTTTTTTTTTTTTTTTTTTTEDDD
    BLAAAAAAAAAAAAAAAAAAAAAAAHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHH
    OBFUSCATTTTTTTTTTTTTTTTTTTTTTTTTTTTTTTTTTTTTTTTTTTTTTTTTTTTTEDDD
    BLAAAAAAAAAAAAAAAAAAAAAAAHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHH
    OBFUSCATTTTTTTTTTTTTTTTTTTTTTTTTTTTTTTTTTTTTTTTTTTTTTTTTTTTTEDDD
    BLAAAAAAAAAAAAAAAAAAAAAAAHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHH
    OBFUSCATTTTTTTTTTTTTTTTTTTTTTTTTTTTTTTTTTTTTTTTTTTTTTTTTTTTTED==
    -----END CERTIFICATE REQUEST-----

The actual CSR text has been obfuscated to protect it; I highly doubt that is a valid CSR now.
- Click “Submit.” If the CSR is accepted, the resulting page should provide a link to the new certificate files (the “here” link), as a ZIP archive.
- Download and unpack the archive. It contains several ZIP archives, one for each of several possible web servers. The Apache.zip file contained two files:
- 1_root_bundle_crt, renamed to startcom.crt
- 2_eldon.me.crt, renamed to eldon.me.crt
- My current sites-available/eldon.me apache2 configuration looks like this:
    <VirtualHost *:80>
        DocumentRoot /var/www/eldon.me
        ServerName www.eldon.me
        ServerAlias eldon.me
        ServerAdmin trey@blancher.net
        ErrorLog /var/log/apache2/eldon.me-error.log
        TransferLog /var/log/apache2/eldon.me-access.log
        RedirectPermanent / https://eldon.me/
    </VirtualHost>

    <VirtualHost *:443>
        ServerName www.eldon.me
        ServerAlias eldon.me
        ServerAdmin trey@blancher.net
        SSLEngine on
        SSLProtocol all -SSLv2 -SSLv3
        # Note: RC4 is no longer considered safe; current guidance drops it from the cipher list.
        SSLCipherSuite ALL:!ADH:!EXPORT:!SSLv2:RC4+RSA:+HIGH:+MEDIUM
        SSLCertificateFile /etc/ssl/certs/eldon.me.pem
        SSLCertificateKeyFile /etc/ssl/private/eldon.me.key
        SSLCertificateChainFile /etc/ssl/certs/startcom_sub.class1.server.ca.pem
        SSLCACertificateFile /etc/ssl/certs/startcom_ca.pem
        DocumentRoot /var/www/eldon.me
        CustomLog /var/log/apache2/eldon.me-access.log combined
        ErrorLog /var/log/apache2/eldon.me-error.log
        HostnameLookups On
    </VirtualHost>

    <Directory /var/www/eldon.me>
        Options FollowSymLinks
        # AllowOverride Limit Options FileInfo
        AllowOverride All
        DirectoryIndex index.php
    </Directory>
- I changed these three lines:
    SSLCertificateFile /etc/ssl/certs/eldon.me.crt
    SSLCertificateKeyFile /usr/local/apache/conf/eldon.me.key
    SSLCertificateChainFile /usr/local/apache/conf/startcom.crt
- Reload apache2, and the new SSL certificate is loaded!
Now that the certificates are generated, I need to add them to my apache2 web server.
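As an added example (not part of the original post), here is a small POSIX shell script that wraps the same openssl steps with the checks worth running before reloading Apache: the key is generated with owner-only permissions, the CSR's CN is confirmed, the returned certificate is matched against the key, the chain is verified, and the expiry is checked. The function names, the sample domain and the file paths are my own assumptions; it needs only the openssl CLI.

```shell
#!/bin/sh
# Pre-flight helpers around the renewal steps above (constructed example; the
# function names, sample domain and paths are assumptions). Needs only the openssl CLI.

# Generate the 2048-bit RSA key and CSR offline, as in the post. umask 077 in a
# subshell makes the private key owner-readable only from the moment it is created.
gen_csr() { # gen_csr DOMAIN SUBJECT OUTDIR   e.g. gen_csr eldon.me "/C=US/CN=eldon.me" .
  ( umask 077 && openssl req -new -newkey rsa:2048 -nodes \
      -keyout "$3/$1.key" -out "$3/$1.csr" -subj "$2" 2>/dev/null ) || return 1
  chmod 644 "$3/$1.csr"    # the CSR is public; the key stays 0600
}

# Check that the CSR's CN is the hostname you are about to enter in the wizard.
# Matches both "CN=host" and "CN = host", which differ between openssl versions.
csr_has_cn() { # csr_has_cn CSR DOMAIN
  _d=$(printf '%s' "$2" | sed 's/\./\\./g')
  openssl req -noout -subject -in "$1" | grep -Eq "CN *= *$_d( |,|/|"'$)'
}

# The certificate the CA returns must carry the public half of the key Apache
# will load; comparing public keys catches a mixed-up or stale renewal.
cert_matches_key() { # cert_matches_key CERT KEY
  _c=$(openssl x509 -noout -pubkey -in "$1" 2>/dev/null) || return 1
  _k=$(openssl pkey -pubout -in "$2" 2>/dev/null) || return 1
  [ -n "$_c" ] && [ "$_c" = "$_k" ]
}

# Verify the leaf against the chain before pointing SSLCertificateChainFile at it.
# Assumes the chain file includes the root, as a root bundle does.
chain_verifies() { # chain_verifies CERT CHAIN
  openssl verify -CAfile "$2" "$1" >/dev/null 2>&1
}

# Renewal reminder: succeeds only if CERT stays valid for at least DAYS more days.
cert_valid_for_days() { # cert_valid_for_days CERT DAYS
  openssl x509 -noout -in "$1" -checkend $(( $2 * 86400 )) >/dev/null
}

# Run every check on the files Apache is about to load; the exit status is the verdict.
preflight() { # preflight DOMAIN CERT KEY CHAIN
  cert_matches_key "$2" "$3"  || { echo "$1: certificate does not match key" >&2; return 1; }
  chain_verifies "$2" "$4"    || { echo "$1: chain does not verify" >&2; return 1; }
  cert_valid_for_days "$2" 30 || { echo "$1: certificate expires within 30 days" >&2; return 1; }
  echo "$1: ok, safe to reload apache2"
}

# Stand-alone use: sh preflight.sh eldon.me eldon.me.crt eldon.me.key startcom.crt
if [ $# -eq 4 ]; then preflight "$@"; fi
```

Run it against the three files named in the changed configuration lines before the reload, so a mismatched key or an incomplete chain is caught by the script rather than by visitors' browsers.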