StartSSL tips
(this post is mainly my own notes, so it might not be that useful, but I decided to post it anyway so I’ll find it later)
Renew the client certificate in the browser
- Validate your email
“Validations Wizard” > Email address validation > [email protected]
Check your email for the validation code
Enter it in the question box
- Create certificate for your email
Certificates wizard > Certificate target: S/Mime and authentication
Get a website certificate
- Validate your domain
1.1) “Validations Wizard” > Domain name validation > [domain]
1.2) Email: webmaster@[domain]
1.3) Check your email for the validation code
1.4) Enter it in the question box
-
Go to Certificates wizard > Web server TLS certificate > Skip
-
Let’s sign a CSR in your own environment:
3.1) ONLY IF you don’t have private key generated yet:
$ openssl genrsa -out ssl.key 2048
3.2) Generate CSR (Certificate Signing Request) file.
$ openssl req -new -key ssl.key -batch -out [domain].csr
(The -batch switch only works with StartSSL.com, because all they grab from .csr is the public key)
3.3) Paste the contents of the .csr file to startssl
3.4) Add “www” as the subdomain, or something else if you know what you’re doing
3.5) Continue > Download the signed .crt file. Save it as [domain].crt
3.6) You can safely remove the .csr (signing request) file
3.7) In the settings of your tls-compliant software, point to the ssl.key and [domain].crt files
Optionally, you can bake them all into one file: cat ssl.key [domain].crt > certs.pem
Hat tips
For a few tips and tricks: http://n8.io/setting-up-free-ssl-on-your-node-server/