JRDN
Jason Roysdon dot Net

Free SSL Certificates

March 6th 2010 in Security

If you have your own domain, like roysdon.net, you may at some point want to be able to log in to a webpage, receive and send email, transfer files with FTP, and even connect to your own network with a virtual private network, or VPN. You'll want to do this securely so you know no one is watching your login authentication or data that you're transmitting.

Secure Sockets Layer, or SSL, is the means to accomplish this. Then you can log in from a PC and trust that your authentication and data isn't going to be intercepted or modified on the way from the PC to the server.

In order to use SSL you need at least one SSL certificate. While you can create an SSL certificate and self-sign it, the rest of the world will not trust it, and it'll cause error messages about being untrusted.

The important step in getting the rest of the world to trust your certificate is to have it signed by a Root Certificate Authority, or Root CA. Root CAs normally charge for this service, but you can get a CA-signed SSL certificate for free.

StartSSL has Class 1 SSL certificates for free. They have a simple-to-use interface. I've used them for 3 years and highly recommend them.

In order to get a free SSL certificate from StartSSL, they will first verify that you have control of your top-level domain (TLD). This is done using their Verification Wizard option for Domain Name Verification. StartSSL does this by sending an email to one of 4 options: postmaster@yourTLD, hostmaster@yourTLD, webmaster@yourTLD, or the email address listed in your TLD WHOIS information. The email will contain a URL you need to visit, which proves you have access to one of these domain-controlling email accounts.

Once you have proven that you have control of the domain, you can then use the Certificates Wizard to generate an SSL certificate and have StartSSL sign it. If you prefer to generate your own SSL certificate, you can skip the generation step and have StartSSL sign your Certificate Signing Request, or CSR.
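If you take the CSR route, the private key is generated on your own machine and only the CSR is submitted for signing. The following is an added example, not from the original post: it assumes the OpenSSL command-line tool is installed, the function names are hypothetical, and `example.test` in the usage comment is a placeholder domain.

```shell
#!/bin/sh
# Added illustration (not the author's or StartSSL's code).
# Generate a private key and CSR locally, then check that the CSR is
# intact and really belongs to that key before submitting it to a CA.

# make_csr DOMAIN OUTDIR: writes OUTDIR/DOMAIN.key and OUTDIR/DOMAIN.csr
make_csr() {
    domain=$1
    out=$2
    mkdir -p "$out" || return 1
    # Create the key under a restrictive umask so it is owner-readable only.
    ( umask 077
      openssl genrsa -out "$out/$domain.key" 2048 2>/dev/null ) || return 1
    # The CSR carries only the public key and the requested subject.
    openssl req -new -sha256 -key "$out/$domain.key" \
        -subj "/CN=$domain" -out "$out/$domain.csr"
}

# csr_matches_key CSR KEY: succeeds only if the CSR self-signature verifies
# and the public key inside the CSR is the one derived from KEY.
csr_matches_key() {
    # Match on the message text: older OpenSSL releases exit 0 even when
    # the self-signature check fails.
    openssl req -in "$1" -noout -verify 2>&1 | grep -q 'verify OK' || return 1
    csr_pub=$(openssl req -in "$1" -noout -pubkey | openssl sha256)
    key_pub=$(openssl pkey -in "$2" -pubout | openssl sha256)
    [ -n "$csr_pub" ] && [ "$csr_pub" = "$key_pub" ]
}

# csr_subject CSR: print the subject the CA will be asked to certify.
csr_subject() {
    openssl req -in "$1" -noout -subject
}

# Usage: sh make_csr.sh example.test ./certs
if [ $# -eq 2 ]; then
    make_csr "$1" "$2" &&
    csr_matches_key "$2/$1.csr" "$2/$1.key" &&
    csr_subject "$2/$1.csr"
fi
```

Only the `.csr` file is pasted into the signing wizard; the `.key` file stays on the server that will present the certificate.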

If things go properly, you will be issued a StartSSL Root CA-signed SSL certificate for your TLD. Now you can take the PEM Certificate, or CRT, and install it with your Apache webserver, Sendmail email server, Dovecot POP3 and IMAP4 server, OpenVPN server, and even Cisco ASA firewall for web-based SSL VPN services.

I'll be blogging soon about these steps, so check back, and enjoy your free SSL certificate from StartSSL.

Some additional notes:
The reason a certificate signed by a Root CA works anywhere in the world is that Mozilla's Firefox, Google's Chrome, Microsoft's Internet Explorer, Apple's Safari, and other browsers each have a Certificate Store. The CAs are supposed to be vetted and trusted organizations before they're allowed into these CA stores. Not every browser has the same standards for this.

For instance, Opera does not include the StartSSL Class 1 Free certificates. Opera is such a small player in the web browser market, I find it acceptable that their browser will still show warning messages for my websites.

Microsoft's Internet Explorer only added StartSSL as of September, 2009. However, if you automatically download Root Certificate updates for Windows, you'll have this update already. Windows 7 comes out of the box ready for StartSSL-signed certificates.
