Getting Free Real Server Certificate from StartCom
Ultidev Team
#1 Posted : Sunday, February 19, 2012 6:58:40 PM(UTC)
Overview

This series of posts by UltiDev Team is a step-by-step walk-through document describing how to obtain a 100% free, real X.509 digital SSL/server certificate signed by a publicly-trusted Certification Authority (CA) named StartCOM.

Encryption provided by StartCOM-made certificates is no different from that of certs by VeriSign or any other CA brand. Which CA signed the certificate has absolutely no effect on the certificate's encryption. CAs can differ only in the following:

  1. Procedures they use to verify certificate owner's identity;
  2. How well they are known to client operating systems, like Windows, iOS and Android;
  3. Price.

Since StartCOM has virtually the same identity verification processes as other CAs, and it is well-known to client OSes, its $0.00 price makes it an attractive choice for users who like free web servers. UltiDev is not affiliated, and is not in any kind of partnership or arrangement, with StartCOM. We recommend StartCOM because we think it provides the best value.

These posts will guide you through the somewhat unorthodox UI steps of the StartCOM web site.

Only the final part is about getting an actual certificate signed. The two parts at the top describe steps that need to be done only for the first certificate, or if the results of the two steps - your identity verification, and your site ownership verification - have expired and need to be renewed.

To Be Continued.
Please donate at http://www.ultidev.com/products/Donate.aspx to help us improve our products.
Ultidev Team
#2 Posted : Tuesday, February 21, 2012 9:40:22 PM(UTC)
Step 1 of 3: Creating Your Personal Credentials for StartCom CA

Unlike most web sites where you log in using a username and password, StartCom wants you to use a client certificate as your proof of identity. They will issue one for you, free of charge, but getting it is a multi-step process described here.

StartCom certificate issuance functionality does not support the Google Chrome browser, but does support IE, so to start please launch Internet Explorer, go to https://www.startssl.com/ and click the "Control Panel" button:



And on the next screen press the "Express Lane" button:



Here's the screen where you will need to enter, truthfully, information for your personal digital certificate:


After you have filled out the form above, press the "Continue" button and respond to the terms acceptance prompt screen. StartCom will need to ensure you truly own the email address you have provided by emailing you a confirmation code, which you will need to find in your email (quite possibly in the junk bin) and enter on the next screen:


On the screen above, please paste the confirmation code into the textbox and hit the "Continue" button.

What happens next is a bit odd: an “Additional verification required” screen may flash, and after a few seconds the browser will go to the StartCom home page. However, at this point StartCom will also send you a 24-hour, time-limited link by email (which also may end up in the junk folder) which should be followed in order to complete the process. It's important not to miss this message and to use the link within the 24-hour window:


Close the browser and click the link in the email, or paste the link into the browser's address bar and hit Enter to continue. It is possible that StartCom will again take you to the "Complete Registration" screen, where you will need to enter the verification code from the latest StartCom email message:



The next screen is where StartCom will work with your browser to create a personal digital certificate for you:


On the screen above, please select medium or high grade, and click the "Continue" button. There will be a confirmation screen, after which you will reach the "Install Certificate" screen:


On the screen above please press the "Install" button, and your personal certificate is installed:


Since the process was kind of long and somewhat painful, it's a good idea to back up your certificate by exporting it as a password-protected file using the MMC.exe console for Current User Certificates, or by following these personal cert backup instructions.
Ultidev Team
#3 Posted : Tuesday, February 21, 2012 9:42:58 PM(UTC)
Step 2 of 3: Proving to StartCOM You're the Rightful Owner of the Domain

Verification of domain ownership is step 2 of 3 in the process of obtaining a StartCom web server certificate. Step 1 (above) was obtaining a personal digital identity, an email certificate. The personal certificate is good for one year and therefore step 1 needs to be repeated only once a year. This second step - confirming domain ownership - once completed, makes you known to StartCom as an owner of a domain, and your status as a domain owner is good for 30 days with StartCom.

StartCom validates domain ownership by sending an email message with a verification link to the domain’s registered administrative email address. Therefore, before you begin this step, please check with your domain registrar to ensure you know and have access to the email address assigned to the domain.

Once again, StartCom certificate issuance functionality does not support the Google Chrome browser, but does support IE, so please be sure to use Internet Explorer.

Start by navigating to https://www.startssl.com/ and clicking the "Control Panel" button:



On the next screen click the "Authenticate" button:



To authenticate yourself, please select the personal certificate you created in the previous step:



Once you have successfully authenticated, you will be taken to the main StartSSL Control Panel. To continue, please click the "Validation Wizard" tab:



On the Validation Wizard screen, select the “Domain Name Validation” item from the drop-down list and hit "Continue":



Enter the domain name for which you are planning to obtain an SSL certificate. Please note that the "www." prefix is not required, as modern browsers will trust the certificate regardless of whether the domain name starts with "www." Hit "Continue" when ready:



On the next screen, please select an email address where StartCom can reach you. The email address should match the one assigned to your domain name in the domain registrar's records. Your ability to retrieve messages from an email address associated with the domain name is how the CA knows that you truly own the domain name.


After you have pressed the "Continue" button on the screen above, StartCom will email you a confirmation message at the address you selected in the previous step. Please find that email message (possibly in the Junk bin) and supply the verification code:


If everything went well, you should get the Verification Success message, which means you are ready to get your certificate signed by StartCom.
Ultidev Team
#4 Posted : Tuesday, February 21, 2012 9:43:31 PM(UTC)
Step 3 of 3: Getting Your Certificate Signed and Merged with Pending Certificate Request

Once you have created your personal digital ID for the StartSSL site and proved to StartCom your ownership rights to an Internet domain, you can continue on to creating an SSL server certificate for the domain.

To start, you will need to use UWS Explorer's Certificate Manager: click the "Create New Certificate" toolbar item and then start the process of creating a real certificate:


The next step will bring up the form where certificate attributes are specified. Please note that a certificate's encryption strength has nothing to do with which Certificate Authority will sign your certificate, and has to do with the strength of the encryption private key, which is generated locally and never leaves the computer (ideally). Until relatively recently, 1024-bit keys were common, but now many CAs, including StartCom, will not sign certificates that have a key smaller than 2048 bits. Making the key too large will make your site noticeably slower. UWS lets you choose one of several key sizes, from 1024 to 8192, with the default set to 2048.



The most important certificate attribute from the Certificate Authority's (StartCom's) point of view is the domain name. StartCom already knows at this point about a domain you own, so when you create a new certificate, please be sure to enter a domain name matching the name you had verified by StartCom. You should enter all other certificate attributes, but StartCom may ignore or modify them, since StartCom only verified that you (the owner of a given email address) own the domain name. Other CAs may have different policies, but it only makes sense that a CA will put in only attributes it could verify.

After you click OK on the screen above and create the key & unsigned certificate combo, you will get a window with gibberish text representing the certificate signing request (CSR):


The text above needs to be copied & pasted into the StartSSL web site in one of the subsequent steps, so you may click the button to copy the CSR to the clipboard, or save it as a text file.

Now you are ready to go back to StartSSL site's Control Panel, authenticate yourself and go to the "Certificates Wizard" tab:


On the screen above, please select “Web Server SSL/TLS Certificate” from the drop-down list and click the "Continue" button. On the next screen you will be prompted to create a private key, or to skip the step. You will need to skip this step because the private key was already generated locally on your computer. Please note that it's always a good idea to generate your private key locally and never let others, including CAs, create it for you - just to ensure that a third party will never-ever have your private key.


So please hit the "Skip" button on the screen above, and you will end up on the "Submit Certificate Request" screen, where you will need to paste that gibberish CSR text you created using the UWS Certificate Manager:


Click "Continue" on the screen above, and if everything went well you should get the "Certificate Request Received" screen, where you can click "Continue" to get to the domain selection screen. The next few screens will show how to add a subdomain to the domain. Having at least one subdomain is a StartSSL requirement. We'll add the "www." subdomain.


On the screen above please select the domain for which you are getting a certificate, and click "Continue" to get to the sub-domain form. Please enter "www" and hit "Continue".


Hit "Continue" on this confirmation screen:


You will be greeted with a vague "additional check required" screen. This is a dead end until you get a certificate readiness email message.


Soon you will receive "certificate ready" email message.


This means you can go back to the StartSSL control panel to get the certificate.


Once you have gone through the now-familiar authentication process, please go to the "Toolbox" area and click "Retrieve Certificate":


Now select your new certificate from the certificate list and hit "Continue":


Finally, select the text in the "Certificate" text area and copy it to the clipboard.


To finish certificate creation, merge the text on the clipboard into a certificate.

Click OK to have your cert ready to go.

If in the beginning you chose to make your certificate's key exportable, UWS Explorer may prompt you to back up the new certificate as a file, which is a good practice. If you choose to do it, once the cert is saved as a file, UWS will also offer to change the certificate's key to non-exportable, which is also a good thing to do if you have made a backup copy of the certificate.
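As an added example, not code from the post or from UWS Explorer, the Go program below does on the command line what step 3 does in the UWS Certificate Manager: it generates the private key on your own machine, builds the PEM CSR for the domain validated in step 2 (with the "www" sub-domain StartSSL requires as a SAN), and re-checks the CSR text before it is pasted into the CA form. The 2048-bit minimum comes from the post; the function names and the domain used in comments are my own assumptions.

```go
package main

import (
	"crypto/rand"
	"crypto/rsa"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/pem"
	"fmt"
)

const MinKeyBits = 2048 // smallest RSA key the post says StartCom will still sign
// NewKeyAndCSR makes the key locally (the CA never sees it) and a PEM CSR with CN = validated domain and the required "www." SAN.
func NewKeyAndCSR(domain string, bits int) (*rsa.PrivateKey, []byte, error) {
	key, err := rsa.GenerateKey(rand.Reader, bits)
	if err != nil {
		return nil, nil, err
	}
	tmpl := x509.CertificateRequest{
		Subject:  pkix.Name{CommonName: domain},
		DNSNames: []string{domain, "www." + domain},
	}
	der, err := x509.CreateCertificateRequest(rand.Reader, &tmpl, key)
	if err != nil {
		return nil, nil, err
	}
	return key, pem.EncodeToMemory(&pem.Block{Type: "CERTIFICATE REQUEST", Bytes: der}), nil
}

// CheckCSR re-parses the CSR text before it is pasted into the CA form: signature, key size and CN must all pass.
func CheckCSR(csrPEM []byte, domain string) error {
	blk, _ := pem.Decode(csrPEM)
	if blk == nil || blk.Type != "CERTIFICATE REQUEST" {
		return fmt.Errorf("not a PEM certificate request")
	}
	csr, err := x509.ParseCertificateRequest(blk.Bytes)
	if err != nil {
		return err
	}
	if err := csr.CheckSignature(); err != nil { // proves the requester holds the private key
		return err
	}
	if pub, ok := csr.PublicKey.(*rsa.PublicKey); !ok || pub.N.BitLen() < MinKeyBits {
		return fmt.Errorf("CSR key must be RSA of at least %d bits", MinKeyBits)
	}
	if csr.Subject.CommonName != domain {
		return fmt.Errorf("CSR CN %q is not the validated domain %q", csr.Subject.CommonName, domain)
	}
	return nil
}
```

Keep the returned key with the certificate text you later copy from "Retrieve Certificate"; the merge step in UWS only succeeds when the two belong together.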