Step 3 of 3: Getting Your Certificate Signed and Merged with Pending Certificate Request

Once you have created your personal digital ID for the StartSSL site and proved to StartCom that you own an Internet domain, you can go on to create an SSL server certificate for the domain.
To start, open UWS Explorer's Certificate Manager, click the "Create New Certificate" toolbar item, and begin creating the real certificate:
The next step brings up the form where certificate attributes are specified. Please note that a certificate's encryption strength has nothing to do with which Certificate Authority signs it; it depends on the strength of the private key, which is generated locally and (ideally) never leaves the computer. Until relatively recently, 1024-bit keys were common, but now many CAs, including StartCom, will not sign certificates that have a key smaller than 2048 bits. Making the key too large will make your site noticeably slower. UWS lets you choose one of several key sizes, from 1024 to 8192 bits, with the default set to 2048.
From the Certificate Authority's (StartCom's) point of view, the most important certificate attribute is the domain name. At this point StartCom already knows about a domain you own, so when you create a new certificate, be sure to enter a domain name matching the name you had verified by StartCom. You should enter all the other certificate attributes too, but StartCom may ignore or modify them, since StartCom has only verified that you (the owner of a given email address) own the domain name. Other CAs may have different policies, but it only makes sense that a CA will put in only the attributes it could verify.
After you click OK on the screen above and create the key and unsigned certificate combo, you will get a window with gibberish text representing the certificate signing request (CSR):
This text needs to be copied and pasted into the StartSSL web site in one of the subsequent steps, so you may click the button to copy the CSR to the clipboard, or save it as a text file.
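An added example, not part of the original tutorial or of UWS: a check of the saved CSR file against the two points made above (a key of at least 2048 bits, and a subject name under the domain the CA has verified) before it is pasted into the CA's form. It assumes the OpenSSL command-line tool is installed; the function names, example.com and the generated sample requests are constructed for illustration.

```shell
#!/bin/sh
# Pre-submission checks for a CSR saved as a PEM text file.
# Assumes the OpenSSL CLI is on PATH; function names are illustrative.

csr_bits() {    # print the public key size in bits
    openssl req -in "$1" -noout -text |
        sed -n 's/.*Public-Key: (\([0-9]*\) bit).*/\1/p'
}

csr_cn() {      # print the subject common name, lower-cased
    openssl req -in "$1" -noout -subject -nameopt RFC2253 |
        sed -n 's/^subject=.*CN=\([^,]*\).*/\1/p' | tr '[:upper:]' '[:lower:]'
}

# usage: precheck_csr FILE VERIFIED_DOMAIN [MIN_BITS]
# Prints each problem found; returns 0 only when there are none.
precheck_csr() {
    file=$1 domain=$2 min=${3:-2048} rc=0
    bits=$(csr_bits "$file")
    cn=$(csr_cn "$file")
    if [ "${bits:-0}" -lt "$min" ]; then
        echo "key is ${bits:-unknown} bits, CA minimum is $min"
        rc=1
    fi
    case "$cn" in
        "$domain" | *."$domain") ;;     # exact name or a subdomain of it
        *) echo "CN '$cn' is not under verified domain $domain"; rc=1 ;;
    esac
    return "$rc"
}

# Constructed sample input: throwaway key plus CSR. usage: OUT BITS CN
make_sample_csr() {
    openssl req -new -newkey "rsa:$2" -nodes -keyout "$1.key" \
        -subj "/CN=$3" -out "$1" 2>/dev/null
}

tmp=$(mktemp -d)
make_sample_csr "$tmp/weak.csr" 1024 www.example.com
make_sample_csr "$tmp/good.csr" 2048 www.example.com
precheck_csr "$tmp/weak.csr" example.com || echo "weak.csr: regenerate before submitting"
precheck_csr "$tmp/good.csr" example.com && echo "good.csr: ready to paste"
rm -rf "$tmp"
```

The CSR carries only the public key, so running this check on the saved file does not expose the private key held on the server.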
Now you are ready to go back to the StartSSL site's Control Panel, authenticate yourself and go to the "Certificates Wizard" tab:
On the screen above, please select “Web Server SSL/TLS Certificate” from the drop-down list and click the "Continue" button. On the next screen you will be prompted to create a private key, or to skip the step. You will need to skip this step because the private key was already generated locally on your computer. Please note that it's always a good idea to generate your private key locally and never let others, including CAs, create it for you, to ensure that a third party will never have your private key.
So please hit the "Skip" button on the screen above, and you will end up on the "Submit Certificate Request" screen, where you will need to paste the gibberish CSR text you created using UWS Certificate Manager:
Click "Continue" on the screen above, and if everything went well you should get the "Certificate Request Received" screen, where you can click "Continue" to get to the domain selection screen. The next few screens show how to add a subdomain to the domain. Having at least one subdomain is a StartSSL requirement. We'll add the "www." subdomain.
On the screen above please select the domain for which you are getting a certificate, and click "Continue" to get to the sub-domain form. Please enter "www" and hit "Continue".
Hit "Continue" on this confirmation screen:
You will be greeted with a vague "additional check required" screen. This is a dead end until you get a certificate readiness email message.
Soon you will receive a "certificate ready" email message. This means you can go back to the StartSSL control panel to get the certificate.
Once you have gone through the now-familiar authentication process, please go to the "Toolbox" area and click "Retrieve Certificate":
Now select your new certificate from the certificate list and hit "Continue":
Finally, select the text in the "Certificate" text area and copy it to clipboard.
To finish creating the certificate, merge the text on the clipboard into the pending certificate request.
Click OK to have your cert ready to go.
If in the beginning you chose to make your certificate's key exportable, UWS Explorer may prompt you to back up the new certificate as a file, which is a good practice. If you choose to do so, once the cert is saved as a file, UWS will also offer to change the certificate's key to non-exportable, which is also a good thing to do if you have made a backup copy of the certificate.