Managing SSL Certificates Signed by a Certificate Authority

Introduction link

You may need SSL certificates for your company or for personal needs on your website. The drawback of self-generated and self-signed certificates is that the first time you visit your site, you’ll get a warning message.

To avoid this warning and to have a nice little padlock on your browser indicating that you’re protected, you typically need to pay a certification authority a lot of money to get a valid SSL certificate.

However, there are kind companies that offer free or inexpensive certificates for your domain name that are properly signed :-). We’ll look at how to do this with StartCom.

Certificate Generation link

Before you start, create your account and go to the private key step on StartCom.

Here, I’ll present several servers:

1. Lighttpd: Generating a class 1 key¹
2. Nginx: Generating a wildcard key in class 2²

Feel free to adapt to your configuration if you need to switch these.

Lighttpd link

We’ll see here how to set up certificates with Lighttpd. First, let’s create the essentials:

1
2
3

cd /etc/lighttpd
mkdir ssl
cd ssl

Next, we’ll generate the RSA private key and secure it:

1
2

openssl genrsa -out server.key 4096
chmod 400 server.key

Copy the content of this key to the website so it can generate the rest. Then we’ll create the CSR:

1

openssl req -new -nodes -key server.key -out server.csr

For the common name part, enter your default site (ex: www.deimos.fr).

Then download the StartCom certificates:

1
2
3

wget http://www.startssl.com/certs/ca.pem
wget http://www.startssl.com/certs/sub.class1.server.ca.crt
wget http://www.startssl.com/certs/sub.class1.server.ca.pem

Nginx link

We’ll see here how to set up certificates with Nginx. First, let’s create the essentials:

1
2
3

cd /etc/nginx
mkdir ssl
cd ssl

Next, we’ll generate the RSA private key and secure it:

1
2

openssl genrsa -out server.key 4096
chmod 400 server.key

Copy the content of this key to the website so it can generate the rest. Then we’ll create the CSR:

1

openssl req -new -nodes -key server.key -out server.csr

For the common name part, enter your default site (ex: www.deimos.fr).

Then download the StartCom certificates:

1
2
3

wget http://www.startssl.com/certs/ca.pem
wget http://www.startssl.com/certs/sub.class2.server.ca.crt
wget http://www.startssl.com/certs/sub.class2.server.ca.pem

Certificate Signing link

Now we’ll generate a certificate on the StartSSL website. To begin, create your domain with the Validation Wizard:

Choose Domain Name Validation:

Then create the domain you want:

Finish creating the domain and click on Certificates Wizard:

Then select “Web Server SSL/TLS Certificate” as that’s what we need:

Skip this part since we’ve generated our own certificate:

And paste the contents of the server.csr file into the text area:

Complete the process, then create a server.crt file with the SSL certificate content that will be provided.

Configuration link

Lighttpd link

Next, we’ll create a PEM certificate from those we’ve generated along with a CRT file:

1
2

cat server.key server.crt > server.pem
cat ca.pem sub.class1.server.ca.pem > ca-certs.crt

Then we’ll configure our Lighttpd server to use our new keys (/etc/lighttpd/conf-enabled/10-ssl.conf):

 1
 2
 3
 4
 5
 6
 7
 8
 9
10
11

## lighttpd support for SSLv2 and SSLv3
## 
## Documentation: /usr/share/doc/lighttpd-doc/ssl.txt
##  http://www.lighttpd.net/documentation/ssl.html 
 
#### SSL engine
$SERVER["socket"] == "0.0.0.0:443" {
                  ssl.engine                  = "enable"
                  ssl.pemfile                 = "/etc/lighttpd/ssl/server.pem"
                  ssl.ca-file                 = "/etc/lighttpd/ssl/ca-certs.crt"
}

Don’t forget to restart your Lighttpd server for the parameters to take effect :-)

Nginx link

For Nginx, it’s a bit different from Lighttpd. We’ll create the unified certificate like this:

1

cat ssl.crt sub.class2.server.ca.pem ca.pem > /etc/nginx/ssl/server-unified.crt

Then configure Nginx (/etc/nginx/sites-enabled/www.deimos.fr):

1
2
3
4
5

[...]
ssl on;
ssl_certificate /etc/nginx/ssl/server-unified.crt;
ssl_certificate_key /etc/nginx/ssl/server.key;
[...]

Then restart Nginx for the certificates to work.

Resources link