Apache - Free Server Certificate

A free server certificate using the service from http://www.startssl.com/ is a better choice than a self-signed certificate. Please note that The Uniform Server developers have no relation or affiliation with this site. The material is included here only to provide a better alternative to a self-signed certificate. Other choices likely are available.

StartSSL (StartCom) is a public certification authority providing digital certificates for free! They have their root certificate in all major browsers, which means that certificates issued by StartSSL are trusted by default. Major browsers include Firefox, Internet Explorer, Gogole Chrome, Safari and Opera. The term free means just that, no hidden catches or trials, so The Uniform Server support now includes support for StartCom.

Obtaining a free server certificate requires a number of steps. First you need to have a registered domain name, then you create a certificate-signing request and obtain a personal ID certificate by registering with StartCom. With this in place, you can login to StartCom and have your certificate signed. Finally you install this certificate on your server. This page covers each step in more detail.

Register a domain name

Register a domain name with a registrar of your choice. The information you supply pertains to the domain you are registering. Of importance for obtaining a free certificate is the contact e-mail address you supply. I am referring to the address where a registrar can contact you. This e-mail address will be used by StartCom to verify who you are (domain name). Alternatively, if your domain name is active (site has a mail-server) the site email address can be used for verification.

Note: Your registrar contact e-mail address allows you to obtain a signed certificate before making your site live. This allows you to test your site locally with a signed certificate and confirm that Apache’s SSL Vhost server verification chain works.

Create an account at StartSSL

Creating an account at StartSSL can be done in advance. You are asked for certain details that identify you. This information is used for creating a personal identification (ID) certificate that is installed into your browser. One purpose of this certificate is to automatically log you into your StartSSL account.

1. Go to https://www.startssl.com/?app=12/ website
2. Click Sign up
3. Fill in all fields in the sign up form and click Continue
4. An authentication code will be e-mailed to you.
5. Copy and paste it into the Complete Registration form. Click Continue
6. Choose the level of security required and click Continue
7. Allow the pop up to install security certificate into your browser
8. Click Install
9. If prompted by your firewall, allow outside access. (Certificate authority)
10. Click Finish

Note: Backup your client certificates! Check this link and follow the instructions appropriate for your browser.

Creating a certificate signing request (CSR)

Generating a certificate-signing request is similar to generating a self-signed certificate. The only difference is to change Hostname from localhost to your registered domain name. For a free StartCom certificate, this field is the only one that is part of the certificate. If you change any of the other fields, the class of the certificate changes as well as its cost, and will require further validation. These instructions cover only the free certificate.

Apache > Apache SSL > Server Certificate and Key generator This opens the Server Certificate and Key generator menu shown at right A) Change Common Name (CN) to your registered domain name; for example, fred.com D) Click Run Generate. After a short time, a confirmation pop-up is displayed. This generates your new server key (server.key) and CSR (server.csr) It's important to save these files to a safe and secure location (example: UniServer\certs) as follows: Save UniServerZ\core\openssl\server.csr to folder UniServerZ\certs Save UniServerZ\core\apache2\server_certs\server.key to folder UniServerZ\certs Create a new text document named server.crt in folder UniServerZ\certs

Note 1: The empty file server.crt is where you will copy your signed certificate. Folder UniServerZ\certs is used only to store your original certificates. It keeps them as a separate group.

Note 2: Folder UniServerZ\certs is just an example. Ideally you would save its final content to a pen drive, writable CD or another PC for safekeeping.

Sign certificate at StartSSL

Login to StartSSL

• Go to https://www.startssl.com/?app=12/ website
• Click Authenticate
• Click Control Panel

Validation Wizard

1. Click Validations Wizard tab (top menu)
2. From drop-down menu choose Domain Name Validation . -- Click continue
3. Enter the URL of your domain name to be validated
4. Select an e-mail from the list (select last entry). Note: The last entry is your registrar contact e-mail address. -- Click continue button.
5. An authentication code is sent to the selected e-mail address.
6. Copy this authentication code and paste it into Verification Code: Box. -- Click continue button.
7. Click Finish

Certificates Wizard

1. Now click the Certificates Wizard tab
2. From the Certificate Target dropdown menu select Webserver SSL/TLS Certificate -- Click continue button.
3. Generate Private Key form displayed. Click Skip - We are using our own key.
4. Submit Certificate Request (CSR) form opens
   Open file UniServerZ\certs\server.csr
   Copy and past its content into the box displayed.
   Click continue button.
5. Message displayed Certificate Request Received -- Click continue button.
6. Select your domain name (from dropdown list) and use www as the subdomain.
   Your signed certificate is generated and displayed.
   Copy the displayed content and save it to file
   UniServerZ\certs\server.crt

Download StartCom CA Certificates - Information

Note: This section is for information only. The required certificates are preinstalled. A signed certificate requires a verification chain. To implement this on Apache, two additional certificates are required. Download these from StartSSL

• At StartSSL, log into your control panel.
• Download ca.pem Save to folder UniServer\certs.
• Download sub.class1.server.ca.pem Save to folder UniServer\certs.

Note: If you have a higher validated server certificate you need to use the class2 or class3 intermediate CA certificate.

Install certificates

Copy the two files server.key and server.crt to Apache folder server_certs

• Copy UniServerZ\certs\server.key to folder UniServerZ\core\apache2\server_certs
• Copy UniServerZ\certs\server.crt to folder UniServerZ\core\apache2\server_certs

Edit SSL Configuration file

Two lines require enabling in Apache’s SSL configuration file as follows:

Edit file: UniServerZ\core\apache2\conf\extra\ssl.conf

Locate these two lines:

#SSLCertificateChainFile ${US_ROOTF}/core/apache2/server_certs/sub.class1.server.ca.pem
#SSLCACertificateFile    ${US_ROOTF}/core/apache2/server_certs/ca.pem

Remove the # to enable as shown below:

#SSLCertificateChainFile ${US_ROOTF}/core/apache2/server_certs/sub.class1.server.ca.pem
#SSLCACertificateFile    ${US_ROOTF}/core/apache2/server_certs/ca.pem

Note: The environoment variable ${US_ROOTF} is automaticaly set to the Uniform Server Zero top-level folder for example C:/UniServerZ

Local Test

Before going live with your secure server you can test it locally. To do this your domain name (example fred.com) must resolve to an IP address.

Refer to this page Server Name for details use either option 1 or option 2

Option 1: Is assumed. Entry automatically made in Uniform Server's PAC file

• Start the Apache server
• Click View ssl button
• The secure test page should be displayed with no alerts.

Note: Replace fred.com with the hostname you used when creating your CSR. Be sure to remove this line when you are ready to go live.

Where to next

Apache SSL Introduction and overview.

Self-signed Self-signed test certificate details.