StartSSL Free Certificate

From Leo's Notes
Last edited on 1 September 2019, at 06:23.
Deprecated Information!
StartSSL no longer provides free SSL certificates as of January 1st, 2018. Use Let's Encrypt instead.

StartSSL provides free SSL certificates (StartSSL Free) which is a great alternative to self-signed certificates. The only restrictions with StartSSL Free is that:

  1. Valid only up to 1 year
  2. One domain per certificate (no wild cards)
  3. Non commercial use only

The guide below outlines the necessary steps to create and install a certificate from StartSSL.

Getting Started

Sign-up for an account at The registration process will require your name, address, phone number, and email. You will be emailed a verification code to verify your account.

Once you authenticate, you will be asked to install a new client certificate. It's a good idea to back this certificate up as well (along with the private key as a .p12 file).

Before you can sign a certificate, you will need to validate your email address and domain name under the 'Validations Wizard'. Once completed, you may sign a certificate under the 'Certificates Wizard' tab.

Requesting a Server Certificate

Generate a certificate signing request by running:

# cd ~
# mkdir ssl
# openssl genrsa -des3 -out 4096
# openssl req -new -key -out

As part of your key generation process, you may enter any passphrase. (We can create an 'insecure' key without the passphrase later once the certificate is signed) The steps above will create a .key and a .csr file.

Under your StartSSL account:

  1. Click on 'Certificates Wizard', and select 'Web Server SSL/TLS Certificate' as the Certificate Target.
  2. Since we already have a .csr file (made above), we can skip the 'Generate Private Key' step.
  3. Submit your certificate signing request by pasting in the contents of the .csr file.
  4. Select your top level domain, and enter the domain of the certificate that you wish to sign.
  5. Verify your data and proceed to sign the certificate

Once completed, you will be given the signed certificate. You must:

  1. Save the contents to '' (in this case,
  2. Save the intermediate CA certificate (
  3. Save the root CA certificate (

Installing Server Certificate

From the steps above, should have:

  • (your certificate's private key)
  • (your signing request)
  • (signed certificate from StartCom)
  • ca.pem (root CA certificate from StartCom)
  • (intermediate CA certificate from StartCom)

If you are missing your signed certificate, or need access to the intermediate / root CA certificate from StartCom, you can retrieve them at:

  1. Toolbox -> Retrieve Certificate -> select your domain
  2. Toolbox -> StartCom CA Certificates -> StartCom CA Certificates (PEM encoded)
  3. Toolbox -> StartCom CA Certificates -> Class 1 Intermediate Server CA

Certificate Chain

With the five files listed above, you will need to combine the intermediate / root CA certificate into a chain certificate:

# cat ca.pem > startssl.chain.class1.server.crt

You will need to combine your private/certificate and the certificate chain above:

# cat startssl.chain.class1.server.crt >
# mv /etc/pki/tls/cert.pem

Installing Certificates

Copy the following 2 certificate files to /etc/pki/tls/certs (Assuming you're on RedHat based distros. This location may vary):

  1. startssl.chaina.class1.server.crt

Chmod the certificates to 640.

Installing Private Key

Copy the private key to /etc/pki/tls/private


chmod the key to 600.

Enable Apache SSL

Edit your Apache SSL config, ensuring that you have at least the following lines:

# SSLEngine On
# SSLCertificateFile /etc/pki/tls/certs/
# SSLCertificateKeyFile /etc/pki/tls/private/
# SSLCertificateChainFile /etc/pki/tls/certs/startssl.chain.class1.server.crt

Configure your virtual hosts as needed, and reload/restart apache.

Removing Passphrase from Certificate

If you had entered a passphrase as part of the certificate creation process, you may remove it (such that restarting apache won't prompt you for a paassword) by:

# cd /etc/pki/tls/private
# openssl rsa -in -out
# mv steamr.out.key.insecure
# chmod 600 *.key


Verifying SSL Certificates

You may test out whether you have set apache up properly by checking the certificates manually:

# echo HEAD /