Blog posts for October 2011

Free SSL certificates


For some time I've been using CAcert SSL certificates for personal email and personal web server use.  These X.509 certificates enable SSL, but are not recognized by Internet Explorer out of the box.  To avoid the "certificate not trusted" dialog box, one has to import the CAcert root CA certificate(s).


In commercial circumstances, where robust server identity and validation is indicated, I have often recommended using Thawte to save some money relative to Verisign.


Another lower-cost alternative is Comodo.  Comodo also provides a 90 day free trial certificate useful for testing before purchasing a proper, longer-lasting certificate.


Now for something completely different.  We now have the choice of a completely free SSL certificate provider named StartCom/StartSSL.  This organization is based in Israel and provides free SSL certificates that are recognized by recent versions of Internet Explorer and Firefox.

Apache SSL certificate installation

The commands below assume a Gentoo Linux distribution with the /etc/apache2/vhosts.d/00_default_ssl_vhost.conf file's configuration directives for SSLCertificateKeyFile and SSLCertificateFile pointing to /etc/ssl/apache2/server.key and /etc/ssl/apache2/server.crt, respectively.

First, if you want Apache to ask for a pass phrase when it starts, generate a 2048-bit RSA server key encrypted with a pass phrase using the following command:

$ cd /etc/ssl/apache2/
$ openssl genrsa -des3 -out server.key 2048

The -des3 option encrypts the private (server) key with a pass phrase, and this causes Apache to ask for that pass phrase to decrypt the private key each time Apache starts.

If you don't want Apache to prompt you for a pass phrase every time Apache starts, remove the "-des3" option as shown in the next example.

$ cd /etc/ssl/apache2
$ openssl genrsa -out server.key 2048

The second step is to create a PEM key file with the pass phrase removed.  (If server.key was generated without -des3 it is already unencrypted, and this step simply copies it to server.pem.)  Since server.pem is unencrypted, keep it readable only by root.

$ cd /etc/ssl/apache2
$ openssl rsa -in server.key -out server.pem

The third step uses the PEM key file to generate a certificate signing request file, which you submit to the certificate provider.

$ cd /etc/ssl/apache2
$ openssl req -new -key server.pem -out server.csr

The fourth step is to retrieve the actual certificate text (Base64-encoded ASCII text in PEM format) you get from your X.509 certificate provider.  If you retrieve the certificate using your web browser you might paste the certificate text into your server.crt file, including the BEGIN and END lines.  For example (paste the certificate text, then press Ctrl-D to end input):

$ cd /etc/ssl/apache2
$ cat > server.crt
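The four steps above, run end to end in a scratch directory with a consistency check at the end.  This is an added example, not a command sequence from the original post; it assumes the openssl command-line tool is installed, the host name www.example.com and the pass phrase are constructed placeholders, and a one-day self-signed certificate stands in for the one the provider would return.

```sh
#!/bin/sh
# Added example, not from the original post: run the post's key -> CSR -> cert
# steps in a scratch directory, then verify that the three files belong
# together before copying them under /etc/ssl/apache2. Assumes the openssl
# CLI is installed; the host name and pass phrase are constructed placeholders.
WORKDIR="$(mktemp -d)"
trap 'rm -rf "$WORKDIR"' EXIT
PASS="pass:constructed-placeholder-phrase"

# Steps 1 and 2: an encrypted server.key, then server.pem with the pass phrase
# removed so Apache starts unattended. The post uses -des3; -aes256 is the
# stronger choice and genrsa accepts either.
make_key() {
  openssl genrsa -aes256 -passout "$PASS" -out "$WORKDIR/server.key" 2048 2>/dev/null &&
  openssl rsa -passin "$PASS" -in "$WORKDIR/server.key" -out "$WORKDIR/server.pem" 2>/dev/null
}

# Step 3: a CSR from the unencrypted key; -subj and -batch suppress the prompts.
make_csr() {
  openssl req -new -batch -key "$WORKDIR/server.pem" \
    -subj "/CN=www.example.com" -out "$WORKDIR/server.csr" 2>/dev/null
}

# Stand-in for the CA in step 4: a one-day self-signed certificate, test only.
make_test_cert() {
  openssl x509 -req -in "$WORKDIR/server.csr" -signkey "$WORKDIR/server.pem" \
    -days 1 -out "$WORKDIR/server.crt" 2>/dev/null
}

# Succeeds only when key, CSR and certificate carry the same RSA modulus; a
# mismatch is the usual reason Apache refuses to start after a renewal.
moduli_match() {
  key_mod="$(openssl rsa -noout -modulus -in "$1" 2>/dev/null)"
  csr_mod="$(openssl req -noout -modulus -in "$2" 2>/dev/null)"
  crt_mod="$(openssl x509 -noout -modulus -in "$3" 2>/dev/null)"
  [ -n "$key_mod" ] && [ "$key_mod" = "$csr_mod" ] && [ "$key_mod" = "$crt_mod" ]
}

# Succeeds when the certificate has not expired yet.
cert_not_expired() {
  openssl x509 -noout -checkend 0 -in "$1" >/dev/null 2>&1
}

# Walk the whole procedure; succeeds only if every step and check passes.
run_checks() {
  make_key && make_csr && make_test_cert &&
  moduli_match "$WORKDIR/server.pem" "$WORKDIR/server.csr" "$WORKDIR/server.crt" &&
  cert_not_expired "$WORKDIR/server.crt"
}
run_checks && echo "server.pem, server.csr and server.crt belong together"
```

To check a renewal on the real server, call moduli_match with /etc/ssl/apache2/server.pem, the submitted server.csr and the server.crt the provider returned.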

Windows XP or Windows XP with SP1

StartCom StartSSL certificates will not work out of the box with older versions of IE, such as those shipped with Windows XP or Windows XP with SP1.  These older IE versions shipped before StartCom was added to Microsoft's list of trusted authorities.  Simply update using Windows Update; afterwards IE will recognize StartCom as a valid, trusted root CA.

Windows XP with SP2 or SP3

Windows XP is getting long in the tooth but many still use it.  To get Internet Explorer's approved root CA list up to date, one has to install a Microsoft-provided patch set known as Service Pack 2 (SP2).

Windows XP does not fully support the automatic root update mechanism: when a root certificate is already present on a user’s system, it will not be updated even if the copy of the root certificate available on Microsoft Update has changed. Windows XP also does not support the weekly pre-fetching of certificate properties from Microsoft Update feature, and the only way to install new root certificate properties on Windows XP is by installing the root update package.

It is recommended that users running Windows XP download and install the root update package to update their root certificates. Root certificates are delivered for Windows XP via Microsoft Update as an optional root update package – an executable that contains every root certificate that is distributed by the Windows Root Certificate Program. Windows XP users can opt to download the package each time it is updated and presented by Microsoft Update, or they can opt to download the root update packages automatically when they are updated. The optional root update package is updated approximately 3-4 times per year, or every quarter.

For additional technical information about how Windows updates root certificates in Windows XP SP2 and SP3, visit this web site.

Created by Administrator on 07/09/2013