We get a free SSL certificate

Hi, Habr!

About StartSSL I learned from the notorious lissyara, in connection with which he is very grateful.

For a start, tell you what kind of beast it is. As you know, SSL certificates are issued by certification authorities whose root certificates are stored in the browser \ OS certificate store (or other software using SSL). The price of most certificates goes off the hook, and you have to pay for each certificate. But StartSSL has a very interesting approach - they have free certificates themselves, you only pay to verify your identity.
')
It also can not but rejoice at the presence of Russian-language support.

The certificate can be obtained by checking only the email address and domain ownership, but in this case you can not create a wildcard certificate, use the certificate for financial transactions and e-commerce. The certificate is issued for a period of one year. Removing these restrictions will cost you $ 59.90 and implies your identification (you can also issue certificates for 2 years). For a total of $ 59.90, you can create ∞ the number of WildCard certificates for a period of 3 years (350 days, during which you can reissue a certificate + 2 years for which you can issue a certificate).

check in

By choosing the Russian language on the site you get a great English-Russian interface. Registration is here .



We press Sing-up and go to the registration, where we fill out a small form. All fields are required, you need to enter real data, can verify your identity and revoke the certificate, block your account. The address must be specified home, not working. It is also desirable that the Latin alphabet be used during registration - this will help to shorten the time in which the account registration will be confirmed.



We are offered to enter the verification code that was sent to the email. We enter. Next, we are offered to choose the key size for your certificate (for authorization on the site) 2048 or 4096.



The certificate has been generated, and we need to confirm its installation in the browser.




This registration is completed. I recommend to keep the certificate on physical media (for example, write to a blank).

Domain Verification

Before obtaining a certificate, we need to confirm ownership of the domain. To do this, go to the section Validations Wizard and select the Domain Name Validation



Enter the domain



Choose an email to which a confirmation email will be sent (postmaster, hostmaster, webmaster or email from whois)



We receive the letter and enter the code from it into the field. All - the domain is confirmed, you can begin to generate a certificate. Within 30 days we can generate a certificate. Next, you will need to repeat the verification procedure.

Certificate Generation

Go to the Certificates Wizard section and select the Web Server SSL / TSL Certificate there.



Next, we have 2 options - either click on Skip and enter a request to generate a certificate, or generate everything in the wizard. Suppose we do not have a certificate request, so we will generate everything in this wizard.

Enter the password for the key (min. 10 characters - max. 32) and the key size (2048 \ 4096).



Get and save the key.



Choose a domain for which we will generate a certificate (the domain must already be confirmed).



We are given the right to include one subdomain in the certificate - let it be the standard www



Got some information about the certificate, click on Continue.



Now we are waiting for confirmation by the employee of the StartSSL certificate. They promise within 3 hours, but in practice everything happens much faster, I had to wait 10 minutes. Previously ordered at night - about the same time confirmed the request.

Getting a certificate

We just need to get a certificate and install it on the server. Go to the Tool Box -> Retrieve Certificate, select the domain and copy the certificate.



About the installation I will not write, the information is on the habr and on StartSSL .

We pass the test (2nd level of verification)

To remove the limitations of a free certificate, you need to pass identification. To do this, select the Personal Identity Validation in the Validations Wizard, go through several steps and offer to download documents

To upload documents you just need to select them in the field. You need to download at least 2 documents confirming your identity (main passport turnaround, driver's license, identity card, social security card, birth certificate, etc., I downloaded the main passport turn and student card). Additional documents may be requested - they have requested a phone bill for me, which contains my address, telephone number and name, as an alternative, you can receive a letter by analog mail to verify the address.

Next you will need to enter your credit card details \ PayPal. Go to the Tool Box -> Add Credit Card | PayPal | Ticket



Everything, on it preparation for verification is finished. You will need to receive a letter of support with further instructions. After verification, you can issue WildCart certificates for 350 days. Next, you will need to be tested again.

Some facts about StartSSL

• On May 25, 2011, StartSSL was attacked by network hackers (in common with hackers), but they failed to get bogus certificates. The private key underlying all operations is stored on a separate computer that is not connected to the Internet.
• In addition to SSL certificates for Web, StartSSL supplies certificates for mail encryption (S / MIME), for encrypting XMPP servers (Jabber), certificates for signing Object code software certificates.
• StartSSL validates the installation of certificates. After installing the certificate (after some time), I received a notification about the absence of an intermediate certificate, and a link to the installation information.
  After installing the intermediate certificate, a corresponding letter arrived.
• StartSSL is supported by a variety of software: Android, Camino, Firefox, Flock, Chrome, Konqueror, IE, Mozilla Software, Netscape, Opera, Safari, SeaMonkey, Iphone, Windows
• Friendly support in Russian
• Comparative table of verification options
• For $ 59.90 you can create ∞ number of WildCard certificates for a period of 3 years (350 days, during which you can reissue a certificate + 2 years for which you can issue a certificate).
• Certificate withdrawal fee - $ 24.90. The 2nd verification class allows you to re-create the certificate (as I understand it, only once). Extended validation certificates are exempt from this collection.