Last week I showed you why you don’t want “bank grade” security in your SSL.
I used the Qualys SSL Labs test to rate the bank’s SSL security. One of the first steps you need to take to get a good rating on the SSL Labs test is to get a trusted certificate.
Without a trusted certificate you are not going to get any higher than a T rating on the SSL Labs test. As you may already know, if you use a self-signed certificate on a public website you will get a warning from the browser that the website is unsafe. The only way of avoiding this is to get a certificate from a trusted Certificate Authority that the browsers recognise. Unfortunately most Certificate Authorities charge a yearly fee for a certificate, which can cost anywhere from £5 – £500 a year.
I am going to show you how you can get a free SSL certificate that will get you one step closer to an A+ SSL rating. StartSSL is offering free SSL certificates which are valid for 1 year and can be renewed for free.
1. Go to https://www.startssl.com/?app=12 and pick Express Lane from the options.
2. On the next screen you will be asked to fill in your personal details. It does state that StartSSL may check these details and will revoke your certificate if they are found to be incorrect.
3. Once you have filled in these details you will be sent an email with a verification code, which you will need to enter on the following page.
4. The next step is to generate a private key for your browser. This is used to authenticate you when producing further certificates on StartSSL. Leave this at the default setting of 2048.
5. Once the key has been generated you will be prompted to install the certificate into the browser. Click install and you should see the following appear:
6. You are now ready to start the process of creating your SSL certificate. On the next screen you will be asked to fill in the name of the domain you are producing a certificate for.
7. To check that you are the correct owner of the domain you will be asked to pick an email address from a predefined list to send a verification email to.
8. Again you will be asked to validate the email address you picked by entering the verification code.
9. Once validated you will have the option to create your private key and certificate signing request (CSR). If you plan to generate your own private key and CSR then you can click on “please skip this step” and move on to step 11 in my instructions. If you are using IIS I will show you how you can generate these in my next post. Just make sure you pick 4096 as the key size and SHA2 for the secure hash algorithm.
10. Click continue and an encrypted private key will be generated for you. Copy this and save it to ssl.key as instructed. If you have OpenSSL installed you can decrypt it yourself using the command
openssl rsa -in ssl.key -out ssl.key
If you don’t have OpenSSL installed we can use the toolbox on the StartSSL website to decrypt it later.
11. Click continue and you will be asked to pick the domain that you wish to generate your certificate for. You will probably only have the one domain at this point.
12. You now need to add a subdomain to use for your certificate; this can just be “www”.
13. If you didn’t decrypt your private key in step 10 then you can do this by clicking on the Tool Box tab and choosing Decrypt Private Key. You will be prompted to paste in your private key and enter your password, and it will decrypt your key for you.
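As an added example (not from the original post), here is a shell script covering the two OpenSSL jobs this walkthrough touches: decrypting the passphrase-protected key from step 10, and, for anyone who takes the “please skip this step” route so that StartSSL never sees their private key, producing a 4096-bit RSA key and SHA-256 CSR and checking them before the CSR is pasted into the CA. It assumes the openssl CLI is installed; the hostname www.example.com, the passphrase and the scratch directory are placeholders.

```shell
#!/bin/sh
# Generate your own 4096-bit RSA key and SHA-256 CSR (the "please skip this step" path),
# and decrypt a StartSSL-style passphrase-protected key as in step 10.
# Assumes the openssl CLI; www.example.com and the passphrase are placeholders.
set -eu
command -v openssl >/dev/null 2>&1 || { echo "openssl CLI not found, nothing to do" >&2; exit 0; }
umask 077                               # key files are created readable by the owner only
DOMAIN="${DOMAIN:-www.example.com}"     # placeholder hostname
WORK="${WORK:-$(mktemp -d)}"            # scratch directory for the generated files

# Step 10 equivalent. Decrypting to a new file instead of over ssl.key means a wrong
# passphrase or a typo cannot leave you with no copy of the key at all.
decrypt_key() {                         # $1 = encrypted key, $2 = passphrase, $3 = output file
  openssl rsa -in "$1" -passin "pass:$2" -out "$3" 2>/dev/null
}

# Your own key and CSR with the settings the post asks for: 4096-bit RSA, SHA-2 (SHA-256).
make_key_and_csr() {                    # $1 = hostname for the CSR subject
  openssl genrsa -out "$WORK/own.key" 4096 2>/dev/null
  openssl req -new -key "$WORK/own.key" -sha256 -subj "/CN=$1" -out "$WORK/own.csr" 2>/dev/null
}

# Checks worth running before pasting a CSR into a CA: the request signature verifies,
# the public key in the CSR matches the private key, and the digest really is SHA-256.
# Prints the number of checks that passed (3 when everything is consistent).
check_csr() {
  n=0
  openssl req -in "$WORK/own.csr" -noout -verify >/dev/null 2>&1 && n=$((n+1))
  [ "$(openssl rsa -in "$WORK/own.key" -pubout 2>/dev/null)" = \
    "$(openssl req -in "$WORK/own.csr" -noout -pubkey 2>/dev/null)" ] && n=$((n+1))
  openssl req -in "$WORK/own.csr" -noout -text 2>/dev/null | grep -q sha256WithRSAEncryption && n=$((n+1))
  echo "$n"
}

# Confirms a decrypted key is really unencrypted and structurally valid (exit 0 = ok).
check_decrypted() {                     # $1 = decrypted key file
  ! grep -q ENCRYPTED "$1" && openssl rsa -in "$1" -noout -check -passin pass: >/dev/null 2>&1
}

# Constructed stand-in for the key StartSSL hands you: encrypted with a known passphrase.
openssl genrsa -aes256 -passout pass:changeit -out "$WORK/ssl.key" 2048 2>/dev/null
decrypt_key "$WORK/ssl.key" changeit "$WORK/ssl-plain.key"
make_key_and_csr "$DOMAIN"
echo "CSR checks passed: $(check_csr) of 3; files in $WORK"
```

Once decrypted, the key sits on disk with no passphrase protecting it, which is why the script sets umask 077 and writes the decrypted copy to a separate file rather than back over ssl.key.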