Setup StartSSL Certificates, Part 1 of 4

Walk-through guide for StartSSL Certificates, Part 1 of 4.

Last updated  March 1st, 2014 by Steven Jordan

Takeaway:  StartSSL provides a phenomenal public service: free SSL certificates!  This article provides detailed instructions for working with StartSSL certificates.  This is the first part in a four-part series on how to use StartSSL certificates.

Additional StartSSL articles: 
1.  Sign-up:  Register with StartSSL.
2.  Personal Certificates:  Back-up and authenticate to StartSSL with personal certificates.
3.  New Cert:  Generate the StartSSL certificate.
4.  Windows Certificate Management:  Import the StartSSL certificate into Windows.

StartSSL Introduction:

   StartSSL is a public certificate authority (CA) that offers free SSL certificates.  StartSSL certificates are every bit as secure as those provided by VeriSign, GoDaddy, or Thawte.  In addition, StartSSL integrates with nearly every browser and operating system as a trusted root certificate; end-users do not receive identity warnings!

   StartSSL certificates work great and they are free, so what's the catch?
  •  StartSSL class 1 certificates are free, but they are only valid for one year.  The certificates must be renewed (for free) each year.
  • StartSSL offers limited support.  The StartSSL website is not intuitive and is outright complicated compared to other public CAs (e.g., GoDaddy).
  • Certificate revocation (i.e., mistakes) costs $25.  Don't lose your private keys!
   StartSSL class 2 certificates allow wild-card, multiple domain, and code-signing certificates.  Class 2 membership is not free; however, it is a bargain at $59 per year.  In addition, class 2 membership provides unlimited certificates (i.e., no revocation fees), and 3-year validation.  The down side?
  • The class 2 identity verification is cumbersome.  
   The folks at StartSSL take integrity seriously (no joke).  Be prepared to dig up corporate minutes; letters from your CEO; provide your license; provide proof of personal and corporate addresses; and public notary.  My last mortgage was easier to obtain than my class 2 StartSSL membership.  The renewal process is only slightly easier.  To be fair, I must point out the irony of criticizing a public CA for their strong practice of integrity!

  1. StartSSL authenticates with personal certificates.  The authentication process is different from most other web sites, which authenticate with usernames and passwords.

  2. Mozilla Firefox is the preferred web browser for StartSSL management.  Examples provided were created with Firefox.

Registration Process:

   Register with StartSSL to receive your free personal certificate. The following steps explain how to register and authenticate.

1.  Sign-up. 

StartSSL certificates are available to anyone with a valid email address.  Sign up for a free StartSSL account at:

2.  Enrollment Details.

Provide your name, home and email address, and click submit.  StartSSL sends a verification code to the registered email account.  Enter the verification code and submit.

3.  Generate Private Key.  

The next step in the registration process generates a personal SSL certificate.  Every SSL certificate is tied to a key pair: a private key and a public key.  The registration process creates a private key after the email address is verified.  Choose High Grade and click Continue.

4.  Install Certificate.  Click on install:
5.  Finish.  The personal certificate is automatically installed into the user certificate store. 

The personal SSL certificate is ready to authenticate user sessions on  It is a good idea to back up (i.e., export) the personal certificate at this point.
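Because this certificate is the only login credential, an exported backup is worth checking before you rely on it. The script below is an added example, not part of the original article or of StartSSL's tooling: it uses the OpenSSL command line to confirm that a PKCS#12 export contains a private key, that the key matches the certificate, and that the certificate is not about to expire. The function names, file names, and password are constructed for illustration.

```shell
#!/bin/sh
# Added example: sanity-check a PKCS#12 (.p12/.pfx) backup of a client certificate.
# Return codes: 0 ok, 1 unreadable or wrong password, 2 no private key inside,
#               3 key does not match certificate, 4 expires within MIN_DAYS.
verify_p12_backup() {  # usage: verify_p12_backup FILE PASSWORD [MIN_DAYS]
  p12=$1; pass=$2; min_days=${3:-30}
  # Hand the password over via the environment so it does not show up in `ps`.
  key=$(P12_PASS=$pass openssl pkcs12 -in "$p12" -passin env:P12_PASS \
        -nocerts -nodes 2>/dev/null) || return 1
  # A certificate-only export opens fine but cannot be used to log in.
  printf '%s\n' "$key" | grep -q 'PRIVATE KEY' || return 2
  cert=$(P12_PASS=$pass openssl pkcs12 -in "$p12" -passin env:P12_PASS \
         -clcerts -nokeys 2>/dev/null) || return 1
  # The certificate carries only the public key; it must match the private key.
  cert_pub=$(printf '%s\n' "$cert" | openssl x509 -noout -pubkey 2>/dev/null) || return 3
  key_pub=$(printf '%s\n' "$key" | openssl pkey -pubout 2>/dev/null) || return 3
  [ "$cert_pub" = "$key_pub" ] || return 3
  # -checkend N exits non-zero when the certificate expires within N seconds.
  printf '%s\n' "$cert" | openssl x509 -noout -checkend $((min_days * 86400)) \
    >/dev/null 2>&1 || return 4
  return 0
}

# Constructed sample data: a self-signed one-year certificate (NOT issued by
# StartSSL), exported once with its key and once as certificate only.
make_sample_backup() {  # usage: make_sample_backup DIR
  dir=$1
  openssl req -x509 -newkey rsa:2048 -nodes -days 365 \
    -subj "/CN=user@example.test" \
    -keyout "$dir/key.pem" -out "$dir/cert.pem" 2>/dev/null || return 1
  openssl pkcs12 -export -in "$dir/cert.pem" -inkey "$dir/key.pem" \
    -passout pass:constructed-pass -out "$dir/good.p12" || return 1
  openssl pkcs12 -export -nokeys -in "$dir/cert.pem" \
    -passout pass:constructed-pass -out "$dir/certonly.p12"
}
```

Run `verify_p12_backup backup.p12 'your-password' 30` against the exported file and check the exit status with `echo $?`; delete any extracted key material afterwards.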

Next Up:  Part two covers the StartSSL personal certificate authentication and management process.


  1. Wow, I can't believe there's a way to get free SSL certificates. Thanks for the great instructions!

