Setup StartSSL Certificates, Part 1 of 4

Walk-through guide for StartSSL Certificates, Part 1 of 4.

Last updated  March 1st, 2014 by Steven Jordan

Takeaway:  StartSSL provides a  phenomenal public service; free SSL certificates!  This article provides detailed instructions for working with StartSSL certificates.  This is the first part in a four-part series on how to use StartSSL certificates.

Additional StartSSL articles: 
1.  Sign-up:  Resister with StartSSL.
2.  Personal Certificates:  Back-up and authenticate to StartSSL with personal certificates.
3.  New Cert:  Generate the StartSSL certificate.
4.  Windows Certificate Management:  Import the StartSSL certificate into Windows.

StartSSL Introduction:

   StartSSL is a public certificate authority (CA) who offers free SSL certificates.  StartSSL certificates are every bit as secure as those provided by VeriSign, GoDaddy, or Thawte.  In addition, StartSSL integrates with nearly every browser and operating system as a trusted root certificate; end-users do not receive identity warnings!

   StartSSL certificates work great and they are free -so what's the catch?
  •  StartSSL class 1 certificates are free, but they are only valid for one year.  The certificates must be renewed (for free) each year.
  • StartSSL offers limited support.  The StartSSL website is not intuitive and is outright complicated compared to other public CAs (e.g., GoDaddy).
  • Certificate revocation (i.e., mistakes) cost $25.  Don't lose your private keys!
   StartSSL class 2 certificates allow wild-card, multiple domain, and code-signing certificates.  Class 2 membership is not free, however it is a bargain at $59 per year.  In addition, class 2 membership provides unlimited certificates (i.e., no revocation fees), and 3 year validation.  The down side?
  • The class 2 identity verification is cumbersome.  
   The folks at StartSSL take integrity seriously (no joke).  Be prepared to dig up corporate minutes; letters from your CEO; provide your license; provide proof of personal and corporate addresses; and public notary.  My last mortgage was easier to obtain than my class 2 StartSSL membership.  The renewal process is only slightly easier.  To be fair, I must point out the irony of criticizing a public CA for their strong practice of integrity!

  1. StartSSL authenticates with personal certificates.  The authentication process is different from most other web sites, which authenticates with usernames and passwords.

  2. Mozilla FireFox is the preferred web browser for StartSSL management.  Examples provided were created with FireFox. 
Registration Process:

   Register with StartSSL to receive your free personal certificate. The following steps explain how to register and authenticate.

1.  Sign-up. 

 StartSSL certificates are available to anyone with a valid email address.  Sign-up for a free StartSSL account at:    

Enrollment Details.  

Provide your name, home and email address, and click submit.  StartSSL sends a verification code to the registered email account.  Enter the verification code and submit.

3.  Generate Private Key.  

The next step to the registration process generates a personal SSL certificate.  All SSL certificates consist of a private key and a public key.  The registration process creates a private key after the email address is verified.  Choose High Grade and click Continue.

4.  Install Certificate.  Click on install:
5.  Finish.  The personal certificate is automatically installed into the user certificate store. 

The personal SSL certificate is ready to authenticate user sessions on  It is a good idea to backup (i.e., export) the personal certificate at this point.

Next Up:  Part-two covers the StartSSL personal certificate authentication and management process.

Outlook freezes or locks up when using a personal certificate...

Last updated  September 13th, 2013 by Steven Jordan


Outlook 2013 has a bug that prevents message delivery after a certificate is installed from the Outlook Trust Center.  After adding the personal the certificate  Outlook freezes and locks after attempting to send.
Microsoft KB 2813237 indicates applications may freeze on Windows 8 when using password protected certificates.  Applying the hotfix resolved all Outlook certificate problems.  Email delivery, message encryption, and digital signature now work as expected. 
However, there was a negative side effect from the hotfix.   Internet Explorer was unable to authenticate using personal certificates. This problem affects both IE and Google Chrome.  The issue was a problem because I was unable to logon or authenticate to StartSSL.  Short-term solution was to use Firefox which maintains certificates independent of Windows.

 Specific Errors:
"Your digital ID name cannot be found by the underlying security system"
"Your Digital Id Name Cannot Be Found By The Underlying Security"

Uninstall all personal certificates via Internet Options. 
          Control Panel > Internet Options > Content > Certificates
After personal certificates are removed proceed to import the certificate from Internet Options.  If the personal certificate is added through Internet Options (do not install via Outlook 2013) Outlook automatically works with the certificate and IE continues to authenticate with the certificate.  I normally install certificates via the certificate management MMC so the approach was new to me.