Setup Web Server with free StartSSL certificate

Sunday, March 10, 2013

You can easily setup a Ubuntu Web Server with SSL (not self-signed) using free SSL certificate. This post will show you step wise process to implement it.

The setup starts assuming you have installed LAMP or apache

So Lets Start

Enabling mod_ssl
To enable apache's SSL module, run...
a2enmod ssl

... and restart Apache:
/etc/init.d/apache2 restart

Apache should now be listening on port 443 (HTTPS):
netstat -tap | grep https

root@server1:~# netstat -tap | grep https
tcp6       0      0 [::]:https              [::]:*                  LISTEN      1238/apache2

Setting Up The Vhost 

I will now create the vhost with the document root /var/www/

First I create that directory:
mkdir /var/www/

Apache comes with a default SSL vhost configuration in the file /etc/apache2/sites-available/default-ssl.

We use that file as a template for the vhost
cp /etc/apache2/sites-available/default-ssl /etc/apache2/sites-available/

... and open /etc/apache2/sites-available/
vi /etc/apache2/sites-available/

Make sure you use the correct IP address in the <virtualhost> line (* in this example); Also fill in the correct ServerAdmin email address and add the ServerName line. Adjust the paths in the DocumentRoot line and in the <directory> directives

As you see, this vhost uses the default self-signed snakeoil certificate that comes with Ubuntu/Debian:
SSLCertificateFile /etc/ssl/certs/ssl-cert-snakeoil.pem
SSLCertificateKeyFile /etc/ssl/private/ssl-cert-snakeoil.key

Now disable the default SSL vhost (if it is enabled), enable the vhost and reload apache:
a2dissite default-ssl
/etc/init.d/apache2 reload

Now open a browser and go to your new SSL vhost ( in this case). Because we are using Debian's/Ubuntu's default self-signed certificates, we should get a warning that the connection is untrusted

Setting it all up I run Debian stable on my servers. At the time of writing this is Debian Lenny with Apache 2.2.9. Substitute for your domain name where applicable.

Authenticating with StartSSL

 Note: As of the time of writing, Chrome has some issues with SSL client certificates which will cause you problems. I recommend using Safari (or Firefox if that's your thing).If this is your first time using StartSSL, you'll need to create an account. Click on Control Panel and then on Sign-up. Fill out all the details and you'll get an SSL client certificate which you use to authenticate with the website.

The client certificate expires after a year so you'll have to create a new one when it comes time to renew your server certificate. StartSSL will send you an email when both are coming up for renewal. To create a new client certificate, first reverify your email address under Validations Wizard: Email Address Validation and then create a new certificate under Certificates Wizard

Requesting a server certificate Validations Wizard: Domain Name Validation Certificates Wizard: Web Server SSL/TLS Certificate
openssl req -new -newkey rsa:4096 -days 365 -nodes -keyout -out
Pick the CSR option when prompted and upload the contents of You will also be prompted for a hostname underneath your domain. I run a no-www shop so I used my server's hostname ( If you want to run, enter www here.

As of this point the .csr file is no longer required and can be removed. Alternatively you could generate a CSR with a longer expiry and reuse it next year.

And now we wait for certificate to be issued. This usually happens within the half hour. When you receive the certificate signing confirmation email, download the following certificates:
Toolbox > Retrieve Certificate: You will see your newly created certificate. Save it as
Toolbox > StartCom CA Certificates: Download "StartCom Root CA (PEM encoded)" (ca.pem)
Toolbox > StartCom CA Certificates: Download "Class 1 Intermediate Server CA" (

Configuring server certificate
Copy the .crt, .key and .pem files to /etc/apache2/ssl on your server.
sudo mkdir /etc/apache2/ssl
sudo cp ca.pem /etc/apache2/ssl
sudo cp /etc/apache2/ssl
sudo cp /etc/apache2/ssl

Configuring Apache Run the following commands as root:
cd /etc/apache2/ssl
mv ca.pem
cat > startssl.chain.class1.server.crt
cat{key,crt} startssl.chain.class1.server.crt >
ln -sf apache.pem
chown root:ssl *.crt *.key *.pem
chmod 640 *.key *.pem

Edit /etc/apache2/sites-available/ssl and add the following within the <virtualhost> block:
SSLEngine On
SSLCertificateFile /etc/apache2/ssl/
SSLCertificateKeyFile /etc/apache2/ssl/
SSLCertificateChainFile /etc/apache2/ssl/startssl.chain.class1.server.crt

At this point you'll want to configure the rest of Apache for SSL if you haven't already.

Check that your Apache config parses as valid:
apache2ctl -t

And then restart Apache with the new config:
/etc/init.d/apache2 reload

Verifying everything worked Run the following after restarting Apache to check the certificate chain:
echo HEAD / | openssl s_client -connect localhost:443 -quiet > /dev/null

You should see something like:
depth=2 /C=IL/O=StartCom Ltd./OU=Secure Digital Certificate Signing/CN=StartCom Certification Authority
verify error:num=19:self signed certificate in certificate chain
verify return:0
That's it you successfully configured an SSL Web Server!!

No comments: