Monday, September 7, 2015

Free SSL Certificate for Securing Email and Websites

I have been looking for free SSL certificates for enabling HTTPS on a few web servers. HTTPS has been promoted by many organizations and individuals because it provides privacy and anonymity to eavesdroppers besides other benefits. The performance penalty of running a HTTPS web server than HTTP counterpart appears to be small.

Finally, I found these two free certificate providers,
Since SSL certificates are for authenticating domains and encrypting network traffic, those who are acquiring the certificates must go through a validation process. The Wikipedia article on Public key certificate has an discussion on it. Based on the rigor of the vetting process during the validation, the validation process are categorized as "Domain Validation", "Organization Validation", and "Extended Validation".

The above free certificates only require "Domain Validation", which is probably the reason that the vendors could provide them for free since the "Domain Validation" can be automated via electronic means, i.e., via emails sent to domain registrants listed in the WhoIs database, or via HTML documents uploaded to websites to be secured.

Modern web browsers typically turn the address bar green if the certificate of a visited website passed Extended Validation.

StartSSL describes the free certificates well on their site as follows,

Because the checks are performed mostly by electronic means, they require only minimal human intervention from our side. The validations are here to make sure, that the subscriber is the owner of the domain name, resp. email account. You may find additional information on this subject in our CA policy.

The StartSSL™ Free certificates are intended for web sites which require protection of privacy and prevent eavesdropping. However information presented within these certificates, except the domain name and email address, are not verified. Should you need higher validated certification, please check out our StartSSL™ Verified (Class 2) certificates.

I tried the WoSign Free Certificates because WoSign provides certificates of 3-year period while StartSSL only provides 1-year period. As lazy as I am, a 3-year period certificate does save me a few key strokes to renew and install the certificates on the websites.

The process is simple.
  1. Sign up an account on the WoSign's Free SSL Certificate web page.
  2. Go back the WoSign's web page with the account information
  3. Request certificates, for which, I chose to generate a Certificate Signing Request (CSR) myself. In my case, I use OpenSSL as follows,
    openssl req -new -newkey rsa:2048 -nodes -keyout mywebsite.key -out mywebsite.csr

    Then, copy and paste the content of the CSR to the WoSign's page in which the certificate is being requested.

    Note that the key length must be 2048-bit long. Save mywebsite.key for a late use (in step 5).

  4. Validate the website owner ship by uploading a HTML document provided by WoSign to the website under the website's web root directory
  5. Upon completing the validation install the certificate. I am running an Apache web server. It requires me to uncomment or update these three lines in the configuration file (that is, in my case, /etc/httpd/conf.d/ssl.conf)
    SSLCertificateFile     /etc/pki/tls/certs/2_mywebsite.crt
    SSLCertificateKeyFile  /etc/pki/tls/private/mywebsite.key
    SSLCACertificateFile   /etc/pki/tls/certs/1_root_bundle.crt

    Note that in the above 2_mywebsite.crt and 1_root_bundle.crt are from WoSign and mywebsite.key is the secrete key generated in step 3.
  6. Restart the Apache web server, in my case,
    systemctl restart httpd.service

  7. Final step is to test the website is up and the certificate is installed properly. To verify that the website is up, grab a computer and point a web browser to the website's URL using the HTTPS protocol. To verify the certificate is installed propertly, simply click on the "lock" icon next to the website address in the address bar of the web browser. The browser will show the certificate information.

If you have spotted and tested free SSL certificates from other vendors, please share with me via commenting on this post.

No comments:

Post a Comment