Last active October 22, 2023 07:52
Free SSL certificate HOWTO

How to get a free SSL certificate

I'm writing this up from memory, so errors may appear.

This has been updated to use SHA256 certificates.


  1. Go to
  2. Click on 'Control Panel'
  3. Click 'Express Lane'

Identity validation

  4. Fill in the form, submit
  5. Check your email for the validation code, enter it, submit
  6. You'll get a client-side certificate, valid for 1 year, installed in your browser's storage. Think of it as your StartSSL account password. Make a backup.

Domain validation

  7. Enter your domain name
  8. Choose which email address you want to validate (postmaster@, hostmaster@, or webmaster@)
  9. Check your email for the validation code, enter it, submit

Certificate generation

  10. Skip the generation step on the StartSSL website because you'll do it on your server directly
  11. On your Linux machine, create a req.cfg for OpenSSL so you won't have to answer questions repeatedly:
[ req ]
default_bits            = 2048
default_keyfile         = privkey.pem
distinguished_name      = req_distinguished_name
prompt                  = no

[ req_distinguished_name ]
countryName                     = LT
stateOrProvinceName             = .
localityName                    = Vilnius
organizationName                = Vardenis Pavardenis
organizationalUnitName          = .
commonName                      =
emailAddress                    =
  12. openssl req -config req.cfg -newkey rsa:2048 -nodes -keyout -sha256 -out
  13. chmod 600 -- this is your private key, keep it secret!
  14. copy the text from into the StartSSL web form, submit
  15. choose the validated domain from step 7, then choose the desired subdomain
  16. copy the text of the certificate into a file called

Installing the certificate into Apache on Ubuntu/Debian systems

  17. copy/move into /etc/ssl/certs/ on your web server
  18. copy/move into /etc/ssl/private/ on your web server
  19. download
  20. copy/move the downloaded into /etc/ssl/certs/startssl-class1-intermediate-sha2.crt
  21. put this in your Apache config (e.g. inside a <VirtualHost *:443> directive):
    SSLCertificateFile /etc/ssl/certs/
    SSLCertificateKeyFile /etc/ssl/private/
    SSLCertificateChainFile /etc/ssl/certs/startssl-class1-intermediate-sha2.crt
  22. sudo a2enmod ssl
  23. sudo apache2ctl configtest && sudo apache2ctl graceful


  24. openssl s_client -connect -servername -CApath /etc/ssl/certs < /dev/null
  25. visit and test it there too
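The certificate-generation steps (req.cfg, openssl req, chmod 600) and the chain-file and testing steps above, as an added example that is not part of the gist. It runs entirely in a temporary directory: the hostname www.example.test is constructed, and a throw-away root CA plus intermediate CA stand in for StartSSL's root and class-1 intermediate, so the CSR check and the chain check can be exercised offline. It assumes only the openssl command-line tool.

```shell
#!/bin/sh
# Added example, not code from the gist. Everything runs in a temp directory
# with a constructed hostname (www.example.test) and a throw-away root CA and
# intermediate CA standing in for StartSSL's. Requires the openssl CLI.
set -eu

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT
HOST=www.example.test

# A req.cfg in the same shape as the gist's, subject fields filled with
# constructed values; prompt=no means openssl asks no questions.
write_req_cfg() {
    cat > "$WORK/req.cfg" <<'EOF'
[ req ]
default_bits            = 2048
default_keyfile         = privkey.pem
distinguished_name      = req_distinguished_name
prompt                  = no

[ req_distinguished_name ]
countryName                     = LT
localityName                    = Vilnius
organizationName                = Vardenis Pavardenis
commonName                      = www.example.test
emailAddress                    = webmaster@example.test
EOF
}

# Steps 11-13 of the HOWTO: key + CSR from req.cfg, key kept private.
# Before pasting the CSR into the CA's form, confirm it verifies against
# its own key and carries the CN you expect.
make_csr() {
    write_req_cfg
    openssl req -config "$WORK/req.cfg" -newkey rsa:2048 -nodes -sha256 \
        -keyout "$WORK/$HOST.key" -out "$WORK/$HOST.csr" 2>/dev/null
    chmod 600 "$WORK/$HOST.key"
    openssl req -in "$WORK/$HOST.csr" -noout -verify >/dev/null 2>&1
    openssl req -in "$WORK/$HOST.csr" -noout -subject | grep -q "CN *= *$HOST"
}

# Stand-ins for the root and the class-1 intermediate (step 19), each a CSR
# signed with explicit CA extensions so nothing depends on the system
# openssl.cnf. The server cert is what the CA would hand back (step 16).
make_chain() {
    write_req_cfg
    printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign,cRLSign\n' > "$WORK/ca.ext"
    openssl req -config "$WORK/req.cfg" -newkey rsa:2048 -nodes -sha256 -subj "/CN=Demo Root CA" \
        -keyout "$WORK/root.key" -out "$WORK/root.csr" 2>/dev/null
    openssl x509 -req -in "$WORK/root.csr" -signkey "$WORK/root.key" -days 2 -sha256 \
        -extfile "$WORK/ca.ext" -out "$WORK/root.crt" 2>/dev/null
    openssl req -config "$WORK/req.cfg" -newkey rsa:2048 -nodes -sha256 -subj "/CN=Demo Intermediate CA" \
        -keyout "$WORK/int.key" -out "$WORK/int.csr" 2>/dev/null
    openssl x509 -req -in "$WORK/int.csr" -CA "$WORK/root.crt" -CAkey "$WORK/root.key" \
        -CAcreateserial -days 2 -sha256 -extfile "$WORK/ca.ext" -out "$WORK/int.crt" 2>/dev/null
    printf 'basicConstraints=CA:FALSE\nsubjectAltName=DNS:%s\n' "$HOST" > "$WORK/srv.ext"
    openssl x509 -req -in "$WORK/$HOST.csr" -CA "$WORK/int.crt" -CAkey "$WORK/int.key" \
        -CAcreateserial -days 1 -sha256 -extfile "$WORK/srv.ext" -out "$WORK/$HOST.crt" 2>/dev/null
}

# Steps 20-21 and 24: what SSLCertificateChainFile buys you. With the
# intermediate supplied, the server cert chains to the root and matches the
# hostname (the -servername part of the s_client test); without it,
# validation fails, which is the untrusted-issuer warning a half-installed
# certificate produces in clients that do not fetch intermediates themselves.
verify_with_chain() {
    openssl verify -CAfile "$WORK/root.crt" -untrusted "$WORK/int.crt" \
        -verify_hostname "$HOST" "$WORK/$HOST.crt" >/dev/null 2>&1
}
verify_without_chain() {
    openssl verify -CAfile "$WORK/root.crt" "$WORK/$HOST.crt" >/dev/null 2>&1
}

# Step 13 check: the private key must not be group- or world-readable.
key_mode() {
    stat -c %a "$WORK/$HOST.key" 2>/dev/null || stat -f %Lp "$WORK/$HOST.key"
}

run_demo() {
    make_csr
    make_chain
    if verify_with_chain; then echo "with intermediate: chain OK"; else echo "with intermediate: FAILED"; fi
    if verify_without_chain; then echo "without intermediate: unexpectedly OK"; else echo "without intermediate: fails as expected"; fi
    echo "private key mode: $(key_mode)"
}

run_demo
```

On a real server the same two openssl verify calls, pointed at the certificate you copied into /etc/ssl/certs/ and the downloaded intermediate, tell you before the Apache restart whether the chain file you are about to configure is the right one.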

Certificates for multiple subdomains

  1. Edit /etc/apache2/ports.conf and make sure it contains NameVirtualHost *:443
  2. Go to, click 'Control Panel', choose the 'Certificate Wizard' tab, ask for a new web server certificate.
  3. Generate a new CSR and a new certificate, install it as per the above (steps 10--25).


  • this requires SNI, which means users stuck with Windows XP or Internet Explorer 6 will not be able to see the right certificates and may get scary security warnings
  • to get a wildcard certificate or a single certificate valid for multiple subdomains you have to perform Class 2 identity verification (i.e. send StartSSL $59.90 and also scans of two different valid photo IDs, e.g. passport and driver's licence)

Certificates for multiple domains

Same as above, except you also need to perform domain validation again.

mgedmin commented Oct 23, 2013

Greylisting makes the validation process painful (as in: delays of ~1 hour between form submission and email arrival, even if your postgrey is configured to greylist for only 5 minutes). If you use postgrey, you may want to add to your /etc/postgrey/whitelist_clients (untested; actual client IPs resolve to names like,,

dcorto commented Feb 26, 2016

In Step 1 of Certificate Generation, it must be "openssl req -config req.cfg -newkey ...." instead of .conf :)

I've been using this service for a few years, and this time I wanted to get a new cert, but sadly I found that the service was bought by WoTrust and sadly it's not free anymore.