...

SSLShopper provides a great overview of the different types of SSL certificates available with various pros and cons. If you are still unsure, try using the SSL Shopper Wizard to guide you to the right type of certificate with a list of possible CAs.

Select CA

Specifically for Ubuntu, we perform the additional pre-check to ensure that the candidate CA's public certificates are part of the Ubuntu Certificate Repository.

Note

This is not a requirement. You can manually add the CA certificates or import them into the Ubuntu Certificate Repository. However, it is highly recommended to let the operating system do the work of managing the CA certificates.

Sample Selection

In this example, after running the SSL Shopper Wizard, the first CA of interest is StartCom, which has a "free as in beer" SSL certificate package called StartSSL Free.

Check CA Keys Against OS Certificate Repository

This is not a requirement, but future maintenance is easier if the CA keys are managed and updated by the operating system. If you import these certs manually, they will not be managed by Ubuntu and will eventually expire, whereas if the OS manages the certs, the OS will renew them.

To determine if StartCom is part of the Ubuntu Certificate Repository,

Code Block
cd /etc/ssl/certs
ls | grep -i start # perform case insensitive search for the keyword "start"

The result,

Code Block
StartCom_Certification_Authority.pem
StartCom_Ltd..pem
StartSSL_Sub_Class1_CA.pem

Info

StartSSL_Sub_Class1_CA.pem may not exist

Most likely StartCom_Certification_Authority.pem is the highest level root CA certificate and the other two certificates are chain certificates.

Because the naming convention and the number of certificates required differ from CA to CA, you must do some reading and searching on the CA's website.

The key things to search for are,

  1. Download of the root CA certificate
  2. Determination if any chain certificates are required and where to download them

In this case I found the answers at the StartCom How to Install Apache Server webpage, which also indicates through its sample Apache configuration that,

  • ca.pem is the root CA certificate
  • sub.class1.server.ca.pem is the chain certificate

The next step is to match up the certificates from StartCom against the Ubuntu Certificate Repository.

Code Block
cd ~
# Fetch the CA's published root certificate and compare it with the copy Ubuntu ships
wget http://www.startssl.com/certs/ca.pem
diff ca.pem /etc/ssl/certs/StartCom_Certification_Authority.pem

The diff command did not return any differences, which means that the files match exactly. As such, StartCom_Certification_Authority.pem may be used.

Next, check whether the chain certificate already exists in the Ubuntu Certificate Repository.

Code Block
wget http://www.startssl.com/certs/sub.class1.server.ca.pem
diff sub.class1.server.ca.pem /etc/ssl/certs/StartCom_Ltd..pem
2,35c2,29
< MIIGNDCCBBygAwIBAgIBGDANBgkqhkiG9w0BAQUFADB9MQswCQYDVQQGEwJJTDEW
< MBQGA1UEChMNU3RhcnRDb20gTHRkLjErMCkGA1UECxMiU2VjdXJlIERpZ2l0YWwg

The diff command returned differences.

Given there are no matches, we need to manually install the chain certificate.
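The diff checks above compare files byte for byte against one guessed filename, so a copy with extra text around the PEM block reports differences even when the certificate is identical. The following added example (not part of the original page) compares SHA-256 fingerprints instead and scans every .pem file in the store. The function names cert_fp and find_in_store are made up for this example, and it assumes the openssl command-line tool is installed.

```shell
#!/bin/sh
# Added example: match a downloaded CA certificate against the OS
# certificate store by SHA-256 fingerprint instead of a textual diff.

# Print the SHA-256 fingerprint of the first certificate in a PEM file.
# Prints nothing if the file does not contain a parsable certificate.
cert_fp() {
    openssl x509 -in "$1" -noout -fingerprint -sha256 2>/dev/null | cut -d= -f2
}

# find_in_store CERT [STORE_DIR]
# Prints every *.pem file in STORE_DIR (default /etc/ssl/certs) that holds
# the same certificate as CERT.
# Exit status: 0 = at least one match, 1 = no match, 2 = CERT unreadable.
# The body runs in a subshell so its variables do not leak to the caller.
find_in_store() (
    cert=$1
    store=${2:-/etc/ssl/certs}
    want=$(cert_fp "$cert")
    [ -n "$want" ] || { echo "cannot parse certificate: $cert" >&2; exit 2; }
    rc=1
    for f in "$store"/*.pem; do
        [ -f "$f" ] || continue          # skip the literal pattern if no files
        if [ "$(cert_fp "$f")" = "$want" ]; then
            echo "$f"
            rc=0
        fi
    done
    exit "$rc"
)

# When run as a script with arguments, e.g.
#   sh find_in_store.sh ca.pem
#   sh find_in_store.sh sub.class1.server.ca.pem /etc/ssl/certs
# print the matching store files and exit with the status described above.
[ "$#" -eq 0 ] || find_in_store "$@"
```

A match also confirms that the file fetched over plain HTTP is the same certificate the OS already trusts; a certificate with no match has not been verified by this check.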

Warning

Need to write the instructions here.

  • I need to secure one domain name or network name
  • I just need it to be secure with no warning messages
  • Price range per year $0-$100

A simple SSL certificate is available for free from the CA StartCom in an SSL certificate package called StartSSL Free.

SSL Process

Generate Server Private Key

...

The CA takes the public key from your CSR, signs it with its own private key, and returns the result as your server certificate.

Warning

Provide a link sub-page to explain the CA signing process as an example.

Download Signed Server Certificate

...

The text file should be saved with the domain name and the crt extension and is your public key signed by that CA. In this example, it will be earth.com_server.crt.

Warning

This next section should be expanded and moved out into Provide a sub-page to explain the CA signing process as an example.

Download Chain Certificate

Almost all CAs require the server to install a chain certificate.

You may download the chain certificate from your CA's website (you may need to search for it) or more conveniently download from SSLShopper's list of Chain Certificates and respective CA Installation Instructions.

Store Certificates

In Ubuntu, the default locations for SSL certificates are,

...