Free SSL Certificate with StartSSL and Mac OS X

Start SSL by Lewis Miller

Up until now I have been using a self-signed certificate for securing and encrypting areas of my website that I wish to keep away from prying eyes. However, I found that I wasn’t able to stream media that I have contained within these HTTPS’d directories to VLC. I think VLC refuses to connect to sites with a self-signed certificate, but I am not 100% sure on that – it may be the case that I didn’t realise I had to place some certificates somewhere. In any case, this lack of connectivity, and thus streaming, was my main motivation in procuring a real, signed SSL certificate. But of course, I couldn’t deal with paying for it!

I found a free SSL CA in the form of StartSSL (another one I found is CAcert, but I didn’t end up using them). Unfortunately their FAQ and installation steps aren’t that great, which is why I am going to try and break it down nice and easy!

To start using StartSSL is relatively simple. Simply click Sign Up and enter the few details that the site requests. Next, you’ll be brought to a page that requests a verification code that has been sent to the email that you signed up with. After entering it you’re normally told that you have to wait 6 hours or less for your account to be verified. I found it took much less time than that. After your account is verified, and you enter the code, your browser (in my case, Safari) will download a .crt file. This certificate is very important! It is your login to the StartSSL control panel. As soon as it’s downloaded, double-click it. Keychain Access will now prompt you to install the certificate – do it!

Safari 5.1 (or the site) has a bug whereupon the browser will crash when you try to access the control panel even though you have the correct authentication details. In order to overcome this, you must use a different browser. The simplest one to use is Google Chrome as it pulls the certificate data directly from Keychain, but in an email exchange, I was informed by StartSSL that Chrome “has other issues”. The only browser that seems to work perfectly is Firefox. However, the certificate and private key must be imported into Firefox in the form of a .p12 file.

In order to get this .p12 file, go into Keychain Access, select the login keychain, and the All Items category. Now select the certificate you downloaded from the site and installed (its name will be the email address you used) and your private key (probably called “key from”. With only these two items selected, right-click on one of them and select “Export 2 items…”. Make sure the File Format is Personal Information Exchange (.p12). Put in whatever password you like for exportation and then enter your admin password. Now in Firefox go to Preferences –> Advanced –> Encryption –> View Certificates. Make sure you’re on the “Your Certificates” tab. Now click “Import…”. Select the .p12 file you created and enter the password you chose when you exported it. It’s now imported and you can now use Firefox to access the StartSSL control panel!

So, back at the StartSSL control panel, we’re going to create a certificate to add in to something like Lighttpd or Apache. First we have to validate a domain. Click the Validations Wizard tab. Select Domain Name Validation. Now enter your domain name and its TLD. The vast majority of TLDs are selectable, but unfortunately (a free domain name) isn’t (I recreated my domain under another free domain name, .tk, which is selectable). After you click Continue you’ll be asked to select an email address (from a finite list) that you wish a verification code to be sent to. If you don’t have one of these email addresses that they ask for set up, you’ll have to set it up (I use Google Apps which makes it incredibly easy to add extra email address aliases, and domain aliases too).

Now we have a domain ready to go! What we need to do now is prepare a Certificate Signing Request (CSR). I did this with Lighttpd in mind, but this stage should work for Apache too. Drop into your server’s CLI, cd to wherever you want to keep your certs (like /etc/lighttpd/certs) and do sudo openssl req -new -newkey rsa:2048 -nodes -keyout server.key -out server.csr and answer the questions – make sure at the Common Name or Domain Name step you type the domain name that you want to secure, like “”. cat the server.csr file and copy exactly what’s inside it.

Back in the StartSSL control panel, go to the Certificates Wizard tab. Select Web Server SSL/TLS Certificate. As we’ve created a CSR, we can click Skip. Now paste in the CSR that you copied. Unless you already did this at the domain name validation step, you’ll have to choose a subdomain in addition to your standard domain name. I recommend www, but you can choose any. For free validations, you can only have one subdomain. Now you should finally have your SSL cert! Woohoo! Copy the SSL cert and paste it into a file on your server. Save As the root and intermediate CA certificates (I wget’d them straight to the server). Now create your final .pem by combining your server’s private key with the SSL certificate you just copy/pasted: sudo cat server.key ssl.cert > domainname.tld.pem

Make sure you do a sudo chmod 0400 on the certs so no-one but root and the webserver can read them. If it doesn’t work when you restart the webserver you probably need to sudo chown webserver-user:webserver-user on the certs too.

Lastly, you need to add the certificates to your webserver’s configuration. For Lighttpd, you’ll want a block similar to this in your .conf:

$SERVER["socket"] == ":443" {
        ssl.engine = "enable"
        ssl.pemfile = "/etc/lighttpd/certs/domainname.tld.pem" = "/etc/lighttpd/certs/sub.class1.server.ca_int.pem"

It’s better to use the intermediate certificate as it adds another level of security.

Now simply restart Lighttpd and enjoy your signed HTTPS! Leave a comment if you encounter any problems.

And relating to this post, you can use your signed SSL certificate with Deluge by simply cat‘ing the domainname.tld.pem file and saving the RSA Private Key section to daemon.key and the Certificate section to daemon.cert. Then put these in the relevant folder (something like ~/.config/deluge/ssl/), chmod them to 0400 again, chown them to Deluge’s user, and then restart the Deluge daemon.

11 thoughts on “Free SSL Certificate with StartSSL and Mac OS X

  1. Pingback: Installing Deluge on Debian Lenny | lewis::blog

  2. Nice article! If I may make a suggestion, for as long Safari still has an issue, why not signing up at StartSSL right away with Firefox and avoid the hassle of exporting and importing the client certificate? 🙂

    As such, it’s not entirely clear what’s up with Safari on OS X, but it does work for most correctly.

    • Thanks Eddy 🙂 And I’m flattered that you checked out my blog!

      That’s definitely a good idea, but I know that most people will probably use the default browser so I thought it wise to leave instructions just in case.

      It works for most people correctly? Perhaps it’s an issue with a haxie like APE or something. Do you know if the issue existed before version 5.1?

  3. We received a couple of reports about Safari crashing, in the meantime no new reports recorded. Not sure if there was a bug or other issue, but it’s certainly not something that should happen (and actually never did before).

  4. Hi,

    Nice how-to… Thx a Billon.May I ask you which config in dot tk is the best within the following list?
    -Dns Forwrading?
    -TK Free DNS?If yes which type A, CNAME…?
    -or Custom DNS? If yes did you use startssl dns?

    Thank in advance to spend time for me

    • Hi Nicolas,

      My pleasure, glad it’s helping! 🙂

      Domain Forwarding won’t help here as it simply means the .tk domain will redirect you to another domain name.

      You should choose Free TK DNS if you don’t have an account with a DNS provider. You should choose Custom (3rd party) if you do. I chose Custom DNS as I have my DNS set up with ClouDNS.

      I’m going to assume you’ll choose Free TK DNS. In this case, the main thing you need to do to actually get the domain working is put an A record for your server’s IP address. For instance: A

      That’s one of the A records for this server. Yours will be like: A

      Now will point to your server. You just need to wait for it to propagate.

      If you need help with Google Apps, have a look at Google’s help pages, there’s plenty of info 🙂

      Good luck!

    • Hi Zeroedout,

      Not quite sure how I didn’t see this, sorry! I discovered this the other day, much to my frustration. I’ll have a look through to see if they still support any free ones, but I’m not sure if they do. Maybe we’ll have to put the cash for a domain 🙁

    • Hello again!

      Just had a look and it seems that is available to use! is available too. But hurry, are closing registrations permanently at the end of October 2012.


Leave a Reply

Your email address will not be published. Required fields are marked *