STARTSSL, free SSL certificate application and Precautions

Free SSL certificate, https://www.startssl.com/

Installing to IIS differs from Nginx. Original http://blog.newnaw.com/?p=1232

------------Transferred from http://blog.newnaw.com/?p=1232-----------------------

Key part Red

If a Web site needs to provide HTTPS encrypted access, you must have a valid SSL certificate to prove your identity to the client. SSL certificates are usually issued by third-party organizations, with domain Validation (DV), organisation Validation (OV) and Extended Validation (EV) three levels, each corresponding to three levels of authentication from low to high, DV more relaxed, Ev the most stringent. Different certification methods, prices are different. such as DV-level certificate, STARTSSL can apply for a year free of charge, GeoTrust is 149$ each year, GoDaddy is 69.99$ each year, China's million-net price is 4200￥ per year. Personal use is of course the STARTSSL provides the highest cost performance, although free, but still in the Chrome,firefox,ie and other mainstream browser built-in trusted root certification authority, if it is used by commercial or institutional, you can choose the top certification authority (of course, does not include the flow of millions of networks), Demonstrate identity. Here's how to apply for a free certificate on startssl.com and deploy it to IIS.

1. First, you need to register on the startssl.com. The site is a client certificate authentication method, so the process of registration is to fill in their data, the mail received the verification code, and then obtain and install in the browser Startssl a client certificate generated. In this way, when you log in to startssl.com as yourself, you will need to access startssl.com directly from the browser where you installed the above step certificate, without having to enter the username password. After this authentication certificate is lost, it is only possible to re-enroll, so it is recommended that you back up the certificate, as described in how do I backup my client certificates. After you have backed up, you can install the certificate on another computer or browser to make it easy to log in to startssl.com.

2. After registration, to apply for a certificate to a domain name, you need to verify the domain name to prove that you are the owner of the domain name. Startssl is using the domain name owner mailbox verification, so in the Validations Wizard, select Domain name Validation, follow the wizard to complete the verification.

3. The next step is to request an SSL certificate for the authenticated domain name. Select Web Server SSL/TLS Certificate in the Certificates wizard, and then go to the Create private key (Generate private key) step.
　　

Because SSL/TLS uses asymmetric encryption, the private key and public key must be combined to establish a proper secure connection. The private key is held by the server side, confidential, private, and public key is included in the certificate that the client sees when it accesses the HTTPS Web site, which is obtained when the client accesses it. The public and private keys are correctly paired before a secure connection can be established. Fill in the 10-bit password protected by the private key file, continue,
　　

To get a piece of encrypted text, save the text as a. Key file, such as Privatekey.key, as a private key. Here you can also pre-use the OpenSSL tool or the IIS Wizard to generate a certificate request (. csr file) that contains your own extra information and contains the private key, so you can skip the Generate private key step. Then select the domain name you want to create a certificate for, and enter a subdomain, and the final request certificate will work on that subdomain.
　　

Startssl's free certificate can only be used for a subdomain, if you want to request a certificate for multiple subdomains or to request a certificate in the form of a wildcard, you will need to pay for the Class2 level certificate they provide. Continue to the next step, after confirmation, you can get a text that is a signed certificate issued to your website by Startssl, Save it as a. crt file, such as SSL.CRT (this certificate is a file that is available when a Web site client accesses an HTTPS connection, essentially a file that contains the public key, the server name, the CA authentication signature, and other information). Also in this interface it is best to follow the prompts to save an intermediate (intermediate) certificate file Sub.class1.server.ca.pem, which may be used in some places.
To this, we got a privatekey.key private key file, a SSL.CRT certificate file (containing the public key), and a SUB.CLASS1.SERVER.CA.PEM intermediate certificate file. Before configuring the SSL.CRT public certificate file for your website, we also need to generate two files that might be used elsewhere. The first is the decrypted private key file (decrypted private key), such as the one needed to deploy the certificate in Nginx. This step can be done with the Toolbox–>decrypt Private key tool provided by the OpenSSL tool or the startssl.com website, saving the results as Decryptedprivatekey.key.The second is the pkcs#12 archive file (*.pfx or *.P12), which essentially contains the. CRT certificate file for all content, the private key, and the encrypted information file, which is required when deployed in IIS. The Toolbox–>create pkcs#12 (PFX) file tool, available on the startssl.com Web site, can be used to pass in the private key file Privatekey.key and the certificate file Ssl.crt, resulting, Save as PFXARCHIVE.P12.
4. Deploy the certificate on the computer that corresponds to the domain name, for example, IIS. The operation process is very simple, in the IIS root node of the server certificate function, right-click, import, according to the wizard to enter the Pfxarchive.p12 file just received,
Finally, in the IIS Web site bindings, specify port 443 to use the certificate that we imported.
This way, when you access this website with HTTPS, you will be able to see the certificate we have requested.

STARTSSL, free SSL certificate application and Precautions