How to obtain and install an FREE SSL/TLS certificate for personal website?

As you known, since August 2014, Google announced that theyre starting to use HTTPS as a ranking signal. Don’t care about it too much because it is simply one more ranking signal among the other speculated 200 signals Google uses to rank websites. But it has stated that this may change over time as Google encourages all site owners to switch from HTTP to HTTPS.
Are you Webmaster? Or you owned one or more than one websites? In this article I’ll describe how to get a FREE SSL/TLS certificate as a simple case without pay $50-$60 for similar services.

Why you can’t use a self-signed certificate

Yes, you can self-signed your certificate and implent it into your server but it is NOT verified or it is not a valid certificate. When a visitor come to your website, they will get a warning message about the un-secured connection and ask they install the certificate (by trusting it permanently). Why?
When you connect via a browser to a secure website, for instance, the browser does some handshaking with the server, receives a certificate which contains a public key and some other fielded data, and then turns to a CA to confirm that the certificate is valid. If the certificate has a valid signature from a third party that your browser trusts, then it will trust the remote server. That’s mean you need a person / organizer to confirm your certificate is valid. That’s where certificate authorities (CAs) come in. A CA is a group that provides some validation, from cursory to extensive (in the case of Extended Validation certificates), that the party that signed up for a certificate for a given domain name is approximately that entity.

How To Get Your Very Own Free SSL Certificate

Most Certificate Authorities (CA) charge a lot of money to verify your company to use an SSL certificate. For those us who don’t run mission critical portals, that is not an option. You can get one free from StartComSSL and CAcert.
They were:

• The main technical disadvantage would only be that if a free CA is not widely accepted by browser or operating system makers, then the certificates they generate may also not be trusted.
• Only class-1 validation are free. That is I can have a certificate that validates my identity.
• I didn’t get a reminder email when the certificate expired. Having to renew the certificate every year.
• A certificate is only valid for one domain is quite limiting. Every different subdomain needs its own certificate; they can’t use UCC or wildcards. This may get complicated quickly.
• You must backup your keys based on an installed client certificate in your browser, they don’t backup for you. This can be an issue if you change computers or upgrade your OS and didn’t keep a backup of installed client certificates.
• There are two things that could cost you money.
  1. You need more features or full features of SSL/TSL certificate, they’ll ask you to pay for a higher level certificate.
  2. If your certificate needs to be revoked someday, they will charge you a fee.

Get FREE SSL/TSL Certificate from StartComSSL

StartCom’s StartSSL service offers a Class 1 certificate at no cost, with fees for higher levels of identity validation. Essentially, you pay for validations, not certificates.

• A basic Class 1 certificate doesn’t validate all your details; email to a known domain contact address is the only real check.
• A Class 2 or 3 certificate with your identity or your organization’s identity is $60 for two years. An extended validation certificate, which uses an industry standard for checking a submitter’s details, is $140 for two years, and will tell a browser to show a green bar on connection.

To get started, visit their signup page and enter your information.

They’ll email you a verification code. They tell you to not close the tab or navigate away from it, so just keep it open until you get the code, and can paste it in.
You’ll need to wait for certification, but it should only take a few minutes. Once you’re approved, they’ll email you a special link and a verification code to type in.
That’ll bring you to a screen to generate a private key. They’re generating you this private key inside your browser. They will ask you to Generate a private key and you will be provided with the choice of High or Medium grade. Go ahead and choose High. However, this isn’t the key you use to make your SSL certificate. They’re using it to create a separate “authentication certificate” that you will use to log in to StartSSL’s control panel going forward. You’ll make a separate certificate for your website later.
Once your key is ready, click Install. This means your browser is now authenticated with your new certificate and you can log into the StartSSL authentication areas using your new certificate. Click on the Control panel link again, and choose the Authenticate option.

You will need to validate your domain name to prove that you own the domain you are setting up a certificate for. Click over to the Validations Wizard and set Type to Domain Name Validation.

Check the email inbox for the email address you selected. You will get yet another verification email at that address, so like before, copy and paste the verification code into the StartSSL website.
Next, go to the Certificates Wizard tab and choose to create a Web Server SSL/TLS Certificate. After provide Private Key Password you will receive a private RSA SSL key

When you click continue, you will be asked which domain you want to create the certificate for:

You will be asked what subdomain you want to create a certificate for. In most cases, you want to choose www here, but if you’d like to use a different subdomain with SSL. Then you get a confirm page before Processing Certificate

When StartComSSL finished, you save your certificate as ssl.crt then use it for your VPS.
Don’t for get to save the StartCom Root CA and StartSSL’s Class 1 Intermediate Server CA in order to authenticate your website though, they provide the links about Finish button or you can find it in Toolbox panel and choose StartCom CA Certificates.

CAcert Free Certificate Authority

CAcert is the completely free Certificate Authority. But the most disadvantages is CAcert Certificates aren’t currently trusted in any major browsers.

• It is currently only included in a few open source operating systems.
• You must complete a face-to-face validation for a certificate that lasts more than 6 months.
• No EV SSL Certificates are offered.

You can get your own free CAcert by following their register form.

Setting up SSL/TSL for Nginx and Apache web server

For security reasons, StartSSL encrypts your private key (the ssl.key file), but your web server needs the unencrypted version of it to handle your site’s encryption. To unencrypt it, copy it onto your server, and use the following command to decrypt it into the file private.key:

$ openssl rsa -in ssl.key -out private.key

OpenSSL will ask you for your password, so enter it in the password you typed in on StartSSL’s website. Alternatively you can also use the Tool Box decryption tool of your StartSSL™ account.

Prerequisites

Before we get started, here are the list of things you need prepared:

• ca.pem – StartSSL’s Root certificate
• private.key – The unencrypted version of your private key (be very careful no one else has access to this file!)
• sub.class1.server.ca.pem – The intermediate certificate for StartSSL
• ssl.key – The encrypted version of your private key (does not need to be copied to server)
• ssl.crt – Your new certificate
• make sure port 443 is open on your web server.

Activating SSL/TSL certificate for Nginx

We’re storing all requirement files ing /etc/nginx/certs/
Download the intermediate certificate from StartSSL:

# wget https://www.startssl.com/certs/class1/sha2/pem/sub.class1.server.sha2.ca.pem

Create a unified certificate from your certificate and the CA certificates:

# cat ssl.crt sub.class1.server.ca.pem ca.pem > /etc/nginx/certs/ssl-unified.crt

Configure your nginx server to use the new key and certificate (in the global settings or a server section):

server {
listen 80;
server_name narga.net;
return 301 https://$host$request_uri;
}
 
server {
listen 443 ssl;
server_name narga.net;
 
ssl_certificate /etc/nginx/certs/ssl-unified.crt;
ssl_certificate_key /etc/nginx/certs/private.key;
}

# An example nginx configuration from narga.net

Finally, restart your nginx service and don’t forget to check its configuration are valid.

$ nginx -t 
$ sudo systemctl restart nginx

Activating SSL/TSL for Apache server

First of all you have to load the mod_ssl module. Enable Apache’s SSL module, and restart Apache.

$ sudo a2enmod ssl
sudo systemctl restart httpd
sudo mkdir -p /etc/httpd/ssl

Copy the files you set up in the previous section into the /etc/httpd/ssl folder on your VPS.

To configure a default SSL/TLS aware virtual server, you should add at least the following lines to your httpd.conf or ssl.conf file:

LoadModule ssl_module modules/mod_ssl.so

Listen 443


   DocumentRoot /home/httpd/private
   ErrorLog /usr/local/apache/logs/error_log
   TransferLog /usr/local/apache/logs/access_log
   SSLEngine on
   SSLProtocol all -SSLv2
   SSLCipherSuite ALL:!ADH:!EXPORT:!SSLv2:RC4+RSA:+HIGH:+MEDIUM

   SSLCertificateFile /usr/local/apache/conf/ssl.crt
   SSLCertificateKeyFile /usr/local/apache/conf/ssl.key
   SSLCertificateChainFile /usr/local/apache/conf/sub.class1.server.ca.pem
   CustomLog /usr/local/apache/logs/ssl_request_log \
      "%t %h %{SSL_PROTOCOL}x %{SSL_CIPHER}x \"%r\" %b"

If everything looks good, try accessing your site in your web browser using an HTTPS URL, if you find green lock you’ve done.
Reference Links:

• How To Set Up Apache with a Free Signed SSL Certificate on a VPS
• Switch to HTTPS Now, For Free
• Install StartComSSL for Apache Web Server
• Install StartComSSL for Nginx Web Server