This article goes through the complete process of obtaining, installing and running a free SSL webserver certificate with ISPConfig3 and Startssl.com.
Some years ago I discovered this useful service for generating Class 2 webserver certificates. It lets you offer your users a secure, encrypted connection over which they can send their data, reducing the risk of it being sniffed (I’ll write something about sniffing).
Good news! We can obtain our SSL certificate for free.
Just follow this tutorial and you will end up with a new FREE SSL certificate for your domain(s).
Let’s log in to the ISPConfig admin web interface.
Before you start:
Remember also to enable NameVirtualHost in the apache2 configuration; otherwise only the first virtual host will have a valid certificate (which one depends on how the config files are sorted during the Apache startup process, usually the first conf file read, and you will then see overlapping messages in the apache2 error log). This is very easy with ISPConfig: just refer to the image below to set up your ISPConfig. Once done, go through your websites and enable SSL for every website (I’m sorry, I just wrote Italian on the pic… a little confusion):
Choose the website you are about to install the certificate for from the “Sites” panel. In the first tab of the Web Domain management check the SSL checkbox and save. As follows:
Then, go to the SSL tab of the Web Domain management, select “CREATE CERTIFICATE” from the “SSL ACTION” dropdown menu at the bottom of the page, then save. Just like the following picture:
The result will look like the following image:
Now we have to go through several steps on the Startssl website, but don’t worry: it is all well documented and anyone can successfully install an SSL certificate.
If you are here, you probably already have or will soon have a startssl.com account, so let’s log in to Startssl.com, go to your “Control panel” and select “Validation Wizard” from the three tabs on the middle-left of the page, as shown in the following picture:
Now you have to validate your domain: this lets Startssl be sure that you are the owner of the domain or, at least, authorized to act as the owner. Basically, Startssl will do a whois query, extract all email addresses related to the chosen domain and present them to you, so you can choose the one on which you want to receive a confirmation code to validate the domain.
You should see yours here. If it is not listed, you need to arrange for it to be; until you have done so, you cannot go any further in this guide.
Here select “Domain Name Validation” from the drop down and hit “Continue”.
The following image shows this step:
Now you have to insert the TLD domain you want to secure in this form, as follows. Don’t use subdomains even if you want to secure just one of them: the TLD is mandatory, and the certificate file will work for both (domain and subdomain). Carefully choose the domain extension and hit “Continue”.
Then you will receive an email message from
StartCom CertMaster <firstname.lastname@example.org>
containing your verification code. Copy it and go back to the Startssl website, where you should have a page requesting that code. Paste in the verification code and hit “Continue”, just like the following image:
Remember: you have 15 minutes until the verification code expires. If it does, go back and redo it quickly!
Once you paste the correct code, you have finished and you should see a confirmation message like the following image:
At this point we will start generating our certificate file by selecting “CERTIFICATES WIZARD” from the three green tabs. Once there, you will be asked for the “Certificate Purpose” and you have to choose “Webserver SSL/TLS Certificate” from the drop-down menu, as shown in the following picture:
After this, you will be asked to generate a new private key or use an existing CSR: you want to use your existing one, that is, the one generated with ISPConfig. So, as shown in the following picture, just hit “SKIP”.
In the next form we need to paste the CSR generated by ISPConfig in one of the first steps (the one called “SSL Request” on the ISPConfig Web Domain SSL panel).
Just copy and paste it, taking care NOT to copy any other characters or blank spaces outside the two delimiters:
-----BEGIN CERTIFICATE REQUEST-----
-----END CERTIFICATE REQUEST-----
just like the following image:
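The copy-and-paste rule above can be checked mechanically before the CSR is submitted. The following script is an added example, not part of the original article: it keeps only the text between the two delimiters and rejects a paste that is incomplete or has stray text inside the block. The function names and the sample paste are made up for illustration.

```shell
#!/bin/sh
# Added example, not from the original article.
# extract_csr: read a paste on stdin and print only the PEM block, from the
# BEGIN line to the END line. Fails unless exactly one clean block is found.
extract_csr() {
    awk '
        { sub(/\r$/, ""); gsub(/^[ \t]+|[ \t]+$/, "") }  # strip CR and edge blanks
        $0 == "-----BEGIN CERTIFICATE REQUEST-----" {
            begins++; inside = 1; out = out $0 "\n"; next
        }
        $0 == "-----END CERTIFICATE REQUEST-----" {
            if (inside) { ends++; inside = 0; out = out $0 "\n" } else { bad = 1 }
            next
        }
        inside && $0 != "" {
            if ($0 !~ /^[A-Za-z0-9+\/=]+$/) bad = 1      # stray non-base64 text
            out = out $0 "\n"
        }
        END {
            if (begins != 1 || ends != 1 || inside || bad) exit 1
            printf "%s", out
        }
    '
}

# Constructed paste with surrounding labels, CRLF line ends and stray blanks
# (the base64 body is a placeholder, not a real CSR).
demo_paste() {
    printf '%s\r\n' 'SSL Request:' '  -----BEGIN CERTIFICATE REQUEST-----' \
        'QUJD' 'REVG' '-----END CERTIFICATE REQUEST-----  ' 'SSL Certificate:'
}

demo_paste | extract_csr
# With a real CSR, pipe the result on to: openssl req -noout -verify -text
```

With a real request, the `openssl req -noout -verify -text` step also shows the subject and confirms the request's self-signature before anything is sent to the CA.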
After submitting your CSR you will see the page shown in the following image:
Then hit “CONTINUE”; in the next step you are asked to choose the “ROOT” domain name to generate the certificate for,
as shown here:
Now it’s time to type which subdomain will be covered by this certificate as well: here you could type just “www” to have the certificate working for example both on
As you can see from the following image, I typed test.blog as the subdomain because I already have a certificate for blog.giuseppeurso.net, so I can show you the complete steps.
Now Startssl is ready to process your certificate request and will confirm the domain this certificate is going to work on:
Just hit Enter here.
Should you see an “Additional Check Required” page, don’t worry, it is normal. It happens only when you generate two certificates for the very same root domain within a few hours (this is my second in a couple of hours). All you have to do in this case is sit back, relax and wait for the email which will surely confirm that your certificate has been issued.
In this case, you should receive the email very soon (mine arrived in minutes). It will tell you to retrieve your certificate from the control panel, so go to the Startssl control panel, click on the first green tab called “Toolbox” and choose “RETRIEVE CERTIFICATE” as shown. Download both the Certification Authority (CA) and the Class 1 Intermediate Server, and paste both, one after the other, into the “SSL Bundle” textarea on the ISPConfig SSL admin panel.
INSTEAD IF ALL GOES FINE
You will be presented with a page from which to copy the certificate, to be pasted into “SSL Certificate” on the ISPConfig SSL config page, and to download the CA.pem, to be pasted into the “SSL Bundle” textarea in the ISPConfig SSL panel. I don’t have this image because, as you know, I got the Additional Check…
You can follow the remaining steps to complete the tutorial.
Then you can finally paste your certificate into the ISPConfig SSL admin page for your site as follows. Remember: the content already present in the “SSL Certificate” textbox is not needed and HAS TO BE OVERWRITTEN by the new one.
Now save and finally let’s take the next and final step!
This will consist of adding the Certification Authority to our setup
You should have already saved it when you downloaded it from Startssl, so let’s open it and copy the full content to your clipboard. If you didn’t get it yet, you can find it in the Startssl Toolbox, under the menu “StartCom CA Certificates”, where you should download the ca.pem by clicking on “StartCom Root CA”. Once downloaded, open it, select all and copy the full content, paying attention to the delimiters (see earlier in the post), and finally paste it into the “SSL Bundle” textbox on the ISPConfig SSL tab, as follows:
Now all you have to do is wait a few minutes to let ISPConfig do its work. Then you can open your browser and type “https://test.blog.giuseppeurso.net” in the address bar, obviously replacing my domain with yours, to see if everything works. If all went fine you should see:
When done, you can check the status of your certificate here.
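Because the certificate was issued from the CSR that ISPConfig generated, the certificate pasted into “SSL Certificate” must carry the same public key as that CSR and the site’s private key. The following script is an added example, not part of the original article; it assumes the openssl command-line tool is installed and that the certificate, key and CSR have been saved to files (all file names shown are placeholders).

```shell
#!/bin/sh
# Added example, not from the original article. Needs the openssl CLI.
# pubkey_pem KIND FILE: print the public key held in a csr, cert or key file.
pubkey_pem() {
    case "$1" in
        csr)  openssl req  -in "$2" -noout -pubkey ;;
        cert) openssl x509 -in "$2" -noout -pubkey ;;
        key)  openssl pkey -in "$2" -pubout ;;
        *)    return 2 ;;
    esac
}

# pubkey_fp KIND FILE: SHA-256 fingerprint of that public key.
pubkey_fp() {
    pem=$(pubkey_pem "$1" "$2" 2>/dev/null) || return 1
    [ -n "$pem" ] || return 1
    printf '%s\n' "$pem" | openssl dgst -sha256 | awk '{ print $NF }'
}

# same_key KIND_A FILE_A KIND_B FILE_B: succeed only if both files carry the
# same public key; status 2 means one of the files could not be read.
same_key() {
    fp_a=$(pubkey_fp "$1" "$2") || return 2
    fp_b=$(pubkey_fp "$3" "$4") || return 2
    [ "$fp_a" = "$fp_b" ]
}

# selftest: throwaway keys and a self-signed certificate (constructed data).
selftest() {
    d=$(mktemp -d) || return 1
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=test.example" \
        -keyout "$d/site.key" -out "$d/site.crt" >/dev/null 2>&1 &&
    openssl req -new -key "$d/site.key" -subj "/CN=test.example" \
        -out "$d/site.csr" >/dev/null 2>&1 &&
    openssl genrsa -out "$d/other.key" 2048 >/dev/null 2>&1 &&
    same_key csr "$d/site.csr" key "$d/site.key" &&
    same_key cert "$d/site.crt" key "$d/site.key" &&
    ! same_key cert "$d/site.crt" key "$d/other.key"
    rc=$?
    rm -rf "$d"
    return $rc
}
```

For a real site, `same_key cert site.crt key site.key` returning status 1 means the pasted certificate was issued for a different key than the one on the server.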
Hope this will help