Free SSL Certificate to Ispconfig websites with Startssl – How to

This article goes through the complete process of obtaining, installing and running a free SSL webserver certificate with ISPConfig3 and Startssl dot com.
Some years ago I discovered this service for generating Class 2 webserver certificates. It lets you offer your users a secure, encrypted connection over which they can send their data, reducing the risk of it being sniffed (I’ll write something about sniffing).

Good news! We can obtain our SSL certificate for free.
Just follow this tutorial and you will end up with a new FREE SSL certificate for your domain(s).

Let’s log in to the ISPConfig admin web interface:

http://www.yourispconfigsite.org:8080

Before you start:
Remember also to enable NameVirtualHost in the apache2 configuration, otherwise only the first virtualhost will have a valid certificate. Which one that is depends on how the config files are sorted during the apache startup process (usually it is the first conf file read), and you will see overlapping messages in the apache2 error log. This is very easy with ISPConfig: refer to the image below to set up your ISPConfig and, once done, go through your websites and enable SSL for every website (I’m sorry, I wrote Italian on the pic… little confusion):

ISPConfig3 name virtualhost ip address configuration

Choose the website you are about to install the certificate for from the “Sites” panel. In the first tab of the Web Domain management, check the SSL checkbox and save, as follows:

ISPConfig Web Domain Admin - Enabling Web Domain SSL
This picture shows the ISPConfig admin panel, where you can enable the SSL features for a single client domain or subdomain.

Then, go to the SSL tab of the Web Domain management, select “CREATE CERTIFICATE” from the “SSL ACTION” dropdown menu at the bottom of the page, then save. Just like the following picture:

ISPConfig admin panel form for CSR certificate request Creation
This picture describes the process to be followed in order to obtain a CSR certificate request for a client Web Site directly within the ISPConfig3 admin panel.

This will end like the following image:

Picture showing what you get after the CSR creation
This image shows what you will get right after the CSR creation

Now we have to go through several steps on the startssl website, but don’t worry: it is all well documented and anyone can successfully install an SSL certificate.
If you are here, you probably already have, or will soon have, a startssl.com account, so let’s log in to Startssl.com, go to your “Control panel”, and then select “Validation Wizard” from the three tabs on the middle-left of the page, as shown in the following picture:

Image showing the startssl validation wizard menu page
How to go to the startssl validation wizard

Now you have to validate your domain: this is for startssl to be sure you are the owner of the domain or, at least, authorized to act as the owner. Basically, startssl will do a whois query, extract all email addresses related to the chosen domain and present them to you so you can choose the one on which you want to receive a confirmation code to validate the domain.
You should see your address listed here. If it is not, you need to arrange for it to be listed; until you have done so, you cannot go further in this guide.
Here select “Domain Name Validation” from the drop down and hit “Continue”.
The following image shows this step:

Picture showing the Domain validating process
This picture shows the initial validation process for a domain name.

Now you have to insert the root domain you want to secure in this form, as follows. Don’t use subdomains even if you want to secure just one of them: the root domain is mandatory and the certificate file will work for both (domain and subdomain). Carefully choose the domain extension and hit “Continue”.

This picture shows the Domain Name Validation form on startssl dot com
You can see here how to fill the domain name field on the domain validation form on startssl

This image shows the selection of the verification email address

Then you will receive an email message from

StartCom CertMaster <certmaster@startcom.org>

containing your verification code. Copy it and go back to the startssl website, where you should have a page requesting that code. Paste in the verification code and hit “Continue”, just like the following image:

This picture shows the Domain Name Verification final step on Startssl dot com
Here is shown how to complete the Domain Name Verification process by verifying the code.

Remember: you have 15 minutes until the verification code expires. If it does, go back and redo it quickly! Once you paste the correct code, you have finished and you should see a confirmation message like the following image:

This image shows the completed domain name verification process on Startssl dot com
Picture showing the final step to the Domain Name Verification on Startssl dot com

At this point we will start generating our certificate file by selecting “CERTIFICATES WIZARD” from the three green tabs. Once there, you will be asked for the “Certificate Purpose” and you have to choose “Webserver SSL/TLS Certificate” from the drop-down menu, as shown in the following picture:

This picture shows the first step getting the SSL free certificate from startssl

After this, you will be asked to generate a new private key or use an existing CSR: you want to use your existing one, the one generated with ISPConfig. So, as shown in the following picture, just hit “SKIP”.

Picture showing the step to be skipped in our setup process

In the next form we need to paste the CSR generated by ISPConfig in one of the first steps (the one called “SSL Request” on the ISPConfig Web Domain SSL panel).
Just copy and paste it, taking care NOT to copy any other characters or blank spaces outside the two delimiters:

-----BEGIN CERTIFICATE REQUEST-----

and

-----END CERTIFICATE REQUEST-----

just like the following image:

This picture shows the step needed to correctly submit your CSR
Here is shown how to submit your CSR to the certificates wizard of startssl dot com

After submitting your CSR you will see the page shown in the following image:

This picture shows the confirmation for the correct CSR submission
This page confirms you have correctly pasted and uploaded your CSR to startssl dot com

Then hit “CONTINUE”. In the next step you are asked to choose the “ROOT” domain name to generate the certificate for, as shown here:

Here is shown the root domain selection during the certificate generation on startssl

Now it’s time to type which subdomain will be covered by this certificate as well. Here you could type just “www” to have the certificate working, for example, both on

https://giuseppeurso.net

AND

https://www.giuseppeurso.net

OR

https://blog.giuseppeurso.net

As you can see from the following image, I typed test.blog as the subdomain because I already have a certificate for blog.giuseppeurso.net, so I can show you the complete steps.

Picture showing the page which you use to add subdomains to the certificate request
You can see how to add subdomains for the FREE class2 startssl certificate

Now Startssl is ready to process your certificate request and it will confirm the domain this certificate is going to work on:

this picture shows the confirmation of the certificate process
Startssl ready to issue your certificate

Just hit enter here.

POTENTIAL PROBLEM:
Should you see an “Additional Check Required” page, don’t worry, it is normal. It happens just when you generate 2 certificates for the very same root domain within a few hours (this is the second for me in a couple of hours). All you have to do in this case is sit back, relax and wait for the email which will confirm that your certificate has been issued.

Startssl additional check required

In this case, you should receive the email very soon (mine arrived in minutes). It will tell you to retrieve your certificate from the control panel, so go to the startssl control panel, click on the first green tab called “Toolbox” and choose “RETRIEVE CERTIFICATE” as shown. Download both the Certification Authority (CA) and the Class 1 Intermediate Server certificates, and paste both, one after the other, into the “SSL Bundle” textarea on the ISPConfig ssl admin panel.

Image showing the certificate file content
Here is where to select and copy your certificate to your clipboard

INSTEAD, IF ALL GOES FINE
You will be presented with a page from which to copy the certificate to be pasted into the “SSL Certificate” field on the ISPConfig ssl config page, and to download the CA.pem to be pasted into the “SSL Bundle” textarea in the ISPConfig ssl panel. I don’t have this image because, as you know, I got the Additional Check…
You can follow the remaining steps to complete the tutorial.

Then you can finally paste your certificate into the ISPConfig ssl admin page for your site as follows. Remember: the content already in the “SSL Certificate” textbox is not needed and HAS TO BE OVERWRITTEN by the new one.

Image showing the necessary step to save your new certificate
Here is shown how to update the certificate within ispconfig

Now save, and let’s take the next and final step!
This consists of adding the Certification Authority to our setup.
You should have already saved it when you downloaded it from startssl, so open it and copy the full content to your clipboard. If you didn’t get it already, you can find it in the Startssl Toolbox, under the menu “StartCom CA Certificates”, where you should download the ca.pem by clicking on “StartCom Root CA”. Once downloaded, open it, select all and copy the full content, paying attention to the delimiters (see above in the post), and finally paste it into the “SSL Bundle” textbox in the ISPConfig ssl tab, as follows:

This image shows the final step of adding CA.pem to the ISPConfig3 WebDomain SSL configuration.
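
A pre-paste check for the CSR copied out of ISPConfig and for the certificates pasted into the “SSL Certificate” and “SSL Bundle” boxes, as an added example that is not part of the original tutorial: it reports anything copied from outside the delimiters, a wrong block type, and a truncated or corrupted body. check_paste, is_one_der_sequence and SAMPLE_CSR are names made up for this example, and the sample is a constructed 5-byte DER value, not a real request.

```python
import base64
import re

PEM_RE = re.compile(
    r"-----BEGIN ([A-Z0-9 ]+)-----\r?\n(.*?)\r?\n-----END ([A-Z0-9 ]+)-----", re.DOTALL)
# Constructed sample: a 5-byte DER SEQUENCE, not a real CSR or certificate.
SAMPLE_CSR = ("-----BEGIN CERTIFICATE REQUEST-----\nMAMCAQA=\n"
              "-----END CERTIFICATE REQUEST-----\n")


def is_one_der_sequence(der):
    """True if der is exactly one ASN.1 SEQUENCE with no missing or extra bytes."""
    if len(der) < 2 or der[0] != 0x30:
        return False
    if der[1] < 0x80:                      # short form: this byte is the length
        header, length = 2, der[1]
    else:                                  # long form: next n bytes hold the length
        n = der[1] & 0x7F
        if n == 0 or len(der) < 2 + n:
            return False
        header, length = 2 + n, int.from_bytes(der[2:2 + n], "big")
    return len(der) == header + length


def check_paste(text, label, expected_blocks=1):
    """List the problems in text about to be pasted into an SSL field."""
    problems = []
    blocks = list(PEM_RE.finditer(text))
    if len(blocks) != expected_blocks:
        problems.append(f"expected {expected_blocks} block(s), found {len(blocks)}")
    # Whatever remains besides line breaks was copied from outside the delimiters.
    if PEM_RE.sub("", text).strip("\r\n"):
        problems.append("text outside the BEGIN/END delimiters")
    for i, m in enumerate(blocks, 1):
        begin, body, end = m.groups()
        if begin != label or end != label:
            problems.append(f"block {i}: label {begin!r}/{end!r}, expected {label!r}")
        try:
            der = base64.b64decode("".join(body.split()), validate=True)
        except ValueError:                 # binascii.Error is a ValueError
            problems.append(f"block {i}: body is not valid base64")
            continue
        if not is_one_der_sequence(der):
            problems.append(f"block {i}: truncated or not a DER SEQUENCE")
    return problems


if __name__ == "__main__":
    print(check_paste("Subject: example\n" + SAMPLE_CSR, "CERTIFICATE REQUEST"))
```

For the “SSL Bundle” box holding the CA and intermediate certificates one after the other, call it with the label "CERTIFICATE" and expected_blocks=2.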

Now all you have to do is wait a few minutes to let ISPConfig do its work. Then you can open your browser and type “https://test.blog.giuseppeurso.net” in the address bar, obviously replacing my domain with yours, to see if everything works. If all went fine you should see:

Image showing SSL certificate working
SSL certificate working

When done, you can check the status of your certificate here.
Hope this will help
Ciao!! 


Author: Giuseppe Urso

Giuseppe lives in Haarlem now with his shiny dog, Filippa. In 1982 he received his first home computer, a Commodore 64, followed by a Datasette and a 1541 Floppy Disk Drive. In 1999 he installed his first Linux distro (LRH6). In 2006 he switched to Debian as his favourite OS. Giuseppe Urso actively supports the Free Software Foundation and its founder Richard Matthew Stallman; he speaks to people, trying to convince them to join the fight now, and about how important it is to use Free Software only. He has a job as Infra Specialist at Hippo Enterprise Java Cms, an Open Source Enterprise-class Content Management System and one of the coolest companies ever, in Amsterdam. He's always ready to install Debian on other people's computers for free.

20 thoughts on “Free SSL Certificate to Ispconfig websites with Startssl – How to”

  1. When I originally commented I clicked the “Notify me when new comments are added” checkbox and now each time a comment is added I get three emails with the same comment.
    Is there any way you can remove me from that service? Thanks!

  2. Thanks for some other fantastic post. Where else could anybody get that
    kind of information in such an ideal means of writing?

    I’ve a presentation subsequent week, and I’m on the search for such information.

  3. Excellent tutorial! I made the mistake of not reading it before trying to set things up properly…

    I think that I followed it correctly now, but then I always get a timeout when trying to connect to the site(s) with https. Then again, it might either be WordPress or CloudFlare acting up, since I have no problems in accessing ISPConfig 3 itself, or other non-WordPress applications which also use HTTPS…

    1. Not 100% sure, but if you get a timeout, check whether apache is listening on port 443.
      Try for instance to telnet to that very hostname, like ‘telnet hostname.com 443’; if you get a timeout this way, it is likely that apache is not listening on port 443.
      Then check apache2 port.conf (on debian it is /etc/apache2/ports.conf); that could be one reason, because I think the ispconfig vhost configuration ensures that port is open in its very config file.
      And let me know!!

      Giuseppe

      1. Ah thanks. However, I’m not using Apache, I’m using nginx. So it’s something a bit more trickier somewhere! All I can say is that I have a lot of non-WP sites having no problem with SSL, so I truly think that the problem is “somewhere” between WP and CloudFlare…

        1. Cloudflare? I assume it is your provider… Not sure that should be transparent. You can try some browser addon to see the server answer with a specific vhost name. The headers I mean, that would probably help debugging.
          I never use nginx if not as rev proxy. Let me know

          giuseppe

          1. My apologies for only answering today!

            Sorry, I assumed automatically that everybody in the world was using CloudFlare by now — silly of me. CloudFlare is a very simple to configure free CDN: point your DNS servers to CloudFlare, and it will cache your domain automagically, and serve it from two dozens of datacentres around the world. And it will protect it against hacker attacks and spammers as well…

            The problem I had was that only their premium service supports SSL. It’s still very cheap (compared to the more classical CDN alternatives). If you point your root domain (e.g. my-domain.com) to CloudFlare, then it will obviously redirect all traffic for ports 80 and 443 to their own IP addresses. It will cache and proxy for your own domain on port 80, but, on the free service, it will block port 443.

            The only way to make it work is to add a subdomain just for port 443 (say, secure.my-domain.com) and disable CloudFlare on it. It took me some time to find this simple answer: http://www.siteground.com/tutorials/cloud_flare_cdn/cloudflare_ssl/

  4. Thanks, but you lost me. I don’t know how but it works, so thanks for this. But I’m not sure if I did everything ok. After “POTENTIAL PROBLEM:” you lost me. I don’t understand which is copied where? Can you explain it again please, and this time in more detail?

  5. Wonderful article.

    Just a point. StarCom certificates doesn’t seem to be at “Retrieve Certificates” anymore. Instead, you can find in a different section called “Starcom SSA certificates”

    @Mihai, you shouldn’t worry about this problem. It only applies if you generate two or more certificates in a short period. Just copy the 2 starcom certificates into SSL Bundle.

  6. Hi. Thanks for the post, I have followed the tutorial, but just after clicking “Save” after creating the ssl certificate as instructed in step 3, then my website became unavailable both the ISPConfig admin and the website I was creating the certificate for. What is it that I may have done wrong?

    I have enabled NameVirtualHost in apache2

    Thanks

    1. Hi, information provided are not sufficient in order to suggest you a valid fix. Could you paste access and error log entries after you visit the site?

      Giuseppe

  7. Hi and thank you for the great tutorial!

    I’ve followed all the steps, everything went well. Unfortunately, I can’t connect to my website over https, even after an Apache restart. It looks like nothing has changed.

    The .vhost file for my site seems properly configured:

    DocumentRoot /var/www/gchords.net/web

    ServerName gchords.net
    ServerAlias *.gchords.net
    ServerAdmin webmaster@gchords.net
    […]


    My ports.conf is:
    NameVirtualHost *:80
    Listen 80

    # If you add NameVirtualHost *:443 here, you will also have to change
    # the VirtualHost statement in /etc/apache2/sites-available/default-ssl
    # to
    # Server Name Indication for SSL named virtual hosts is currently not
    # supported by MSIE on Windows XP.
    Listen 443

    Listen 443

    Any idea?

    Best,

    Kevin
