Installing Class 1 StartSSL Certificate on Debian

To install a Class 1 StartSSL Certificate on Debian, you will first need to obtain both your private key and certificate from StartSSL’s website and upload them to your server. I’d recommend that you keep both the Webserver SSL/TLS Certificate and StartSSL’s CA Certificates in a secure directory for the website it is to be used by (i.e. a directory not accessible by HTTP).

Step 1: Assuming you encrypted your private key when generating it on StartSSL’s website, you will need to decrypt the key on your server; otherwise a password will be required whenever the HTTP server restarts.
Doing this is simple: log in via SSH to your server, go to the directory containing your certificate and (assuming the file is named ssl.key) type the following:

openssl rsa -in ssl.key -out ssl.key

openssl should then request the password for the private key and decrypt it.

Step 2: Once the key is decrypted, we need to download StartSSL’s Certificate Authority Certificates. For the Class 1 certificate we only need ca.pem and sub.class1.server.ca.pem.
So, again in your SSH console, type the following 2 commands:

wget https://www.startssl.com/certs/ca.pem
wget https://www.startssl.com/certs/sub.class1.server.ca.pem

Once you have downloaded these files, you should set the permissions so they can be read only by the file owner (chmod 400 *).

Step 3: Assuming you have already enabled SSL for your HTTP server, you only need to add the SSL certificate and CA Certificates to your virtual host. In Apache we do this by creating something like the following:

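<VirtualHost *:443>
ServerName example.com
ServerAlias www.example.com
DocumentRoot /var/www/vhosts/example.com/public_html/
SSLEngine on
# Disables SSLv2 only; every other protocol version the server supports stays enabled
SSLProtocol all -SSLv2
# Excludes anonymous DH, export and SSLv2 suites; the list still permits RC4 and MEDIUM-strength suites
SSLCipherSuite ALL:!ADH:!EXPORT:!SSLv2:RC4+RSA:+HIGH:+MEDIUM
# Server certificate and its (decrypted) private key
SSLCertificateFile /path/to/ssl/certificate.crt
SSLCertificateKeyFile /path/to/ssl/certificate.key
# Intermediate CA certificate sent to clients, and the root CA certificate
SSLCertificateChainFile /path/to/ssl/ca/certificate/sub.class1.server.ca.pem
SSLCACertificateFile /path/to/ssl/ca/certificate/ca.pem
SetEnvIf User-Agent ".*MSIE.*" nokeepalive ssl-unclean-shutdown
</VirtualHost>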

If you have not already enabled SSL in Apache, you can do so by moving the file mods-available/ssl.load to the mods-enabled directory (typically these can be found in /etc/apache2/).

All that is left is to restart the HTTP server (for Apache this would be /etc/init.d/apache2 restart), and as long as there are no errors your certificate is ready for use!
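Before restarting, the files from steps 1 to 3 can be checked from the shell. The script below is an added example, not part of the original post: it confirms that the key is decrypted and owner-only, that the certificate belongs to the key, and that the certificate chains through the intermediate to the root. The function names, demo.cnf and the throwaway certificates made by make_demo_pki are constructed for illustration; it assumes the openssl command line tool and GNU stat.

```shell
#!/bin/sh
# Added example (not from the original post): checks for the files from steps 1-3.

# True only if KEY loads with an empty passphrase, i.e. step 1 removed the encryption.
key_is_decrypted() { openssl pkey -in "$1" -passin pass: -noout 2>/dev/null; }

# True only if KEY has no group/other permission bits (400 or 600). Uses GNU stat.
key_is_private() {
    case "$(stat -c %a "$1")" in ?00) return 0 ;; *) return 1 ;; esac
}

# True only if CERT carries the public key that belongs to KEY.
cert_matches_key() {  # args: CERT KEY
    c=$(openssl x509 -in "$1" -noout -pubkey 2>/dev/null) || return 1
    k=$(openssl pkey -in "$2" -passin pass: -pubout 2>/dev/null) || return 1
    [ -n "$c" ] && [ "$c" = "$k" ]
}

# True only if CERT chains through INTERMEDIATE to ROOT.
chain_verifies() {  # args: ROOT INTERMEDIATE CERT
    openssl verify -CAfile "$1" -untrusted "$2" "$3" >/dev/null 2>&1
}

# Constructed test material: throwaway root, intermediate and example.com leaf in DIR.
make_demo_pki() (
    cd "$1" || exit 1
    printf '[req]\ndistinguished_name=dn\n[dn]\n[ca]\nbasicConstraints=critical,CA:TRUE\n' > demo.cnf
    new="openssl req -config demo.cnf -newkey rsa:2048 -nodes"
    $new -x509 -extensions ca -keyout root.key -out root.pem -subj "/CN=Constructed Root" -days 2 &&
    $new -keyout sub.key -out sub.csr -subj "/CN=Constructed Intermediate" &&
    openssl x509 -req -in sub.csr -CA root.pem -CAkey root.key -CAcreateserial \
        -extfile demo.cnf -extensions ca -out sub.pem -days 2 &&
    $new -keyout ssl.key -out ssl.csr -subj "/CN=example.com" &&
    openssl x509 -req -in ssl.csr -CA sub.pem -CAkey sub.key -CAcreateserial -out ssl.crt -days 2
) >/dev/null 2>&1

# Usage on real files: sh check.sh KEY CERT INTERMEDIATE ROOT
if [ "$#" -eq 4 ]; then
    key_is_decrypted "$1" && key_is_private "$1" && cert_matches_key "$2" "$1" &&
        chain_verifies "$4" "$3" "$2" && echo "ok to restart" || echo "fix before restart"
fi
```

A failed chain check with the intermediate swapped out is the same condition that makes clients reject the site when SSLCertificateChainFile points at the wrong file.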

About tc

tc is a Hull-based Computer Programmer with over 15 years’ experience in Software Development. He has developed countless Multi-Tier Desktop Applications and web applications for business in both the UK and abroad. Currently tc spends most of his time developing web sites / applications in PHP and desktop software in C#.