Free SSL certificate for 3 years and up to 100 domains

 More and more people reconfigured their sites to ssl connection. So I decided to use ssl certificate and secure connection on my blogs too.

The Chinese CA WoSign offers free SSL certificates which are valid for 2 years and may contain up to 100 domains each (multi-domain/SAN/UCC) which is very useful to host various domains on one single IP address (Better option than SNI if you still have Windows XP clients). Before you stop reading because you don't trust a Chinese company for your website encryption please keep in mind that you don't have to trust them at all! You generate the SSL key on your server and only send them the CSR (certificate signing request) which doesn't contain any private information.

 

Let’s get the certificate

 

1. Visit https://buy.wosign.com/free/ and register account. Use google translate.

1-ssl2-ssl

2. Enter the domain(s) that should be included in the SSL certificate in the first textbox, one per line. If you just enter "noteits.net", you will get the subdomain "www.noteits.net" automatically.

ssl request

3. Leaving the defaults is generally recommended: 3 year period, English language and SHA2 algorithm

4. Verify the domain(s) via either email to a special email account or via a special file you have to upload to http://noteits.net/noteits.net.html

5. Login to your webserver via SSH and generate a new SSL key and a Certificate Signing Request (CSR), for example with this command:

openssl req -out noteits.net.csr -new -sha256 -newkey rsa:2048 -nodes -keyout noteits.net.key

6. Select "Option 2: Generate by myself" to paste the CSR you just generated. You should never use the first Option since that implies that you are not the sole owner of your SSL key

7. Enter your email address and select a new password if you don't have a WoSign account yet.

8. Enter the captcha code, confirm the terms and conditions and Submit the request

9. The next page will confirm the request and show an estimated time of delivery. Keep in mind that the certificates are manually reviewed during Beijing-time business hours so it might take a few hours until you get the certificate

10. Next you will recieve an email with a link to a ZIP file containing your certificate.

letter ssl

11. Download it.

download cert

 

12. Now we need to set up a Web server (in my case Nginx) to work with the certificate.

  • Obtain all the intermediate certificates into ssl directory:
cd /path/to/ssl

wget -O – https://www.startssl.com/certs/ca.pem | tee -a ca-certs.pem > /dev/null
wget -O – https://www.startssl.com/certs/sub.class1.server.ca.pem | tee -a ca-certs.pem > /dev/null
wget -O – http://aia.startssl.com/certs/ca.crt | openssl x509 -inform DER -outform PEM | tee -a ca-certs.pem > /dev/null
wget -O – http://aia1.wosign.com/ca1g2-server1-free.cer | openssl x509 -inform DER -outform PEM | tee -a ca-certs.pem > /dev/null
wget -O – http://aia6.wosign.com/ca6.server1.free.cer | openssl x509 -inform DER -outform PEM | tee -a ca-certs.pem > /dev/null

 

‚Äčmake sure to configure OCSP stapling on your webserver since WoSign only operates OCSP responders in China which results in a bad latency for western visitors where the browser queries the OCSP responder before opening the connection. It might as well result in a privacy issue since WoSign a.k.a "the Chinese" know who visits which website. With OCSP stapling you effectively mitigate both problems.

 

  • Add conf below to /etc/nginx/nginx.conf
#########################################################
#
#
 ssl_session_cache shared:SSL:10m;
 ssl_session_timeout 5m;
 ssl_prefer_server_ciphers on;

 ssl_stapling on;
 ssl_stapling_verify on;
 ssl_trusted_certificate "/etc/nginx/ssl/ca-certs.pem";

 resolver 8.8.8.8 8.8.4.4 valid=300s;
 resolver_timeout 5s;
#
#
#########################################################
  • Add to your domain configuration

#########################################################

#

        ssl on;
        ssl_certificate /etc/nginx/ssl/noteits.net_bundle.crt.crt;
        ssl_certificate_key /etc/nginx/ssl/noteits.net.key;
        ssl_protocols TLSv1 TLSv1.1 TLSv1.2; ssl_ciphers 'HIGH:!aNULL:!MD5:!kEDH';
        add_header Strict-Transport-Security "max-age=31536000; includeSubdomains;";

#

#########################################################

  • Reload Nginx

service nginx reload

 

13. Make sure to test your implementation on the awesome Qualys SSL Labs server test

 

My result

A

 

or in cli

openssl s_client -connect noteits.net:443 -tls1  -tlsextdebug  -status

 

I would be happy to answer any questions you have!

Stay tuned!