Sunday, December 16, 2012

Free SSL for Your Web Application

This post documents my experience adding SSL support to my Web applications. Most of the steps here are applicable even if you choose a different SSL certificate provider and/or if you host your Web application on Heroku or Google App Engine.

Sign up with StartSSL

StartSSL offers free personal SSL certificates. These are not 30-day trials. The certificates will show your name, not a company name, but do give you all the technical benefits of SSL, such as encryption, the ability to run a SPDY server, and the ability to host background pages in Chrome.

The Web UI leaves a lot to be desired, but their pricing can't be beat. You need to perform the following steps.

  • Create an account
  • Verify your e-mail address
  • Get a client certificate
  • Export your client certificate somewhere safe
  • Verify your domain
  • Generate a CSR (details below)
  • Obtain a SSL certificate for your server
  • Build a SSL certificate chain (details below)

Generate a CSR

Most online tutorials have you generate a password-protected RSA key, which cannot be used automatically. Most deployment tools, as well as Heroku and Google Apps, require un-encrypted RSA keys behind your certificates. Use the command below to generate a CSR with an un-encrypted key.

openssl req -new -newkey rsa:2048 -sha256 -nodes -keyout server_name.pem -out server_name.csr -batch

Replace server_name in the command with your server's name. If you want to generate CSRs for other providers, leave out the -batch at the end of the command and carefully answer the openssl prompts.

At the time of this writing, the StartSSL Web UI expects the CSR in a textarea input field, so open server_name.csr and copy-paste its content into the provided textarea.

After the CSR is provided to StartSSL, the .csr file can be deleted. However, hang on to the .pem file storing your server's private key!

Build a certificate chain

StartSSL's Web UI currently provides the server certificate in a textarea on a page that also points to the relevant CA certificates. However, most server software expects all the certificates to be bundled in a single file. Follow these steps to put together the certificate bundle.

First, open cert.cer in a text editor and copy-paste the StartSSL certificate text from the textarea.

gedit server_name.cer

Download StartSSL's root CA and intermediate CA certificates.

curl > ca.pem
curl > ca2.pem

Last, put together the certificate bundle.

cat server_name.cer ca2.pem ca.pem > server_name.crt
rm server_name.cer ca.pem ca2.pem

For consistency, replace server_name in the command above with the same name that you used for the .pem file.

Set up your server for SSL

If you use nginx as your front-end server, you're in luck. Merge the bits below into your configuration file, and your application should support SSL without any further changes.

http {
  listen 443;
  ssl on;
  ssl_certificate /path/to/server_name.crt;
  ssl_certificate_key /path/to/server_name.pem;

  location / {
    proxy_set_header X-Forwarded-Proto $scheme;
    proxy_set_header Host $host;