Free SSL certs

Started by Dieselboy, April 13, 2016, 11:11:25 PM


Dieselboy

I've been using a different SSL provider to obtain free SSL certs for a few things. This came in very handy when I needed to quickly provision a temporary ADFS 2.0 server for SAML SSO, because SSL certs can be costly and any cost needs management approval. For something that's temporary or won't be in service long, paying $99 can sometimes be troublesome when it comes to obtaining approval.

My sys admin guy has come across this new, free SSL authority called LetsEncrypt: https://letsencrypt.org/how-it-works/

I was hoping I could get a wildcard or SAN cert from LetsEncrypt, but need to look into that still (don't think it is possible). Just thought I'd post here in case anyone hasn't seen this yet :)

wintermute000

I use these guys for the free cert on my VPS. Does the job (HTTPS and SMTP / IMAP TLS)

https://www.startssl.com/

Downside: needs to be renewed every year, not every two. Also, if you lose the client cert they give you for the control panel, you're SOL. And weak (SHA-1).


Upside: free, for my hobby VPS / mail domain it does the job

Dieselboy

I'm using startSSL. Yes, the only pain is renewing. And if you make a mistake then you are a bit stuck, or an option is to pay to have the cert revoked so you can go through the process again, but it can be costly that way. Fortunately, they have redone their website so it's now easier to go through the process and is a bit more explanatory / clear, so there's less chance of a mistake. In fact the cert process is only 2 steps on there (once you're set up). The first step is to enter the FQDN and the second step is to paste in the CSR.

What does SOL mean?

Could you elaborate on startSSL being weak due to SHA-1? The only place I see that is the thumbprint algorithm, and that is the same as GoDaddy.
Otherwise the signature hash is SHA-256 and the public key is 2048-bit, again the same as what we have recently sourced from GoDaddy. What did I miss?
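The two-step flow described above (enter the FQDN, then paste a CSR) is where a wrong CN slips in, because the portal issues for whatever the CSR says. The following is an added example, not code from the thread or from StartSSL: it generates a 2048-bit RSA key and a CSR in which the FQDN appears both as the CN and as a SAN, then re-parses the CSR the way a CA would and refuses to hand it over if the names or the key are not what was intended. The host names `cucm.example.com` and `imp.example.com` are hypothetical placeholders.

```go
package main

import (
	"crypto/rand"
	"crypto/rsa"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/pem"
	"fmt"
	"os"
)

// MakeCSR generates a fresh 2048-bit RSA key and a PKCS#10 request in which the FQDN appears
// both as the CN and as a dNSName SAN, so the name the CA issues for cannot drift from the one
// the server will present. Returns the PEM-encoded private key and CSR.
func MakeCSR(fqdn string, extraSANs ...string) (keyPEM, csrPEM []byte, err error) {
	key, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil {
		return nil, nil, err
	}
	tmpl := &x509.CertificateRequest{
		Subject:            pkix.Name{CommonName: fqdn},
		DNSNames:           append([]string{fqdn}, extraSANs...),
		SignatureAlgorithm: x509.SHA256WithRSA,
	}
	der, err := x509.CreateCertificateRequest(rand.Reader, tmpl, key)
	if err != nil {
		return nil, nil, err
	}
	keyPEM = pem.EncodeToMemory(&pem.Block{Type: "RSA PRIVATE KEY", Bytes: x509.MarshalPKCS1PrivateKey(key)})
	csrPEM = pem.EncodeToMemory(&pem.Block{Type: "CERTIFICATE REQUEST", Bytes: der})
	return keyPEM, csrPEM, nil
}

// CheckCSR re-parses a PEM CSR the way the CA will and confirms it asks for the FQDN you meant:
// CN and SAN both carry it, the signature proves possession of the key, and the key is RSA >= 2048.
func CheckCSR(csrPEM []byte, fqdn string) error {
	block, _ := pem.Decode(csrPEM)
	if block == nil || block.Type != "CERTIFICATE REQUEST" {
		return fmt.Errorf("input is not a PEM CERTIFICATE REQUEST")
	}
	csr, err := x509.ParseCertificateRequest(block.Bytes)
	if err != nil {
		return err
	}
	if err := csr.CheckSignature(); err != nil {
		return fmt.Errorf("CSR signature does not verify with its own key: %w", err)
	}
	if csr.Subject.CommonName != fqdn {
		return fmt.Errorf("CN is %q, wanted %q", csr.Subject.CommonName, fqdn)
	}
	inSAN := false
	for _, n := range csr.DNSNames {
		inSAN = inSAN || n == fqdn
	}
	if !inSAN {
		return fmt.Errorf("%q is not among the SANs %v", fqdn, csr.DNSNames)
	}
	if k, ok := csr.PublicKey.(*rsa.PublicKey); !ok || k.N.BitLen() < 2048 {
		return fmt.Errorf("public key is not RSA of at least 2048 bits")
	}
	return nil
}

func main() {
	const fqdn = "cucm.example.com" // hypothetical host name, not from the thread
	keyPEM, csrPEM, err := MakeCSR(fqdn, "imp.example.com")
	if err != nil {
		panic(err)
	}
	if err := CheckCSR(csrPEM, fqdn); err != nil {
		panic(err) // do not paste a CSR that asks for the wrong name
	}
	// Keep the key private (mode 0600); only the CSR goes into the CA's portal.
	if err := os.WriteFile(fqdn+".key", keyPEM, 0o600); err != nil {
		panic(err)
	}
	fmt.Print(string(csrPEM))
}
```

The CheckCSR step is the part worth keeping around: run it against any CSR before submitting, with the exact name the server will be reached by, and a CN typo is caught before a certificate (and a paid revocation) is spent on it.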

deanwebb

SOL = S*** Out of Luck

SHA-1 is eroding away as a secure hash algorithm. It's time to go to SHA-2 before SHA-1 is compromised, which will be soon.
Take a baseball bat and trash all the routers, shout out "IT'S A NETWORK PROBLEM NOW, SUCKERS!" and then peel out of the parking lot in your Ferrari.
"The world could perish if people only worked on things that were easy to handle." -- Vladimir Savchenko
Вопросы есть? Вопросов нет! | BCEB: Belkin Certified Expert Baffler | "Plan B is Plan A with an element of panic." -- John Clarke
Accounting is architecture, remember that!
Air gaps are high-latency Internet connections.

wintermute000

Sorry, the cert itself is SHA256 but the intermediate Startcom CA that is in the signing chain is SHA1 (and chrome will helpfully warn you if you click on the cert). Perhaps this has gotten fixed.

Dieselboy

Gotcha!
The root cert is sha1 but the intermediate is sha256. I did notice there were new certs this year, but didn't look into it. I just uploaded the root and intermediate in the trust store :)

Hopefully they move to something better, thanks for the heads up and the explanation :)

Otanx

The root cert being SHA-1 isn't an issue yet. As long as your cert is SHA-256, browsers will be happy. If you want to check your settings, I found this while doing some work testing our new A10s.

https://www.ssllabs.com/ssltest/

-Otanx
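The point made in this post (a SHA-1 signature on the self-signed root does not matter, a SHA-1 signature on the intermediate or the leaf does) can be checked offline without waiting on SSL Labs. The following is an added example, not code from the thread or from any of the CAs mentioned: it constructs two throwaway root/intermediate/leaf chains in Go, audits which signatures actually matter, and then runs Go's own path validation, which, like current browsers, refuses SHA-1 on any signature it has to verify but never verifies the root's own signature at all. The certificates are generated on the fly as test material; the names are placeholders.

```go
package main

import (
	"bytes"
	"crypto/rand"
	"crypto/rsa"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// Finding is the audit result for one certificate of a leaf-first chain.
type Finding struct {
	Subject     string
	SigAlg      x509.SignatureAlgorithm
	TrustAnchor bool // self-signed root: trusted by identity, its own signature is never verified
	Weak        bool // SHA-1 or MD5 signature on a certificate that clients do verify
}

// AuditChain flags weak signature hashes on every certificate except the trust anchor.
func AuditChain(chain []*x509.Certificate) []Finding {
	var out []Finding
	for _, c := range chain {
		anchor := bytes.Equal(c.RawSubject, c.RawIssuer) // self-issued: treat as the root
		a := c.SignatureAlgorithm
		weak := a == x509.SHA1WithRSA || a == x509.ECDSAWithSHA1 || a == x509.MD5WithRSA
		out = append(out, Finding{c.Subject.CommonName, a, anchor, !anchor && weak})
	}
	return out
}

// mustSign issues tmpl under parent (self-signed when tmpl == parent) and parses the result.
func mustSign(tmpl, parent *x509.Certificate, pub *rsa.PublicKey, signer *rsa.PrivateKey) *x509.Certificate {
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, pub, signer)
	if err != nil {
		panic(err)
	}
	c, err := x509.ParseCertificate(der)
	if err != nil {
		panic(err)
	}
	return c
}

// BuildChain constructs a throwaway root -> intermediate -> leaf chain (test material, not real
// CA certificates), signing each with the requested algorithm. Returned leaf-first, as a server sends it.
func BuildChain(rootAlg, intAlg, leafAlg x509.SignatureAlgorithm) []*x509.Certificate {
	var keys [3]*rsa.PrivateKey
	for i := range keys {
		k, err := rsa.GenerateKey(rand.Reader, 2048)
		if err != nil {
			panic(err)
		}
		keys[i] = k
	}
	now := time.Now()
	ca := func(cn string, serial int64, alg x509.SignatureAlgorithm) *x509.Certificate {
		return &x509.Certificate{
			SerialNumber: big.NewInt(serial), Subject: pkix.Name{CommonName: cn},
			NotBefore: now.Add(-time.Hour), NotAfter: now.Add(365 * 24 * time.Hour),
			IsCA: true, BasicConstraintsValid: true,
			KeyUsage:           x509.KeyUsageCertSign | x509.KeyUsageCRLSign,
			SignatureAlgorithm: alg,
		}
	}
	rootTmpl := ca("Constructed Root CA", 1, rootAlg)
	root := mustSign(rootTmpl, rootTmpl, &keys[0].PublicKey, keys[0]) // self-signed
	inter := mustSign(ca("Constructed Intermediate CA", 2, intAlg), root, &keys[1].PublicKey, keys[0])
	leaf := mustSign(&x509.Certificate{
		SerialNumber: big.NewInt(3), Subject: pkix.Name{CommonName: "www.example.com"},
		DNSNames:  []string{"www.example.com"},
		NotBefore: now.Add(-time.Hour), NotAfter: now.Add(90 * 24 * time.Hour),
		KeyUsage:           x509.KeyUsageDigitalSignature | x509.KeyUsageKeyEncipherment,
		ExtKeyUsage:        []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
		SignatureAlgorithm: leafAlg,
	}, inter, &keys[2].PublicKey, keys[1])
	return []*x509.Certificate{leaf, inter, root}
}

// VerifyChain does what a browser does: build a path from the leaf to a trusted root.
// Go's verifier, like current browsers, rejects SHA-1 on any signature it actually checks.
func VerifyChain(chain []*x509.Certificate, host string) error {
	roots, inters := x509.NewCertPool(), x509.NewCertPool()
	roots.AddCert(chain[len(chain)-1])
	for _, c := range chain[1 : len(chain)-1] {
		inters.AddCert(c)
	}
	_, err := chain[0].Verify(x509.VerifyOptions{DNSName: host, Roots: roots, Intermediates: inters})
	return err
}

func main() {
	for name, chain := range map[string][]*x509.Certificate{
		"SHA-1 root and SHA-1 intermediate": BuildChain(x509.SHA1WithRSA, x509.SHA1WithRSA, x509.SHA256WithRSA),
		"SHA-1 root, SHA-256 below it":      BuildChain(x509.SHA1WithRSA, x509.SHA256WithRSA, x509.SHA256WithRSA),
	} {
		fmt.Println("==", name)
		for _, f := range AuditChain(chain) {
			fmt.Printf("  %-30s %-12v anchor=%-5v weak=%v\n", f.Subject, f.SigAlg, f.TrustAnchor, f.Weak)
		}
		fmt.Println("  verify:", VerifyChain(chain, "www.example.com"))
	}
}
```

The first chain fails validation because the intermediate's signature (made by the root) is SHA-1 and the client has to check it; the second passes even though the root is SHA-1, because nothing ever verifies a trust anchor's self-signature. To audit a live server, replace BuildChain with the `PeerCertificates` from a `tls.Conn`'s `ConnectionState()` and feed them to AuditChain unchanged.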

wintermute000

This ain't free, but I just jumped on SSLmate. 16 USD = almost free (includes renewals).

Check it out... they let you automate the whole shebang with one command (sslmate buy example.com). 60 seconds later I'm done. Works like a freaking charm.
They also have some awesome testimonials (e.g. the guy who discovered BEAST and POODLE) from security guys I've heard of, so you know it's totally legit.

https://sslmate.com/demo#video


Ironically, I only went down this path after being browbeaten by startcom's obscure website and trying to remember the exact commands to renew my cert (is a renewal the same as applying again? what are the RSA generation commands again? where is my client cert to log in to the bloody portal? why isn't Windows importing it properly, or is it PEKCAB? AAARGH), but I tried sslmate and literally it's as easy as the demo (then copy the files over and restart Apache).

deanwebb

16 bucks for renewal is good. "Free" certs have a habit of becoming very un-free after 90 days. If cheap stays cheap, awesome. I've been wanting to SSL up the place for some time.

Dieselboy

I've been using startSSL for over a year now. Renewing a bunch of certs recently was easier than initially getting the certs, because their old website was not clear when you submitted the CSR, so I ended up with certs whose CN was slightly different, which meant totally wrong. I'm actually using the certs for my CUCM/IMP set up to get rid of the cert warnings. The new website is way better and easier to use. I've had them applied for over a year now.

Regarding the browser client cert, mine expired the other day and renewing it was pretty easy.

I have an "infrastructure" folder and I have everything organised in there so the browser cert is always easily reachable for me :)

But like you say, wintermute, about the browser cert, I couldn't log in with Chrome after importing the new cert. I assumed I needed to close Chrome completely to get it to pick up the cert. But I think I just used IE in the end, because I avoid using that as a browser as much as possible these days. I usually have a zillion Chrome windows open. I need 16GB RAM just for the amount of browser windows I have open  :awesome: >:D

wintermute000

Just watch that demo. You'll be ponying up right away, it's like magic

Dieselboy

Quote from: wintermute000 on May 01, 2016, 04:39:17 PM
Just watch that demo. You'll be ponying up right away, it's like magic

The OP I made with the Lets Encrypt link is supposed to work this way too and it's free. But I've not tried it yet.