How to order a free SSL certificate? What do you need to get

Hello, Habr. This post is intended for lovers of freebies and contains a ready-made recipe for obtaining a domain name, DNS server services and an SSL certificate with a cost of 0 rubles 0 kopecks. Free cheese only comes in a mousetrap and this is true, so this recipe is more likely for those who want a beautiful link to their personal small project with https support and not for serious projects.

Domain name

We go to www.registry.cu.cc, enter the desired name right away and click check availability => checkout if the name is available. Then we register and go to our personal account, where we see our domain names.




We find the desired name, go to Nameserver and register Yandex DNS there.



DNS server

Next, go to pdd.yandex.ru/domains_add and add the newly created domain name.




We see that “The domain could not be found in DNS,” we wait until Yandex finds it.




Then we confirm ownership of the domain by adding the corresponding CNAME record as written in the detailed Yandex instructions. Then we wait until Yandex finds the record it needs and confirms ownership of the domain. It may take quite a long time.




After which we see the long-awaited inscription that the domain is connected and delegated to Yandex DNS.




Next we go to DNS Editor and add an A record linking the domain name to the IP address of your server.




It may take quite a long time for this A-record to take effect. Let's run something locally (after all, we have registered the server address 127.0.0.1) and see how our domain will be resolved. Works!




That’s all with the DNS server, now let’s get on with obtaining an SSL certificate and provide access to our server via https (security comes first).

SSL certificate

Go to www.startssl.com/Validate, register, select Validations Wizard => Domain Validation (for SSL certificate), enter our domain




There we are asked to prove by e-mail that we own the domain: we choose any of the offered addresses and create that mailbox in Yandex. A letter is sent there; we take the code from it and prove that the domain belongs to us.




Then we go to Certificates Wizard => Web Server SSL/TLS Certificate, indicate our domain, generate and insert a key and press submit




The key can be generated like this:

mkdir ./certificates
mkdir ./certificates/habr.cu.cc
cd ./certificates/habr.cu.cc
openssl genrsa -out ./habr.cu.cc.key 2048
openssl req -new -sha256 -key ./habr.cu.cc.key -out ./habr.cu.cc.csr
cat ./habr.cu.cc.csr

Certificate received! Download our archive



Unpack and copy the key files to the nginx directory

cp ~/Downloads/habr.cu.cc/1_habr.cu.cc_bundle.crt /usr/local/etc/nginx/1_habr.cu.cc_bundle.crt
cp ./habr.cu.cc.key /usr/local/etc/nginx/habr.cu.cc.key
nano /usr/local/etc/nginx/nginx.conf

Let's edit the config a little

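server {
    # "ssl" on the listen line replaces the older "ssl on;" directive
    listen 8080 ssl;
    server_name localhost;
    # certificate bundle received from the CA and the private key generated above
    ssl_certificate /usr/local/etc/nginx/1_habr.cu.cc_bundle.crt;
    ssl_certificate_key /usr/local/etc/nginx/habr.cu.cc.key;
    # the rest of the server block stays as it was
}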

Restart nginx

nginx -s stop
nginx
We open our page using https... and everything works!
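
A check worth running on the copied files before the restart step, shown as an added example that is not part of the original post: it confirms that the private key belongs to the certificate and that the key file is not readable by other users. The file names site.key, other.key and site.crt are constructed stand-ins, and a self-signed certificate plays the role of the one issued by the CA.

```shell
#!/bin/sh
# Added example (not from the original post): check that a private key and a
# certificate belong together before nginx is pointed at them.

# SHA-256 over the PEM public key derived from a private key file.
key_pub_hash() {
    pub=$(openssl pkey -in "$1" -pubout 2>/dev/null) || return 1
    [ -n "$pub" ] || return 1
    printf '%s\n' "$pub" | openssl dgst -sha256 | awk '{print $NF}'
}

# SHA-256 over the PEM public key of the first certificate in a file.
# openssl x509 reads only the first one; nginx expects the server
# certificate to come first in a bundle.
cert_pub_hash() {
    pub=$(openssl x509 -in "$1" -noout -pubkey 2>/dev/null) || return 1
    [ -n "$pub" ] || return 1
    printf '%s\n' "$pub" | openssl dgst -sha256 | awk '{print $NF}'
}

# 0 = key matches certificate, 1 = mismatch, 2 = a file could not be parsed.
key_matches_cert() {
    k=$(key_pub_hash "$1") || return 2
    c=$(cert_pub_hash "$2") || return 2
    [ "$k" = "$c" ]
}

# 0 only if neither group nor others have any permission on the key file.
key_is_private() {
    [ "$(ls -ld "$1" | cut -c5-10)" = "------" ]
}

# Constructed sample data: a self-signed certificate stands in for the
# CA-issued one, and other.key plays a key copied from the wrong directory.
make_demo() {
    openssl genrsa -out "$1/site.key" 2048 2>/dev/null &&
    openssl genrsa -out "$1/other.key" 2048 2>/dev/null &&
    openssl req -x509 -new -key "$1/site.key" -subj "/CN=habr.cu.cc" \
        -days 1 -out "$1/site.crt" 2>/dev/null &&
    chmod 600 "$1/site.key" && chmod 644 "$1/other.key"
}

DEMO_DIR=$(mktemp -d)
make_demo "$DEMO_DIR"
key_matches_cert "$DEMO_DIR/site.key" "$DEMO_DIR/site.crt" && echo "site.key: matches certificate"
key_matches_cert "$DEMO_DIR/other.key" "$DEMO_DIR/site.crt" || echo "other.key: does NOT match (nginx would refuse to start)"
key_is_private "$DEMO_DIR/other.key" || echo "other.key: readable by group/others, chmod 600 it"
```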




We received a domain name, DNS server services and a verified SSL certificate without paying anyone a penny, and at the same time completely legally. To launch our ultra-mega-giga service, all that remains is to install a VPS and deploy our program there. Alas, today a free VPS is too good and unrealistic; you still have to pay for a VPS server with bloody dollars from your own pocket. But nevertheless, have a good weekend everyone and I hope this note will be useful to someone.

When a user tries to access your site, an attacker can substitute a fake one even if the user entered the domain name correctly.

SSL certificates eliminate the possibility of such substitution - by viewing the certificate, the user can make sure that the domain hosts exactly the site that should be there, and not a duplicate of it.

Additionally, an SSL certificate allows the user to verify who the owner of the site is. This means that the user can make sure that he has visited the website of the organization he needs, and not the website of its double.

Another important function of SSL certificates is to encrypt the Internet connection. An encrypted connection is necessary to prevent the possible theft of confidential data while being transmitted over the network.

We recommend installing SSL certificates in the section of the site where users enter confidential data, for example, on the authorization and payment pages. The presence of a certificate on a website protects it from possible counterfeits, since the user can always make sure that the website is genuine and check who it belongs to.

For security reasons, the SSL certificate is not transferable to another contract.

You can check the ownership of the domain in the certificate order through the email specified for the domain in the Whois service. To do this, you need to contact the domain registrar and register any email for it in the Whois service. If the domain is registered in RU-CENTER, then to do this, enter your email in your personal account:

  1. Select Services → My domains.
  2. Click on the domain name as an active link.
  3. In line Description in Whois click link Change.
  4. Enter your email and click the button Save changes. After this, notify us of the actions taken at .

If you generated a request for a CSR certificate in your RU-CENTER personal account (the “create CSR” option was selected), then the private key was automatically saved on your computer with the file name privatekey.txt. Try searching on your computer. Without saving the file, you would not be able to proceed to the next step when submitting your certificate order. If the request for a CSR certificate was generated on your server or from a third-party hosting provider, then the private key is located on the server or the provider, respectively. If the private key is lost, you need to do it - it's free.

  1. Visit the website https://www.upik.de.
  2. Choose language English.
  3. Click the link UPIK®-Search with D-U-N-S® number.
  4. In the field D&B D-U-N-S® Number, enter the DUNS number.
  5. In the field Select country, choose the country.
  6. On the company card that opens, you can check the presence of a phone number in the field Telephone number.

If the telephone number is indicated incorrectly or is missing, contact the Russian representative office of DUN&BRADSTREET - Interfax company, and enter or correct the telephone number in the company card. After making changes, the phone number on your DUNS will only appear after 7-30 calendar days.

To change the list of domains covered by the certificate, you must re-create the CSR and go through the procedure of re-issuing the certificate:

1. In section For clients → SSL certificates, select the required certificate.

3. If you want to create a CSR during the order process, click Continue. If you will use your own CSR, enter it in the field that appears. Creating a CSR to install a certificate on Microsoft IIS is described in separate instructions - they will open when you select this option.

4. Make changes to the list of domains and click Continue.

5. Enter your contact information and click Continue.

6. Save the private key - you will need it to install the certificate on the web server. Click Continue.

7. Check the correctness and click send an order.

SSL certificates are issued for a period of 1-2 years.

If an organization orders a certificate for a domain that does not belong to it, then it must provide a letter from the domain owner with permission to issue a certificate. The letter template will be sent by the certification center to the contact email address of the certificate customer.

The certificate can confirm the presence of domain management rights, that is, it can certify only the domain. Such certificates belong to the DV category. By viewing the DV certificate, the user can make sure that he is really on the site whose address was entered in the browser line, that is, that when accessing the site, the user was not redirected by attackers to a fake web resource. However, the certificate does not contain information about who owns the site. This is because, in order to obtain a certificate, the customer does not need to provide documentary evidence of his identification data. Therefore, they may be fictitious (for example, the person requesting the certificate may impersonate another person).

A certificate can confirm the existence of rights to manage a domain name and the existence of an organization that has these rights, that is, it can certify the domain and its owner. Such certificates belong to the OV category. By viewing the OV certificate, the user can verify that he is really on the site whose address is entered in the browser line, and also determine who owns this site. To issue this certificate, the customer must document his identification data.

An SSL certificate (from the English Secure Sockets Layer) is a protocol for encrypting data that goes from the user to the server and back.

How does an SSL certificate work?

The server has a key with which any data exchanged with the user is encrypted. The user's browser receives a unique key (which is known only to it) and thus a situation arises where only the server and the user can decrypt the information. A hacker can certainly intercept the data, but it is almost impossible to decrypt it.

Why does a website owner need an SSL certificate?

If your site requires registration for users, online purchases, etc., then an SSL certificate will be a good signal to the user that your site can be trusted. Today, many users do not know about this, and without hesitation they transfer their credit card information to various sites. But in the future there will be fewer and fewer such people, because after the first loss of money from a card, a person immediately thinks “what needs to be done so that the money does not disappear?”, “which sites can be trusted?”. As a result, a secure connection is indicated by the presence of the https:// protocol in the site address or this type of address bar in the browser.

How to get an SSL certificate?

SSL certificates are issued by special certification authorities; the most popular in the world are Thawte, Comodo, and Symantec. But they all have an English-language interface, which creates certain inconveniences for domestic users. Therefore, now there are a lot of companies that act as intermediaries and sell SSL certificates. Large hosting companies and domain registrars do the same. We recommend purchasing certificates from high-quality hosters or domain registrars. Better yet, buy them from the company with which you registered your domain. As a rule, these companies cooperate with certification centers and, due to volume, have a significant discount. Therefore, the final price for you most likely will not change.

What types of SSL certificates are there?

First level

As a rule, such certificates are purchased if there is no need to confirm a company (or there is no company at all, and the site belongs to a private person), but only a secure connection is needed.

  • The cheapest
  • Delivery time: several hours
  • They confirm the rights to the domain, but do not confirm the company
  • For legal entities, individuals and individuals
  • No documents needed

Average level

Such certificates can already confirm the company of the domain owner, which creates more trust among site visitors. After all, the company’s documents are checked by a certification center, which should inspire maximum user confidence. In this case, the site address in the browser is highlighted in green.

  • average cost
  • Delivery time: within a week
  • Verify the company that owns the domain
  • Only for legal entities
  • Documents confirming your company and its address are required

High level

These certificates have all the indicators of the Average level, but their price is more expensive due to the marketing game of certification centers. So, for example, you can use them not only on the main domain, but also on subdomains (for example, forum.mysite.com, etc.), or users with outdated browsers will be able to use a secure connection. The maximum certificate registration period also depends on the certificate level. As a rule, it is 1-4 years from the date of issue.

How much does an SSL certificate cost?

The price ranges from 30 to 1200 US dollars per year. But there are also free options, although using them is not entirely convenient.

What do you need to get?

For low level certificates

  • e-mail (it must belong to your site, for example, for the site mysite.com the email can be [email protected])
  • Name or organization
  • Address

For higher level certificates

This is where the organization is checked, so to what is listed above you will have to add:

  • Telephone
  • Documents confirming the organization (company registration number or similar documents). In general, the list of documents is different for each country, but be prepared for a serious check, to the point that you will have to send a copy of the contract for the provision of communication services in order to confirm the phone number. Sending scanned copies of documents is possible by fax and email.

Also, to obtain an SSL certificate, the domain must have WHOIS-Protect (hiding domain data) disabled. Today this rule does not apply only to .ru and .рф domains. In addition, CSR generation is mandatory.

What is CSR?

CSR (Certificate Signing Request) is an encoded request that must be attached to the application sent to the certification authority. This request must be generated on the server on which your site is located. The CSR generation process depends on the server, or more precisely on the software that is installed on it. If you buy a certificate through the hosting company where your site is located, then most likely you will be presented with a convenient interface for generating CSR. If it is not there, then we will tell you how to do it for the most common server software (Linux/Apache).

How to generate CSR?

1. Connect to the server via SSH

Use the program PuTTY. At the command line enter:

openssl genrsa -aes256 -out myprivate.key 2048

This generates a private key for the CSR. Two questions will be asked: “Enter pass phrase for myprivate.key” and “Verifying - Enter pass phrase for myprivate.key” - this is a request to enter the password for the key twice. It is important that you remember it, because it will be needed in the next step. As a result, the myprivate.key file will be generated.

2. Generate CSR

Enter the command:

openssl req -new -key myprivate.key -out domain-name.csr

Just change domain-name to your domain name. Then, in response to the question “Enter pass phrase for myprivate.key,” enter the password that we set in the previous step.

After that, fill in the fields using Latin letters only:

Country Name: country code in ISO-3166 format (a two-letter code, taken from the Alpha-2 column);
State or Province Name: region or state;
Locality Name: city;
Organization Name: organization;
Organizational Unit Name: department (optional);
Common Name: domain name;
Email Address: your email (optional field);
A challenge password: (no need to fill in);
An optional company name: another name of the organization (does not need to be filled in).

All data that is entered must be truthful and match those that you filled in when registering the domain (you can check them through WHOIS services). As a result of these operations, a domain-name.csr file will be created on the server. It must be saved and then attached to the application for an SSL certificate, which is submitted to the certification authority.
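
The same CSR can be produced without the interactive prompts and checked before it is attached to the application. The following is an added example, not part of the original article: the subject values (RU, Moscow, Example LLC), the www name in subjectAltName, the csr.cnf file name and the KEY_PASS environment variable are constructed assumptions, while mysite.com and myprivate.key follow the names used above.

```shell
#!/bin/sh
# Added example (not from the original article): the interactive CSR prompts
# written as a config file, plus checks to run before sending the CSR to a CA.

# make_csr DIR DOMAIN: writes DIR/myprivate.key (passphrase taken from the
# KEY_PASS environment variable) and DIR/DOMAIN.csr.
make_csr() {
    cat > "$1/csr.cnf" <<EOF
[req]
prompt = no
distinguished_name = dn
req_extensions = ext
[dn]
C = RU
ST = Moscow
L = Moscow
O = Example LLC
CN = $2
[ext]
subjectAltName = DNS:$2, DNS:www.$2
EOF
    openssl genrsa -aes256 -passout env:KEY_PASS -out "$1/myprivate.key" 2048 2>/dev/null &&
    openssl req -new -sha256 -key "$1/myprivate.key" -passin env:KEY_PASS \
        -config "$1/csr.cnf" -out "$1/$2.csr"
}

# The CSR is signed with the private key; this checks that self-signature.
csr_signature_ok() {
    openssl req -in "$1" -noout -verify 2>&1 | grep -q "verify OK"
}

# Common Name as the CA will read it.
csr_common_name() {
    openssl req -in "$1" -noout -subject -nameopt RFC2253 |
        sed 's/^subject= *//' | tr ',' '\n' | sed -n 's/^CN=//p'
}

# DNS names requested in subjectAltName, one per line.
csr_san_names() {
    openssl req -in "$1" -noout -text | tr ', ' '\n\n' | sed -n 's/^DNS://p'
}

# The file sent to the CA must carry no private key material.
csr_has_no_private_key() {
    ! grep -q "PRIVATE KEY" "$1"
}

# Constructed demo passphrase; a real one is never written into a script.
KEY_PASS='demo-only-passphrase'; export KEY_PASS
DEMO_DIR=$(mktemp -d)
make_csr "$DEMO_DIR" mysite.com
csr_signature_ok "$DEMO_DIR/mysite.com.csr" && echo "self-signature: OK"
echo "CN:  $(csr_common_name "$DEMO_DIR/mysite.com.csr")"
echo "SAN: $(csr_san_names "$DEMO_DIR/mysite.com.csr" | tr '\n' ' ')"
csr_has_no_private_key "$DEMO_DIR/mysite.com.csr" && echo "no private key in CSR"
```

Only the .csr file goes to the certification authority; myprivate.key stays on the server.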

What to do after receiving an SSL certificate?

After receiving the certificate, you need to install it on the server. The installation process is fairly simple, but varies greatly depending on the server software. Therefore, look for instructions on the hosting provider’s website, or even better, contact technical support to set everything up correctly.

What to do if the organization’s data has changed or the hosting has changed?

In such cases, you need to reissue the SSL certificate, but this should be done at no cost to you.