2016-05-10 - Installing a StartSSL identity certificate in Google Chrome

StartSSL provides free SSL/TLS certificates for web servers. It also issues a Class 1 client certificate and installs it into your browser; that certificate is what you use to authenticate yourself to the StartSSL site itself.

This article is all about how to install the Class 1 Client certificate into Google Chrome, especially when Chrome does not accept the certificate automatically, as happened to me when an old certificate expired.

I'll be signing up under the dummy address website@nick-andrew.net to demonstrate the process.

Step 1, Sign Up

StartSSL signup box

At this point, Chrome is supposed to import your client certificate and you can be on your way. Certainly, if I were using Firefox, it would have installed the certificate by now and shown a box with a "Login Now" button. But that doesn't happen for me on Chrome version 50.

So I'm going to set it up the hard way.

Step 2, Generate a private key and certificate signing request

At a shell prompt, generate a passphrase-protected 2048-bit RSA key and a CSR for it:

$ openssl req -newkey rsa:2048 -keyout website.key -out website.csr
Generating a 2048 bit RSA private key
..............+++
...............................................................+++
writing new private key to 'website.key'
Enter PEM pass phrase:
Verifying - Enter PEM pass phrase:
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [AU]:
State or Province Name (full name) [Some-State]:
Locality Name (eg, city) []:
Organization Name (eg, company) [Internet Widgits Pty Ltd]:
Organizational Unit Name (eg, section) []:
Common Name (e.g. server FQDN or YOUR name) []:website@nick-andrew.net
Email Address []:

Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:
An optional company name []:
$ cat website.csr | xclip -in

Make sure you enter website@nick-andrew.net in the Common Name field. The xclip command copies the CSR to the X selection so you can paste it into the StartSSL site. Once StartSSL has issued the certificate, download the zip file it provides; it contains the intermediate certificate and your signed client certificate:

$ unzip website%40nick-andrew.net.zip
Archive:  website%40nick-andrew.net.zip
  inflating: 1_Intermediate.crt
  inflating: 2_website@nick-andrew.net.crt

To import a client certificate together with its private key, Chrome needs both bundled in a single PKCS#12 file. The command to build one from the key, the signed certificate and the intermediate (so Chrome can present the full chain) is:

$ openssl pkcs12 -export -inkey website.key -in 2_website@nick-andrew.net.crt -out certificate.pkcs12 -name "StartSSL cert for website@nick-andrew.net" -certfile 1_Intermediate.crt
Enter pass phrase for website.key:
Enter Export Password:
Verifying - Enter Export Password:
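As an added example that is not part of the original article, the following bash script performs the checks worth doing around that pkcs12 -export step: that website.key really belongs to the signed certificate (if you regenerated the key after pasting the CSR, openssl refuses with "No certificate matches private key", and this tells you which file is stale), that the certificate verifies against 1_Intermediate.crt, and that the finished bundle carries both certificates rather than just the leaf. StartSSL's real files cannot be fetched offline, so the script constructs a throwaway intermediate CA and signs its own leaf under the same file names; the export password is a constructed placeholder read from the environment.

```bash
#!/usr/bin/env bash
# Added example, not part of the original article. It builds a throwaway
# "intermediate" CA and client certificate so that everything runs offline,
# then performs the checks worth doing before and after the pkcs12 -export
# step: key/certificate agreement, chain to the intermediate, and bundle
# contents. File names mirror the article's; the CA is constructed here.
set -euo pipefail

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT
export P12_PASS='demo-export-password'   # constructed; choose a real one interactively

# Constructed stand-ins for StartSSL's 1_Intermediate.crt and signed leaf.
# Keys are generated without a passphrase (-nodes) only so this runs unattended.
make_fixtures() {
  ( cd "$WORK"
    openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 1 \
      -subj "/CN=Throwaway Intermediate CA" \
      -keyout ca.key -out 1_Intermediate.crt 2>/dev/null
    openssl req -newkey rsa:2048 -nodes -sha256 \
      -subj "/CN=website@nick-andrew.net" \
      -keyout website.key -out website.csr 2>/dev/null
    openssl x509 -req -in website.csr -CA 1_Intermediate.crt -CAkey ca.key \
      -CAcreateserial -days 1 -sha256 -out 2_website@nick-andrew.net.crt 2>/dev/null
    openssl genrsa -out wrong.key 2048 2>/dev/null   # unrelated key, to show the check failing
  )
}

# Compare the SubjectPublicKeyInfo of the private key with the one in the
# certificate. Hashing the DER form works for RSA and EC keys alike, unlike
# the classic "-modulus" trick.
key_matches_cert() {   # $1 = private key, $2 = certificate
  local k c
  k=$(openssl pkey -in "$1" -pubout -outform DER 2>/dev/null | openssl sha256)
  c=$(openssl x509 -in "$2" -pubkey -noout 2>/dev/null \
      | openssl pkey -pubin -outform DER 2>/dev/null | openssl sha256)
  [ -n "$k" ] && [ "$k" = "$c" ]
}

# Does the leaf chain to the intermediate? The fixture CA is self-signed, so
# -CAfile alone suffices; with a real intermediate that is itself signed by a
# root, add the root to the CAfile or pass -partial_chain (OpenSSL >= 1.0.2).
chains_to() {   # $1 = intermediate, $2 = leaf
  openssl verify -CAfile "$1" "$2" >/dev/null 2>&1
}

# Same bundle as the article's command; the password is taken from the
# environment rather than the command line so it does not show up in ps.
build_p12() {   # $1 = key, $2 = leaf, $3 = intermediate, $4 = output file
  openssl pkcs12 -export -inkey "$1" -in "$2" -certfile "$3" \
    -name "StartSSL cert for website@nick-andrew.net" \
    -passout env:P12_PASS -out "$4"
}

# Number of certificates the bundle holds when unpacked with the export
# password: 2 means leaf plus intermediate, 1 means -certfile was forgotten.
p12_cert_count() {   # $1 = pkcs12 file
  openssl pkcs12 -in "$1" -passin env:P12_PASS -nodes 2>/dev/null \
    | grep -c 'BEGIN CERTIFICATE' || true
}

make_fixtures
LEAF="$WORK/2_website@nick-andrew.net.crt"
key_matches_cert "$WORK/website.key" "$LEAF" && echo "key and certificate agree"
key_matches_cert "$WORK/wrong.key"   "$LEAF" || echo "wrong.key rejected as expected"
chains_to "$WORK/1_Intermediate.crt" "$LEAF" && echo "leaf verifies against intermediate"
build_p12 "$WORK/website.key" "$LEAF" "$WORK/1_Intermediate.crt" "$WORK/certificate.pkcs12"
echo "bundle holds $(p12_cert_count "$WORK/certificate.pkcs12") certificate(s)"
```

On Linux, Chrome keeps client certificates in the NSS database at ~/.pki/nssdb, so the same bundle can also be imported from a shell with pk12util -i certificate.pkcs12 -d sql:$HOME/.pki/nssdb (from the libnss3-tools package) and listed afterwards with certutil -L -d sql:$HOME/.pki/nssdb, which is a handy cross-check when the GUI import misbehaves.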

Finally, you can import the certificate.pkcs12 file into Google Chrome. Go to chrome://settings and click on "Show advanced settings". Then click on "Manage certificates..."

Chrome Certificate manager

In the "Your Certificates" tab, select "Import..."

Select "certificate.pkcs12" and enter the Export password you used.

Enter your export password

At this point, Google Chrome has imported the certificate and will present it the next time StartSSL asks for one. Since certificate.pkcs12 holds your private key, protected only by the export password, delete it once the import has succeeded rather than leaving it in your home directory.

Certificate manager after installation