I’ve been using free SSL server certificates from StartSSL.com for many years. These are legit, free certificates that last for a full year, not those 1-week trial sort of free certificates. This was, of course, before the time of Let’s Encrypt, so StartSSL.com’s deal was quite cool.
StartSSL.com does have a somewhat unusual workflow, and a website UI that wasn’t too friendly. Some people were a little put off by it, but not me. Free was really nice. I used StartSSL.com’s service until last year, when I started to take an interest in ECDSA-based certificates, and found that they were unable to support this newer, though not that new, type of certificate. I was a little disappointed then. I ended up going with Comodo when I had to renew the SSL server certificate for ZitSeng.com. It was free too, as I somehow had a free credit from some promotion.
The SSL server certificate for another of my websites was up for renewal recently, and I looked up StartSSL.com again. They have a new, modernised, better-looking web interface. I didn’t see any mention of ECDSA support, but well, no harm trying, right? It’s free, unlike other paid services, where you’ve got to fork out money first, upload your CSR, then find that ECDSA isn’t supported.
So, long story short, StartSSL.com now supports elliptic-curve public keys, and will generate ECDSA-based certificates.
In case you need some help, here’s how you generate your keys:
$ openssl ecparam -out server.key -name secp384r1 -genkey
Here is how you generate your CSR, which you upload to the certificate authority:
$ openssl req -new -key server.key -out server.csr
That’s it. StartSSL.com generates your certificate immediately, and you can then go install the same way you had done before.
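Before uploading, it is worth confirming that the CSR really carries a P-384 EC key and an ECDSA signature, and that the private key is not world-readable. The script below is an added example, not part of the original post: the function names, the target directory and the `example.test` common name are assumptions for illustration.

```shell
#!/bin/sh
# Added example: generate the key and CSR as above, then inspect the CSR
# before handing it to the CA. Function names and example.test are placeholders.

# gen_ec_csr <dir> <common-name>: writes <dir>/server.key and <dir>/server.csr
gen_ec_csr() {
    dir=$1; cn=$2
    (
        umask 077   # key file is created readable by its owner only
        openssl ecparam -out "$dir/server.key" -name secp384r1 -genkey
    ) || return 1
    # -subj skips the interactive prompts so the step can be scripted
    openssl req -new -key "$dir/server.key" -subj "/CN=$cn" -out "$dir/server.csr"
}

# Named curve of the public key in the CSR, e.g. secp384r1
csr_curve() {
    openssl req -in "$1" -noout -text | sed -n 's/^ *ASN1 OID: *//p'
}

# Algorithm the CSR was self-signed with, e.g. ecdsa-with-SHA256
csr_sigalg() {
    openssl req -in "$1" -noout -text |
        sed -n 's/^ *Signature Algorithm: *//p' | head -n 1
}

# Succeeds only if the CSR's self-signature checks out against its own key.
# The message is matched rather than the exit status, because the message
# wording is what stays stable across OpenSSL releases.
csr_selfsig_ok() {
    openssl req -in "$1" -noout -verify 2>&1 | grep -q 'verify OK'
}

# Usage:
#   gen_ec_csr . example.test
#   csr_curve server.csr; csr_sigalg server.csr
#   csr_selfsig_ok server.csr && echo "CSR is ready to upload"
```

If `csr_curve` prints anything other than `secp384r1`, or `csr_sigalg` reports an RSA algorithm, the CSR was built from the wrong key file.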
You can read my earlier post to understand why Elliptic Curve Cryptography (ECC) keys and ECDSA-based certificates are superior to the more common RSA certificates.
Let’s Encrypt, incidentally, still doesn’t seem to have ECDSA support. It’s a pity.
I guess it is time to try it on my blog too. 🙂