
StartCom certificates distrusted

Posted: Mon Apr 17, 2017 12:12 pm
by kc9uhi
This site (and my other projects) used free SSL certificates from StartCom (aka startssl). Beginning last fall, Google, Apple, Mozilla, etc. began distrusting the StartCom root certificate -- https://security.googleblog.com/2016/10 ... rtcom.html. This results in SSL certificate validity errors when opening this and other web pages.

This isn't a high-level commerce, banking, personal info, etc. site, yet I still wish to offer an SSL connection for users. Purchasing SSL certs for $$ annually isn't a viable option, so I opted for a self-signed certificate, which is used across the kc9uhi.net domain.

This offers two options to users -- click through the "certificate validity" / "non-trusted" errors, or install the kc9uhi-ca root certificate.

To install the root certificate, download it at http://qth.kc9uhi.net/ca.crt and use your operating system's certificate manager to install it in an appropriate trusted certificate store. Alternatively, download the zip file of the certificate and a one-line batch file to install the certificate for you -- http://qth.kc9uhi.net/ca.zip.

Re: StartCom certificates distrusted

Posted: Mon Apr 17, 2017 9:19 pm
by kb9mwr
10-4

Since you started doing SSL, it seems getting free certificates is a bit more commonplace. I assume you already know about:

https://certbot.eff.org/

Re: StartCom certificates distrusted

Posted: Fri Aug 11, 2017 12:26 am
by kc9uhi
Switched to Let's Encrypt / certbot

Most of my internal stuff still runs on kc9uhi-ca certs, but I think I've got the public stuff switched over.