StartSSL Certs – Great free certs, and even better SAN and Wildcard Certs

This morning I read on Rajith Enchiparambil’s Twitter (@rajithe) about the free StartSSL certificates from StartSSL. I’ve been meaning to mention them for a while, as I too have been using them in my lab rather successfully.

So, the free certificates…

First of all, I’d like to elaborate on what the free “class one” certificates give you. You get a basic two-name SAN certificate with the following names:

  • Your domain name
  • The server FQDN

For example – mail.exchangelabs.co.uk and exchangelabs.co.uk. While that’s not as good as a full SAN certificate, it can fulfil the basic core requirements for Exchange. You’ve got a name to use for your CAS namespace, and the ability to use it for AutoDiscover using the first-attempted https://domainname.co.uk/AutoDiscover/AutoDiscover.xml URL. An example of the free cert looks a little like this:

image

What’s the support like amongst browsers and mobile devices?

The first question anyone would have when using one of these certs is what’s the support like? If it’s not supported on nearly all your devices, it’s a waste of time – you may as well use your own private CA. The good news is the cert support is pretty good. I’ve tested it successfully against the following browsers, devices and services:

  • Internet Explorer (XP SP2 onwards, IIRC)
  • Firefox
  • Google Chrome
  • Safari
  • iPhone
  • Android
  • Office 365
  • Exchange Remote Connectivity Analyser

I’ve had varying success with Windows Phone, as I don’t have one to test against. On a pre-Mango device I did need to import the root certificate, though.

Want to test the support for yourself? Visit https://mail.exchangelabs.co.uk/owa and have a try from your device or browser of choice.

SAN and Wildcard certificates

After a few months of using the free certificates, and working around their limitations, I needed to do some testing that’s more in parity with customer environments, namely TMG fronting Exchange and ADFS. So, I bit the bullet and decided to upgrade to “Level 2”. This gives you the following of interest:

It’s not free, but it’s pretty cheap compared to the cheapest I recommend to customers, CertificatesForExchange.com (who I still recommend for production certs) at $59.90 or in UK money, a mere £37. Along with payment, you’ll also need to do the following:

  • Send a photo of your passport
  • Send a photo of your driving licence
  • And in my case, they asked for a copy of my phone bill to confirm my address and phone number.

A few hours after sending the correct docs, I was granted “Level 2” access and able to create Wildcard and SAN certs.

You’ll see here a sample Wildcard cert (or check out https://www.stevieg.org to see a live one):

image

And below a SAN cert which I’ve added a few domains for Exchange and ADFS:

image
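To compare what the two-name free cert and a wildcard cert actually cover for Exchange, here is an added example (not from the original post) that matches SAN entries against the hosts a client needs, using the RFC 6125 rule that a wildcard stands for exactly one left-most label. The certificate name lists are constructed from the exchangelabs.co.uk example above, and the second Autodiscover host, autodiscover.<domain>, is standard Outlook behaviour that the post does not mention.

```python
# Added example: SAN lists below are constructed, not read from real certificates.

def san_matches(pattern: str, host: str) -> bool:
    """Match one dNSName SAN entry against a hostname (RFC 6125 style)."""
    p = pattern.lower().rstrip(".").split(".")
    h = host.lower().rstrip(".").split(".")
    if len(p) != len(h):
        return False  # a wildcard never spans more than one label
    if p[0] == "*":
        # Wildcard must be the whole left-most label, with at least two
        # labels after it (rejects e.g. "*.com"). Partial wildcards such
        # as "m*.example.com" are treated as literals and will not match.
        return len(p) > 2 and p[1:] == h[1:]
    return p == h


def autodiscover_hosts(smtp_domain: str) -> list[str]:
    """HTTPS hosts an Outlook client tries for Autodiscover, in order."""
    return [smtp_domain, "autodiscover." + smtp_domain]


def coverage(sans: list[str], hosts: list[str]) -> dict[str, bool]:
    """Map each required host to whether any SAN entry covers it."""
    return {h: any(san_matches(s, h) for s in sans) for h in hosts}


DOMAIN = "exchangelabs.co.uk"
# CAS namespace plus both Autodiscover candidates
REQUIRED = ["mail." + DOMAIN] + autodiscover_hosts(DOMAIN)

CERTS = {  # hypothetical SAN sets for comparison
    "free two-name": ["mail." + DOMAIN, DOMAIN],
    "wildcard only": ["*." + DOMAIN],
    "wildcard + base": ["*." + DOMAIN, DOMAIN],
}


def report() -> dict[str, dict[str, bool]]:
    """Coverage of REQUIRED for every constructed certificate."""
    return {name: coverage(sans, REQUIRED) for name, sans in CERTS.items()}


if __name__ == "__main__":
    for name, result in report().items():
        missing = [h for h, ok in result.items() if not ok]
        print(f"{name:16} missing: {missing or 'none'}")
```

The free cert covers the first-attempted Autodiscover URL but not the autodiscover.<domain> fallback, while a wildcard on its own misses the bare domain.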

Caveats?

Only caveat I can think of is when you create your account, you’ll need to set up certificate authentication to the StartSSL website. This is a browser-driven process and isn’t much hassle, and naturally is more secure than simply a username and password.

What you should do, however, is ensure you back up the private key and certificate, perhaps by exporting it as a PFX from the Certificates Snap-In. You’ll find it under Personal certificates:

image

Hope you find this useful, and have fun with the free and nearly free certificates

Steve

3 thoughts on “StartSSL Certs – Great free certs, and even better SAN and Wildcard Certs”

  1. I’ve been using StartSSL for some years now for ‘free’ digital IDs. Their service is much easier to use than Comodo who also offer ‘free’ certs.
