Getting a free SSL certificate for a subdomain

I have a subdomain from no-ip.org. I would like to get a free SSL certificate for my domain. Is this even possible to do for a subdomain and if so what are my options?

Sab

Posted 2012-05-29T04:55:01.433

Reputation: 121

Question was closed 2014-02-12T22:55:42.323

@DavidSchwartz And how exactly are you supposed to get a provider such as dyn.com to fill out such a letter for you? (Also, StartCom won't do this for the level1 [free] cert) – Michael – 2014-12-31T18:25:18.650

@Michael I believe dyn.com partners with DigiCert. – David Schwartz – 2014-12-31T18:36:26.140

@DavidSchwartz Good to know. Unfortunately, it appears that they charge WAY more than I'm willing to pay... almost 20x what I pay yearly for my DNS name. – Michael – 2014-12-31T18:40:11.870

Can you clarify what you mean by a "sub domain"? Do you mean something like "example.com" that's registered to you and owned by you? Or do you mean something like "moose.example.com", where someone else owns "example.com" and lets you use "moose" without actually owning anything? If the former, you can get free SSL certificates. If the latter, you probably can't get them at any price. (Since you don't own anything and SSL certificates prove ownership.) – David Schwartz – 2012-05-29T06:13:25.843

It's the latter. – Sab – 2012-05-29T06:32:16.543

Then you need to get a "real" domain and use a CNAME entry to point it to the "borrowed" domain. Then you can get a free SSL certificate for the "real" domain -- since you can prove you own it. – David Schwartz – 2012-05-29T06:52:26.477

Actually, StartCom will issue a certificate under these circumstances so long as the domain owner submits an authorization letter that they can verify. – David Schwartz – 2012-05-29T08:00:46.567

Answers

There are at least three options for using a certificate with a web or mail server:

Option 0: Obtain a certificate from Let's Encrypt

Let's Encrypt may be a way for you to have free, browser-trusted SSL certificates. This is a new option since this question was asked.

Let's Encrypt works a little differently than other CAs. You install a small agent on your server, and it renews your certificate automatically every few months.

I can't quite tell if this option works yet, because there are a few GitHub issues discussing a change to allow No-IP domains to work with their service:

Even if this doesn't work today, keep an eye on it, because it seems it will be ready soon.

Option 1: Obtain an SSL certificate signed by a certificate authority (CA)

The advantage of using a certificate signed by a CA is that your visitors will automatically trust your certificate. Operating systems and web browsers ship with a list of trusted root certificates, and only certificates signed by those trusted certificates are considered trusted by default.

The disadvantage is that most of the CAs included with major operating systems and browsers charge money for their services.

CAs do offer certificates for subdomains; however, they generally have some sort of simple verification process to prove you have control of that subdomain. Different CAs may have different policies about issuing certs for subdomains of no-ip.org and other dynamic DNS providers.

A small list of potential CAs you might investigate are:

Option 2: Obtain an SSL certificate from a web-of-trust provider

The only web-of-trust provider I'm aware of is CAcert.org. This is a certificate authority that provides free SSL certificates. However, the certificates do not verify anything about your domain until enough other CAcert.org users have verified your identity. Once you've earned enough "assurance points", you can add a name to your certificate and have longer expiration dates.

However, I don't believe CAcert.org's root certificate is included in most browsers by default. Your visitors will need to install this root certificate or else they'll get the Scary Certificate Warning:

Untrusted certificate error

Option 3: Generate a self-signed certificate

If you really cannot purchase a certificate, you can create a self-signed certificate. This doesn't require any CA, but other computers will not automatically trust your certificate. Guests visiting a website secured by a self-signed certificate will receive the Scary Certificate Warning.

Depending on your system, there are different ways to do this. If you are using OpenSSL, you can use the instructions provided by Akadia.com:

# Generate a private key.
# 2048 bits rather than the original 1024: current browsers and OpenSSL
# builds reject 1024-bit RSA keys. -des3 encrypts the key with a passphrase,
# which the web server will then prompt for at every start; omit -des3 if
# the server must start unattended.
openssl genrsa -des3 -out server.key 2048

# Generate a certificate signing request (CSR). You are prompted for the
# subject fields; the Common Name must be the host name visitors will type.
openssl req -new -key server.key -out server.csr

# Generate the self-signed certificate, valid for one year, signed with the
# same key that produced the CSR.
openssl x509 -req -days 365 -in server.csr -signkey server.key -out server.crt

You would then install server.crt in your web server of choice.

Stephen Jennings

Posted 2012-05-29T04:55:01.433

Reputation: 21 788
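The three-command recipe in the answer above sets only a Common Name; current browsers match the URL host against the certificate's subjectAltName and reject a certificate that has none, so visitors get the name-mismatch warning on top of the untrusted-issuer one. The script below is an added example, not code from the answer or from Akadia.com. It assumes the openssl command-line tool is installed, uses the placeholder host name myhost.no-ip.org, and generates an unencrypted 2048-bit key plus a one-year self-signed certificate with a SAN in one step via a small request config file. It then checks that the SAN is present, that the certificate really belongs to the generated key, and prints the SHA-256 fingerprint, which is what you hand to visitors over a separate channel so they can confirm that the warning they click through is for your certificate and not an interposed one.

```shell
#!/bin/sh
# Added example, not part of the original answer. Assumes the openssl CLI.
# Usage: sh selfsigned.sh [fqdn] [outdir]; "myhost.no-ip.org" is a placeholder.
set -e

make_selfsigned() {
    # $1 = fully qualified host name, $2 = output directory
    fqdn="$1"; dir="$2"
    umask 077   # key and config are created readable by the owner only

    # Request config: non-interactive subject plus the extensions a server
    # certificate needs. The SAN is what browsers match against the URL host.
    cat > "$dir/san.cnf" <<EOF
[req]
prompt = no
distinguished_name = dn
x509_extensions = v3_server
[dn]
CN = $fqdn
[v3_server]
subjectAltName = DNS:$fqdn
basicConstraints = CA:FALSE
keyUsage = digitalSignature, keyEncipherment
extendedKeyUsage = serverAuth
EOF

    # -nodes: key stays unencrypted so the web server can start unattended.
    # -x509: emit a self-signed certificate directly instead of a CSR.
    # stderr is silenced only to hide key-generation progress dots; a real
    # failure still aborts the script through set -e.
    openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 365 \
        -keyout "$dir/server.key" -out "$dir/server.crt" \
        -config "$dir/san.cnf" 2>/dev/null
}

cert_has_san() {
    # Succeeds only if certificate $1 lists DNS name $2 in subjectAltName.
    openssl x509 -in "$1" -noout -text | grep -q "DNS:$2"
}

cert_matches_key() {
    # Succeeds only if the public key inside certificate $1 is the public
    # half of private key $2 (catches a cert installed with the wrong key).
    cert_pub=$(openssl x509 -in "$1" -noout -pubkey)
    key_pub=$(openssl pkey -in "$2" -pubout)
    [ "$cert_pub" = "$key_pub" ]
}

cert_fingerprint() {
    # Colon-separated SHA-256 fingerprint of certificate $1, to be published
    # over a second channel (mail, chat), not on the site it protects.
    openssl x509 -in "$1" -noout -fingerprint -sha256 | cut -d= -f2
}

# Stand-alone run: generate, check, and print the fingerprint.
FQDN="${1:-myhost.no-ip.org}"
OUT="${2:-.}"
make_selfsigned "$FQDN" "$OUT"
cert_has_san "$OUT/server.crt" "$FQDN"
cert_matches_key "$OUT/server.crt" "$OUT/server.key"
echo "Self-signed certificate for $FQDN written to $OUT/server.crt"
echo "SHA-256 fingerprint: $(cert_fingerprint "$OUT/server.crt")"
```

The config-file route is used instead of the newer -addext flag so the script runs on OpenSSL 1.0.x and LibreSSL as well. If you later move to a CA-issued certificate, the same key and a CSR generated from san.cnf (drop -x509 and add -new) can be submitted, since the CA will also expect the SAN.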

Basically, we have to pay a CA to be visible on the internet... Are browser vendors paid by CAs to refuse to trust non CA certified certificates? Why would browsers not accept Option 2 root certificate otherwise? – Shautieh – 2016-09-09T09:32:45.620

@Shautieh Inclusion in a browser's root CA list grants tremendous power because an insecure or malicious CA threatens the security of all websites. So, the browser vendors have to make a critical decision: What CAs should be trusted by everyone? According to this ticket, CAcert did not pass an audit, so their request to be included in Mozilla was rejected. This is Mozilla's inclusion policy, to see how seriously they take this decision. – Stephen Jennings – 2016-09-09T15:46:56.273

Only the security of the websites which use this particular insecure CA... Quoting this article http://byuu.org/other/ssl/#2238770713 : "There's said to be auditing in place. But clearly, said auditing doesn't work all that well. Both DigiNotar and CNNIC have been caught issuing rogue certificates for Google's domains. And both of them remain in your trusted root CA list to this day." What do you think of this guy's critic? – Shautieh – 2016-09-10T12:58:16.973

@Shautieh DigiNotar is not included in root CA lists anymore. If it's listed, it's in the "explicitly distrusted" list. The CNNIC problem apparently only affects certs after April 1 2015, so that's what Mozilla distrusts. Sources: Mozilla removes DigiNotar, Mozilla distrusts newly-signed CNNIC certs (there are similar notices for other root CA lists, Mozilla is just the easiest to find) – Stephen Jennings – 2016-09-12T02:54:04.363

@Shautieh Since a root CA can sign certificates for any domain, a compromised CA affects all domains, not just the ones who purchased certs from them. DigiNotar was able to create valid, trusted certificates for google.com, even though Google (probably) never purchased certs from them. – Stephen Jennings – 2016-09-13T04:56:20.207

So are there no free SSL certificates for subdomains? – Sab – 2012-05-29T05:18:40.840

@Sab: Self-signing a certificate is free, but isn't trusted by browsers by default. This is a trade-off you must make. A CA getting their root certificate included with browsers is expensive; I'm not aware of any who bear that cost without charging customers for that service. – Stephen Jennings – 2012-05-29T05:27:07.960

Okay. I guess I have to figure out some other way. – Sab – 2012-05-29T05:53:26.773

You can get a free certificate for subdomains for 90 days from Comodo SSL. This is the only one I've found that is provided by a ubiquitously trusted certificate authority, free, and valid for subdomains. I've personally used it with my free domain provided by no-ip. Unfortunately it's only valid for 90 days, after that it's $100/year (or less for a multi-year commitment).

drs

Posted 2012-05-29T04:55:01.433

Reputation: 1 644

When I try this approach, it tells me that an account already exists for the domain above mine (e.g. I try to send a CSR for michael.example.com, which I own, and it tells me an account already exists for example.com, which I do NOT own.) – Michael – 2014-12-31T18:33:24.973