Using a StartSSL Server Certificate with Journey

Micah Nordland edited this page Feb 5, 2016 · 3 revisions

Running Journey using the automatically generated SSL certificate is fine for testing purposes. But once you are running Journey in production, you want a certificate signed by an authority that's trusted by browsers and operating systems.

Unfortunately, most places charge for that. Comodo, for example, charges $100 for a certificate that's valid for one year. The Internet Security Research Group is working on fixing that, but at the time of writing that certificate authority isn't available. Let's Encrypt is now open for anyone to use. Learn more at https://letsencrypt.org

An alternative is StartSSL. StartSSL will issue a certificate for your domain that's valid for one year, free of charge. You will still have to pay them to revoke the certificate should something like Heartbleed happen again, but for now it's your only shot at a free and widely trusted server certificate.

Sign up with StartSSL and generate the server certificate and private key for your domain. Read the instructions carefully or consult one of the many tutorials out there that show you how to use StartSSL.

In the following, we will assume you saved the server certificate as "cert.pem" and the private key as "key.pem".

Your server private key might be protected by a passphrase. Check by opening "key.pem" in a text editor. If it is indeed encrypted, you'll see something like this at the top:

Proc-Type: 4,ENCRYPTED

To remove the passphrase from your private key, use this OpenSSL command:

openssl rsa -in key.pem -out key_unencrypted.pem

Finally, you'll need to append the StartSSL Intermediate CA and the StartSSL Root CA to "cert.pem".

Download the "Class 1 Intermediate Server CA" and "StartCom Root CA (PEM encoded)" from the StartSSL Tool Box (Log In > Tool Box > StartCom CA Certificates) and place the files into the same folder as your "cert.pem". Using Linux or Mac OS X, run:

cat cert.pem sub.class1.server.ca.pem ca.pem > cert_combined.pem

Using Windows, run:

type cert.pem sub.class1.server.ca.pem ca.pem > cert_combined.pem

Now take "cert_combined.pem" and "key_unencrypted.pem", rename them to "cert.pem" and "key.pem", and place them in your-journey-folder/content/https/.

That's it! Run Journey as you normally would and your StartSSL certificate will be used automatically.
