[openssl-users] Use of openssl
noloader at gmail.com
Tue Oct 25 22:04:39 UTC 2016
> I've a free certificate from startssl for my email address. Now I would
> like to create a certificate for one of my internet domain. How can I do
> that? Can I use openssl? Is there a free service like cacert.org that allow
> to deploy free class IV certificates that are recognized?
> Sorry for my poor question. Thank you for your reply.
The three free services I am aware of are (1) CaCert, (2) StartCom,
and (3) Let's Encrypt.
CaCert is kind of dead because their roots are still using MD5. Nobody
trusts them, especially after Flame and Stuxnet.
StartCom has directions on their website. I don't recall what the
process is, but I've used it in the past. You might want to review the
instructions StartCom provides.
Let's Encrypt is new and has become very popular. I don't know the
process because I have never used them. They will likely suffer more
"unable to get local issuer certificate" problems than StartCom,
especially on older mobile devices.
You can ask users to install the Let's Encrypt Root CA to overcome the
"unable to get local issuer certificate" problem. Asking users to do
anything is usually a slippery slope, and it will probably create user
grief and generate support emails.
More information about the openssl-users