Obtaining and Tuning the Free WoSign SSL Certificates for Your Hosting


It’s no secret that SSL certificates can dramatically improve a website’s SEO rating in search engines like Google. Today we’ll learn how to obtain and fine-tune a free SSL certificate from the Chinese vendor WoSign, so that it actually works and you don’t get the annoying “certificate not recognised” warning. We’ll be using Wavecom hosting (https://www.wavecom.ee/en), but the instructions are very similar for any hosting provider that uses CPanel.

Step 1: fill in a certificate request form at https://buy.wosign.com/free/

Simply follow the step-by-step instructions on the page. Make a good note of your certificate password as it will be needed later in order to retrieve it.


You’ll need to have access to either webmail or root server directories of every domain you’re obtaining certificates for, so you can upload the checksum files and confirm domain ownership.

Once your certificate is ready, a download link will be e-mailed to you – you’ll have to use the certificate password entered earlier to both download and unzip the certificate archive. Here’s what its contents should look like:

[Screenshot: contents of the certificate archive]

Wavecom servers are running Apache, so it’s the only one we’re going to need for now.

Step 2: access CPanel to upload your certificates.

Login using the credentials provided.

Under the Security tab choose SSL/TLS.


Then choose Certificates (CRT) and upload “1_root_bundle.crt” and your obtained domain certificate(s) one after another from “for Apache.zip”.


After that, go to SSL/TLS >> Private Keys >> Upload a New Private Key and upload the .key file(s) from the WoSign Apache archive.


Step 3: creating an OCSP stapling-enabled CA bundle for free WoSign certificates.

Firstly, obtain certificates from the links below:

http://aia.startssl.com/certs/ca.crt

http://aia1.wosign.com/ca1g2-server1-free.cer

http://aia6.wosign.com/ca6.server1.free.cer

Then put them together in one file (make sure to keep the same order) using any text editor (let’s call this file “ca-certs.pem”, but the name doesn’t really matter).

Note that ca1g2-server1-free.cer and ca6.server1.free.cer are provided in DER (binary) format, so you need to convert them to PEM before putting them in one bundle. You can easily do this using the free online conversion service at https://www.sslshopper.com/ssl-converter.html.
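The conversion and concatenation described in this step can also be done locally. The following is an added example, not part of the original article, using only the Python standard library; the function names and the placeholder byte strings are assumptions constructed for illustration, and real input would be the three downloaded files read as bytes in the order listed above.

```python
import base64
import re
import ssl

PEM_RE = re.compile(
    rb"-----BEGIN CERTIFICATE-----\s*(.+?)\s*-----END CERTIFICATE-----", re.S)

def der_length_ok(der: bytes) -> bool:
    """True if `der` is one ASN.1 SEQUENCE that spans the whole buffer."""
    if len(der) < 2 or der[0] != 0x30:          # 0x30 = SEQUENCE tag
        return False
    first = der[1]
    if first < 0x80:                            # short-form length
        header, body = 2, first
    else:                                       # long form: next n bytes hold the length
        n = first & 0x7F
        if n == 0 or n > 4 or len(der) < 2 + n:
            return False
        header, body = 2 + n, int.from_bytes(der[2:2 + n], "big")
    return header + body == len(der)

def to_pem(raw: bytes) -> str:
    """Accept one certificate in PEM or DER form and return normalised PEM."""
    match = PEM_RE.search(raw)
    if match:                                   # already PEM: decode to re-check it
        der = base64.b64decode(b"".join(match.group(1).split()), validate=True)
    else:                                       # binary download (.cer in DER form)
        der = raw
    if not der_length_ok(der):
        raise ValueError("truncated or non-certificate input")
    return ssl.DER_cert_to_PEM_cert(der)

def build_bundle(certs: list[bytes]) -> str:
    """Concatenate certificates as PEM, keeping the caller's order."""
    return "".join(to_pem(c) for c in certs)

def fake_der(tag: int) -> bytes:
    """Constructed placeholder with a valid DER outer header, NOT a real certificate."""
    body = bytes([tag]) * 300
    return b"\x30\x82" + len(body).to_bytes(2, "big") + body

if __name__ == "__main__":
    # Real use: read ca.crt, ca1g2-server1-free.cer, ca6.server1.free.cer as bytes, in that order.
    samples = [ssl.DER_cert_to_PEM_cert(fake_der(1)).encode(), fake_der(2), fake_der(3)]
    print(build_bundle(samples))
```

The length check only catches truncated or non-certificate downloads; it does not verify signatures or that the certificates chain to each other.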

Once you have your bundle ready, go to SSL/TLS >> Private Keys >> Install and Manage SSL for your site (HTTPS) in CPanel and under the Install an SSL Website tab choose Browse Certificates.

Select the certificate you wish to install (we already uploaded them in Step 2, so they should be visible – if not, go back and re-upload them) and the server should automatically fill in the Certificate (CRT) and Private Key (KEY) fields for you. Then scroll down to the Certificate Authority Bundle: (CABUNDLE) field and paste the contents of “ca-certs.pem” that we created earlier. If everything’s fine with the bundle, there won’t be any warning messages. Otherwise a “The CA bundle is invalid.” warning may appear, in which case you need to check the bundle for consistency and possible errors.

After that simply press the Install Certificate button and enjoy the result. This should enable OCSP stapling as well, but be sure to check at https://www.ssllabs.com/ssltest/ — usually the rating awarded would be A or A+, but it depends on the individual server settings.

This is about it, really. Feel free to send us your feedback on how we can improve this process for other hosting providers and certificate providers.