WoSign: Free 2y multi-domain SSL certificate (SAN/UCC)
2015-02-01
Update 2015-02-12: New SHA2 intermediate cert and application form in English
Chinese CA WoSign issues free multi-domain SSL certificates valid for 2 years.
Free SSL certificates? – That’s old news…
For many years we have had the great free StartSSL certificates. They are valid for one year and include both the domain and the www subdomain.
Since October 2014 another free option for enabling HTTPS on your website is CloudFlare, where you don’t get the key yourself but use their free CDN to terminate SSL connections.
Starting in mid 2015 we will have Let’s Encrypt, a free certificate authority issuing certificates automatically via a script on the webserver.
There is CAcert as well, but since they never passed an audit and are not included in any important certificate store by default, they are unfortunately not an option.
New player: Chinese WoSign
So now there is another option: the Chinese CA WoSign offers free SSL certificates which are valid for 2 years and may contain up to 100 domains each (multi-domain/SAN/UCC). This is very useful for hosting various domains on one single IP address (a better option than SNI if you still have Windows XP clients). Before you stop reading because you don’t trust a Chinese company for your website encryption, please keep in mind that you don’t have to trust them at all! You generate the SSL key on your server and only send them the CSR (certificate signing request), which contains only the public key and no private information.
How to get the certificate
As of February 10, the order process is finally available in English as well, so no quirky Chinese-to-English translation is necessary anymore.
- Visit https://buy.wosign.com/free/
- Enter the domain(s) that should be included in the SSL certificate in the first textbox, one per line. If you just enter “example.com”, you will get the subdomain “www.example.com” automatically.
- Leaving the defaults is generally recommended: 2 year period, English language and SHA2 algorithm
- Verify the domain(s) via either email to a special email account or via a special file you have to upload to http://example.com/example.com.html
- Login to your webserver via SSH and generate a new SSL key and a Certificate Signing Request (CSR), for example with this command:
openssl req -out example.com.csr -new -sha256 -newkey rsa:2048 -nodes -keyout example.com.key
- Select “Option 2: Generate by myself” to paste the CSR you just generated. You should never use the first option, since that implies that you are not the sole owner of your SSL key.
- Enter your email address and select a new password if you don’t have a WoSign account yet.
- Enter the captcha code, confirm the terms and conditions and Submit the request
- The next page will confirm the request and show an estimated time of delivery. Keep in mind that the certificates are manually reviewed during Beijing-time business hours, so it might take a few hours until you get the certificate.
- Next you will receive an email with a link to a ZIP file containing your certificate. The correct order of the English certificates is like this:
your-domain.com.crt -> ca1_dv_free_2.crt -> ca1_xs_sc_2.crt
- Make sure to test your implementation on the awesome Qualys SSL Labs server test
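The key and certificate handling from the steps above as a small shell helper, added here as an example and not part of the original post: it creates the key and CSR, checks that the CSR matches the key and holds no private key before you paste it, and refuses to build the chain file unless the delivered certificate matches your key. The function names are hypothetical, and it assumes the `openssl` command-line tool is installed.

```shell
#!/bin/sh
# Added example; function names are hypothetical, file names follow the page.

# Create key and CSR without prompts. umask 077 keeps the key owner-only;
# only the .csr file is ever pasted into the order form.
make_csr() {
    ( umask 077
      openssl req -new -sha256 -newkey rsa:2048 -nodes -subj "/CN=$1" \
          -keyout "$1.key" -out "$1.csr" 2>/dev/null )
}

# SHA-256 of the PEM public key on stdin; prints nothing if openssl gave none,
# so a failed extraction can never compare equal to another failed one.
fp() {
    pem=$(cat)
    [ -n "$pem" ] && printf '%s\n' "$pem" | openssl dgst -sha256 -r | cut -d' ' -f1
}
key_fp()  { openssl pkey -in "$1" -pubout 2>/dev/null | fp; }
csr_fp()  { openssl req  -in "$1" -noout -pubkey 2>/dev/null | fp; }
cert_fp() { openssl x509 -in "$1" -noout -pubkey 2>/dev/null | fp; }
same_key() { [ -n "$1" ] && [ "$1" = "$2" ]; }

# Before pasting: csr_ok KEY CSR
# The CSR self-signature must verify, the file must not contain a private
# key block, and its public key must be the public half of KEY.
csr_ok() {
    openssl req -in "$2" -noout -verify 2>&1 | grep -q 'verify OK' || return 1
    grep -q 'PRIVATE KEY' "$2" && return 1
    same_key "$(key_fp "$1")" "$(csr_fp "$2")"
}

# After download: cert_ok KEY CERT (the certificate was issued for our key).
cert_ok() { same_key "$(key_fp "$1")" "$(cert_fp "$2")"; }

# build_chain KEY OUT LEAF INTERMEDIATE...
# Writes the chain in the order given on the page (leaf first), but only
# if the leaf certificate belongs to KEY.
build_chain() {
    key=$1 out=$2; shift 2
    cert_ok "$key" "$1" || { echo "leaf $1 does not match $key" >&2; return 1; }
    cat "$@" > "$out"
}
```

Typical use: `make_csr example.com && csr_ok example.com.key example.com.csr`, then after delivery `build_chain example.com.key chain.pem your-domain.com.crt ca1_dv_free_2.crt ca1_xs_sc_2.crt`.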
Further notes on WoSign:
- In the ordering process you can choose between “Chinese language certificate” or “English language certificate”. The Chinese one is signed by a certificate with the name CA 沃通免费SSL证书 G2 with the fingerprint 4f9aacdaf4deef282d6c5be28181abca2844664b (see for example romanrm.hk on SSLlabs) and the English one by the certificate WoSign CA Free SSL Certificate G2 with the fingerprint f4db6d0281f204d36e2d2fbfa72f7940ed9d1adc (see for example checkmyping.com on SSLlabs).
- Current inclusion status in major CA certificate stores:
- Included by default in NSS 3.16.3 or newer (Mozilla Firefox 32+).
- Included by default in Microsoft Windows since September 2014 on Windows Vista+ (should automatically update as mentioned here).
- Included by default in Android 5.0+ (no source, but on my Nexus tablet with Android 4.4.4 it is not yet included, while on my Nexus phone with Android 5.0 it is).
- It is not yet included in the Apple certificate store. This is not a big issue, however, since the WoSign root CA is cross-signed by the StartCom CA, which itself has been included almost everywhere for more than 5 years.
- Make sure to configure OCSP stapling on your webserver, since WoSign only operates OCSP responders in China. This results in bad latency for western visitors when the browser queries the OCSP responder before opening the connection. It might also result in a privacy issue, since WoSign a.k.a. “the Chinese” know who visits which website. With OCSP stapling you effectively mitigate both problems.
Discussions on HackerNews or Reddit
From https://www.ohling.org/blog/2015/02/wosign-free-2y-ssl-certificate.html