{"id":1557,"date":"2015-03-01T11:05:48","date_gmt":"2015-03-01T03:05:48","guid":{"rendered":"http:\/\/wx.wosign.com\/?p=1557"},"modified":"2015-03-01T11:06:35","modified_gmt":"2015-03-01T03:06:35","slug":"%e5%be%b7%e5%9b%bd%e7%bd%91%e5%8f%8b%e5%80%be%e5%bf%83%e6%8e%a8%e8%8d%90-wosign-free-2y-multi-domain-ssl-certificate-sanucc","status":"publish","type":"post","link":"https:\/\/wx.wosign.com\/?p=1557","title":{"rendered":"A German blogger wholeheartedly recommends WoSign: Free 2y multi-domain SSL certificate (SAN\/UCC)"},"content":{"rendered":"<h1 class=\"post-title\"><a href=\"https:\/\/www.ohling.org\/blog\/2015\/02\/wosign-free-2y-ssl-certificate.html\">WoSign: Free 2y multi-domain SSL certificate (SAN\/UCC)<\/a><\/h1>\n<p><span class=\"post-date\">2015-02-01 <strong>Update 2015-02-12: New SHA-2 intermediate cert and application form in English<\/strong><\/span> Chinese CA WoSign issues free multi-domain SSL certificates valid for 2 years.<\/p>\n<h2>Free SSL certificates? &#8211; That&#8217;s old news&#8230;<\/h2>\n<p>For many years we have had the great free <a href=\"https:\/\/www.startssl.com\/?app=39\">StartSSL<\/a> certificates. 
They are valid for one year and include both the domain and the <strong>www<\/strong> subdomain.<br \/>\nSince October 2014 another free option for enabling HTTPS on your website is <a href=\"https:\/\/blog.cloudflare.com\/introducing-universal-ssl\/\">CloudFlare<\/a>, where you don&#8217;t hold the key yourself but let their free CDN terminate the SSL connections in front of your site.<br \/>\nStarting in mid-2015 we will have <a href=\"https:\/\/www.letsencrypt.org\/\">Let&#8217;s Encrypt<\/a>, a free certificate authority that issues certificates automatically via a client script on the webserver.<br \/>\nThere is <a href=\"https:\/\/www.cacert.org\/\">CAcert<\/a> as well, but since they never passed an audit and their root is not included in any important certificate store by default, they are unfortunately not an option.<\/p>\n<h2>New player: Chinese WoSign<\/h2>\n<p>So now there is another option: the Chinese CA WoSign offers free SSL certificates which are valid for 2 years and may contain up to 100 domains each (multi-domain\/SAN\/UCC). That is very useful for hosting several domains on one single IP address, and a better option than <a href=\"https:\/\/en.wikipedia.org\/wiki\/Server_Name_Indication\">SNI<\/a> if you still have Windows XP clients (Internet Explorer on XP does not send SNI). Before you stop reading because you don&#8217;t trust a Chinese company with your website&#8217;s encryption, keep in mind what you do and do not have to trust them with. You generate the private key on your own server and send them only the CSR (certificate signing request), which contains the public key and the names to be certified and nothing secret, so WoSign never sees your private key. What you do rely on is that they issue and revoke certificates for your names correctly; that is a trust you already extend to every CA in your visitors&#8217; trust stores, whether you are their customer or not.<\/p>\n<h2>How to get the certificate<\/h2>\n<p>As of February 10, the order process is finally available in English as well, so no quirky Chinese-to-English translation is necessary anymore.<\/p>\n<ul>\n<li>Visit <a href=\"https:\/\/buy.wosign.com\/free\/\">https:\/\/buy.wosign.com\/free\/<\/a><\/li>\n<li>Enter the domain(s) that should be included in the SSL certificate in the first textbox, one per line. 
If you just enter &#8220;example.com&#8221;, you will get the subdomain &#8220;www.example.com&#8221; automatically.<\/li>\n<li>Leaving the defaults is generally recommended: 2-year period, English-language certificate and SHA-2 signature algorithm<\/li>\n<li>Verify the domain(s) either via an email sent to a designated address at the domain or via a verification file you have to upload to http:\/\/example.com\/example.com.html<\/li>\n<li>Log in to your webserver via SSH and generate a new private key and a Certificate Signing Request (CSR), for example with this command:<br \/>\n<code>openssl req -out example.com.csr -new -sha256 -newkey rsa:2048 -nodes -keyout example.com.key<\/code><br \/>\nThe <code>-nodes<\/code> option writes the key to disk unencrypted, so make sure example.com.key is readable only by root (or the user the webserver runs as) and never leaves the server.<\/li>\n<li>Select &#8220;Option 2: Generate by myself&#8221; to paste the CSR you just generated. Never use the first option: it has WoSign generate the key pair for you, which means you are not the sole holder of your private key<\/li>\n<li>Enter your email address and select a new password if you don&#8217;t have a WoSign account yet.<\/li>\n<li>Enter the captcha code, confirm the terms and conditions and submit the request<\/li>\n<li>The next page will confirm the request and show an estimated time of delivery. Keep in mind that the certificates are manually reviewed during Beijing-time business hours, so it might take a few hours until you get the certificate<\/li>\n<li>Next you will receive an email with a link to a ZIP file containing your certificate. 
The correct order of the chain for the English certificates is leaf first, then each issuer:<br \/>\n<code>your-domain.com.crt -&gt; <a href=\"https:\/\/www.wosign.com\/root\/ca1_dv_free_2.crt\">ca1_dv_free_2.crt<\/a> -&gt; <a href=\"https:\/\/www.wosign.com\/root\/ca1_xs_sc_2.crt\">ca1_xs_sc_2.crt<\/a><\/code><\/li>\n<li>Make sure to test your configuration on the awesome <a href=\"https:\/\/www.ssllabs.com\/ssltest\/\">Qualys SSL Labs server test<\/a>, which also flags an incomplete or wrongly ordered chain and reports whether OCSP stapling works<\/li>\n<\/ul>\n<h2>Further notes on WoSign:<\/h2>\n<ul>\n<li>In the ordering process you can choose between &#8220;Chinese language certificate&#8221; and &#8220;English language certificate&#8221;. The Chinese one is signed by an intermediate certificate named <strong>CA \u6c83\u901a\u514d\u8d39SSL\u8bc1\u4e66 G2<\/strong> (WoSign Free SSL Certificate G2, in Chinese) with the SHA-1 fingerprint 4f9aacdaf4deef282d6c5be28181abca2844664b (see for example <a href=\"https:\/\/romanrm.hk\/\">romanrm.hk<\/a>, <a href=\"https:\/\/www.ssllabs.com\/ssltest\/analyze.html?d=romanrm.hk\">report on SSL Labs<\/a>), and the English one by the intermediate <strong>WoSign CA Free SSL Certificate G2<\/strong> with the SHA-1 fingerprint f4db6d0281f204d36e2d2fbfa72f7940ed9d1adc (see for example <a href=\"https:\/\/www.checkmyping.com\/\">checkmyping.com<\/a>, <a href=\"https:\/\/www.ssllabs.com\/ssltest\/analyze.html?d=checkmyping.com\">report on SSL Labs<\/a>).<\/li>\n<li>Current inclusion status of the WoSign root in major certificate stores:\n<ul>\n<li>Included by default in <a href=\"https:\/\/bugzilla.mozilla.org\/show_bug.cgi?id=1017295\">NSS 3.16.3 or newer<\/a> (Mozilla Firefox 32+).<\/li>\n<li>Included by default in Microsoft Windows <a href=\"http:\/\/download.microsoft.com\/download\/1\/5\/7\/157B29AB-F890-464A-995A-C87945B28E5A\/Windows%20Root%20Certificate%20Program%20Members%20-%20Sept%202014.pdf\">since September 2014<\/a> on Windows Vista+ (should update automatically as described <a href=\"https:\/\/technet.microsoft.com\/en-us\/library\/cc751157.aspx#EJAA\">here<\/a>).<\/li>\n<li>Included by default in Android 5.0+ (no source, but on my Nexus 
tablet with Android 4.4.4 it is not yet included, but on my Nexus phone with Android 5.0 it is)<\/li>\n<li>It is <strong>not yet included in the Apple certificate store<\/strong>. This is not a big issue, however, since the WoSign root CA is <a href=\"https:\/\/www.startssl.com\/startcom-wosign-root-key-generation-ceremony.pdf\">cross-signed by the StartCom CA<\/a>, which itself has been included <a href=\"https:\/\/forum.startcom.org\/viewtopic.php?f=15&amp;t=1802\">almost everywhere for more than five years<\/a>. The cross-signature only helps if the client actually receives it, so serve the complete chain listed above rather than just your own certificate.<\/li>\n<\/ul>\n<\/li>\n<li><strong>Make sure to configure OCSP stapling<\/strong> on your webserver. WoSign only operates OCSP responders in China, which means bad latency for Western visitors whose browsers query the responder during the handshake, before the page loads. It is also a privacy issue, since the responder learns which client addresses are visiting which websites. With OCSP stapling your server fetches the signed OCSP response itself and sends it inside the TLS handshake, so the visitor&#8217;s browser never has to contact WoSign; this mitigates both problems.<\/li>\n<\/ul>\n<p>Discussions on <a href=\"https:\/\/news.ycombinator.com\/item?id=8982013\">HackerNews<\/a> or <a href=\"https:\/\/www.reddit.com\/r\/netsec\/comments\/2ugdbt\/free_2year_multidomain_ssl_certificate_sanucc_by\/\">Reddit<\/a><\/p>\n<p>From <a href=\"https:\/\/www.ohling.org\/blog\/2015\/02\/wosign-free-2y-ssl-certificate.html\">https:\/\/www.ohling.org\/blog\/2015\/02\/wosign-free-2y-ssl-certificate.html<\/a><\/p>\n","protected":false},"excerpt":{"rendered":"<p>WoSign: Free 2y multi-domain SSL certificate (SAN\/UCC)  &#8230; <a title=\"A German blogger wholeheartedly recommends WoSign: Free 2y multi-domain SSL certificate (SAN\/UCC)\" class=\"read-more\" href=\"https:\/\/wx.wosign.com\/?p=1557\" aria-label=\"More on A German blogger wholeheartedly recommends WoSign: Free 2y multi-domain SSL certificate (SAN\/UCC)\">Read
more<\/a><\/p>\n","protected":false},"author":2,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":[],"categories":[],"tags":[],"_links":{"self":[{"href":"https:\/\/wx.wosign.com\/index.php?rest_route=\/wp\/v2\/posts\/1557"}],"collection":[{"href":"https:\/\/wx.wosign.com\/index.php?rest_route=\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/wx.wosign.com\/index.php?rest_route=\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/wx.wosign.com\/index.php?rest_route=\/wp\/v2\/users\/2"}],"replies":[{"embeddable":true,"href":"https:\/\/wx.wosign.com\/index.php?rest_route=%2Fwp%2Fv2%2Fcomments&post=1557"}],"version-history":[{"count":2,"href":"https:\/\/wx.wosign.com\/index.php?rest_route=\/wp\/v2\/posts\/1557\/revisions"}],"predecessor-version":[{"id":1559,"href":"https:\/\/wx.wosign.com\/index.php?rest_route=\/wp\/v2\/posts\/1557\/revisions\/1559"}],"wp:attachment":[{"href":"https:\/\/wx.wosign.com\/index.php?rest_route=%2Fwp%2Fv2%2Fmedia&parent=1557"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/wx.wosign.com\/index.php?rest_route=%2Fwp%2Fv2%2Fcategories&post=1557"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/wx.wosign.com\/index.php?rest_route=%2Fwp%2Fv2%2Ftags&post=1557"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}
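The server-side part of the ordering procedure described in the post (generate the key and CSR locally, check the CSR before pasting it into the form, assemble the issued chain leaf-first), as an added shell example that is not code from the original post or from WoSign. It goes one step beyond the post's single openssl command: the hostnames are written into the CSR as subjectAltName entries through an OpenSSL config file, so the names you enter in WoSign's order form and the names in your CSR can be compared before submitting. That SAN-in-CSR step is this example's choice, not something the post describes. The hostnames (example.com and friends) and output file names are placeholders; the chain file names in the demo comment are the ones the post lists.

```shell
#!/bin/sh
# Added example (not from the original post or from WoSign): the local side of
# the ordering procedure.  The private key is generated here and only the CSR
# is handed to the CA; every hostname goes into subjectAltName; the issued
# chain is assembled leaf-first.  Hostnames and file names are placeholders.

# Write an OpenSSL request config that lists every hostname as a SAN entry.
# The CN alone is not enough for a multi-domain certificate.
# usage: write_req_config OUTFILE host1 [host2 ...]
write_req_config() {
    out=$1; shift
    {
        printf '[req]\ndistinguished_name = dn\nreq_extensions = v3_req\nprompt = no\n\n'
        printf '[dn]\nCN = %s\n\n' "$1"
        printf '[v3_req]\nsubjectAltName = @alt_names\n\n[alt_names]\n'
        n=1
        for host in "$@"; do
            printf 'DNS.%s = %s\n' "$n" "$host"
            n=$((n + 1))
        done
    } > "$out"
}

# Generate a fresh 2048-bit RSA key and a SHA-256 signed CSR from that config.
# -nodes writes the key unencrypted, so the subshell sets umask 077 first and
# the key file comes out mode 0600.  Only NAME.csr is pasted into the order form.
# usage: make_csr NAME CONFIG   -> NAME.key, NAME.csr
make_csr() {
    name=$1; cfg=$2
    ( umask 077
      openssl req -new -sha256 -newkey rsa:2048 -nodes \
          -config "$cfg" -keyout "$name.key" -out "$name.csr" 2>/dev/null )
}

# Print the DNS names inside a CSR, one per line, so they can be compared with
# the names entered in the order form before submitting.
# usage: csr_sans FILE.csr
csr_sans() {
    openssl req -in "$1" -noout -text \
        | grep -o 'DNS:[^,[:space:]]*' | sed 's/^DNS://'
}

# Concatenate the issued certificate and the intermediates in the order the
# post gives: leaf first, then its issuer, then that issuer's cross-sign.
# usage: build_chain OUT leaf.crt issuer.crt [issuer2.crt ...]
build_chain() {
    out=$1; shift
    cat "$@" > "$out"
}

# Demo run: `sh csr.sh demo` (does nothing when run without the "demo" argument).
if [ "${1:-}" = "demo" ]; then
    write_req_config example.com.cnf example.com www.example.com mail.example.com
    make_csr example.com example.com.cnf
    echo "SANs in CSR:"; csr_sans example.com.csr
    # Once WoSign's ZIP has arrived, assemble the served chain (file names from the post):
    # build_chain example.com.chain.pem example.com.crt ca1_dv_free_2.crt ca1_xs_sc_2.crt
fi
```

Run it with `sh csr.sh demo` on the webserver, compare the printed SANs with what you typed into the order form, and point the webserver's certificate directive at the chain file that `build_chain` produces; the key file stays where it was written and is never uploaded anywhere.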