Free Chinese 2 year SSL certificate: DV KuaiSSL by WoSign.com

cidero Member
edited January 2015 in General

Hi,

this is already discussed in the thread "Who are the best free SSL providers?" but since the topic is misleading (many won't read it) and this is huge news in my opinion I'd like to point it out in this separate thread: The Chinese CA WoSign provides free domain validated SSL certificates. Unlike StartSSL these are valid for 2 years and it is possible to include up to 100 domains in one certificate (SAN). Some information in English is available here: https://www.wosign.com/english/DV_KuaiSSL.htm

As of today the order process is only available in Chinese. But using Google Chrome and the translate feature it should be quite easy:

  • first register your account at https://login.wosign.com/reg.html. Confirm your email address with the link in the email they send to you. Download the SSL client certificate (just like during the StartSSL registration) and import it into your browser.
  • visit https://buy.wosign.com/DVSSL.html and add the SSL certificate in your shopping cart. Click a few times on "next".
  • on the order list at https://buy.wosign.com/memberuser/OrderList.html click the play button and enter the domain name(s) you want the SSL cert for. Verify the domain(s) either via email or by putting an HTML file they provide on your server.
  • In the next step create a CSR on your server and paste the contents in the form on the website.
  • Next you will receive an email with a link to a ZIP file containing your certificate. The correct order of the certificates is like this:

your-domain.com.crt -> ca1_dv_free_2.crt -> ca1_xs_sc_new.crt

If you need more help check out my step-by-step tutorial with translated screenshots: https://www.checkmyping.com/

It is one of my spare domains and I'd like to use it as a "showcase" for the WoSign certs. To see an example of such a free SSL certificate visit that website or check it with SSLlabs.com: https://www.ssllabs.com/ssltest/analyze.html?d=checkmyping.com


Comments

  • You can display the crt on their website before you receive the email.

  • rm_ Member

    cidero said: Download the SSL client certificate (just like during the StartSSL registration) and import it into your browser.

    But unlike with StartSSL you don't need to bother with this b/s whatsoever, and just use login/password for authentication to your account.

  • rm_ said: But unlike with StartSSL you don't need to bother with this b/s whatsoever, and just use login/password for authentication to your account.

    Yep, just use the regular account login, not the BS cert login.


  • rm_ Member
    edited January 2015

    One more note (this is not fully confirmed yet): you need to pick "Certificate Language: Chinese", else you will get a yellow warning icon on the address bar lock in Chrome 39, due to their English certificate chain ("Root 1" from http://www.wosign.com/English/root.htm) having been only signed with SHA1 certs.

    See https://romanrm.hk/ for an example of installed English language cert. upd: Switched to a Chinese one.

    Thanked by 1Ndha
  • .ovh and .tf domains are rejected.

  • Nomad Member
    edited January 2015

    @rm_ said: One more note (this is not fully confirmed yet), you need to pick "Certificate Language: Chinese", else you will get a yellow warning icon on the address bar lock in Chrome 39, due to their English certificate chain ("Root 1" from http://www.wosign.com/English/root.htm) having been only signed with SHA1 certs.

    See https://romanrm.hk/ for an example of installed English language cert.

    Actually, if you edit the certificate file you get the green icon. The only problem with the English certificate is that since one of the intermediate certificates turned out to be SHA1, you can't get an A+ on SSL checks.

    Other than that, it works fine!

    Check my site: https://wks.golgeli.net/

    Here is what I used with my nginx to make it work just fine:

    http://pastebin.com/bSyb2Xi1

    You MUST ADD your domain's crt file on top of this configuration and create a bundle that way.

    I never turn down help on improving my Nginx Configuration Template ;)

  • Keith said: .ovh and .tf domains are rejected.

    I'm not surprised about .ovh (they probably haven't bothered to keep up with all the new TLDs), but it's weird that they don't support .tf.

  • Nomad Member
    edited January 2015

    Also, today I sent an email to them asking whether or not they'll update that certificate to SHA2. I just received an answer to that:

    Dear ,

    Our crossroot will update to sha2.

    Replacement time has not been determined.


  • rm_ Member
    edited January 2015

    Nomad said: Check my site: https://wks.golgeli.net/

    Does not work in Iceweasel (based on Firefox 24.8):

    What seems to be working with a higher degree of success for me, is to use a Chinese language cert (just got mine) and combine a bundle like this... see below for an update.

    The result is: https://aux.romanrm.hk/. Chrome 39 is happy (green icon), Iceweasel is happy, even Internet Explorer doesn't complain, but for some reason still getting the "Untrusted connection" error in Pale Moon 25 (Firefox-based) on Windows. update below.

  • Got another email from WoSign:

    Thanks for your attention.
    We are so glad that you chose our SSL, but for the moment our root certificate can not issue SSL certificates in SHA2. We are now trying to solve it; maybe in the coming months we can manage to do that. Anyway we are still hoping we can cooperate more and communicate immediately.

    Best Regards,

    @rm_ Check this: http://browsershots.org/https://aux.romanrm.hk/ Yours seem quite OK actually...

    Mine on the other hand even with your setup is the same. I think it might be related to the ssl ciphers and all. Maybe my problem is due to my nginx config :D


  • Detruire Member
    edited January 2015

    rm_ said: The result is: https://aux.romanrm.hk/. Chrome 39 is happy (green icon), Iceweasel is happy, even Internet Explorer doesn't complain, but for some reason still getting the "Untrusted connection" error in Pale Moon 25 (Firefox-based) on Windows.

    Chrome 42 isn't (no green icon.)

    EDIT: But it is for https://wks.golgeli.net

    EDIT2: Hard refresh and it's now showing green padlock, although Chrome does say that the connection is AES_256_CBC with SHA1 for message authentication and ECDHE_RSA for key exchange.

  • What am I doing wrong? After the last step of confirmation I keep on getting the following:

    提交请求中,包含非法数据

    Any clues?

    Can you see the hidden white space?

  • zxb Member

    A word of warning: don't put too much trust on Chinese CAs.

    Thanked by 1NeoGen
  • rm_ Member
    edited January 2015

    @Nomad Finally it works for me in all browsers I tried (Pale Moon too). The winning combination is:

    curl -s http://www.wosign.com/root/startcom.crt \
    http://www.wosign.com/root/ca2_xs_sc_new.crt \
    http://www.wosign.com/root/WS_CA2_NEW.CRT \
    http://www.wosign.com/root/ca2_dv_free_2.crt > wosign_ca2.pem

    zxb said: A word of warning: don't put too much trust on Chinese CAs.

    Your browser already "puts trust" in WoSign; or did you actually edit its certificate settings to not accept their root certs?

    As for the general practice, of course generate your own CSR and not let them have your private key. But even if they had it, the possibility of the Chinese of all people, doing something nefarious (and making any practical sense) with my SSL certs, is rather remote. In fact I would trust them more than NSA or Google, but again, there is no reason to "trust", you just use your own CSR and that's it.

  • rm_ Member
    edited January 2015

    Detruire said: Chrome 42 isn't (no green icon.)

    EDIT2: Hard refresh and it's now showing green padlock, although Chrome does say that the connection is AES_256_CBC with SHA1 for message authentication and ECDHE_RSA for key exchange.

    Now switched my main site to it, try https://romanrm.net/ removed for now.

    "SHA1 for message authentication" is actually okay with Chrome, it's SHA1 for certificates that they want to eliminate.

  • @rm_ Don't you use any ssl ciphers? I do and I think that's why mine is not supported on all browsers. Even when I use the same certificates due to our config some stuff are different...


  • rm_ Member

    Nomad said: Don't you use any ssl ciphers? I do and I think that's why mine is not supported on all browsers. Even when I use the same certificates due to our config some stuff are different...

    The problem with yours seems to be certificate related: "wks.golgeli.net uses an invalid security certificate. The certificate is not trusted because the issuer certificate is not trusted. (Error code: sec_error_untrusted_issuer)".

    My cipher list in Lighttpd is "ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES256-SHA:DHE-DSS-AES256-SHA:ECDH-RSA-AES256-SHA:ECDH-ECDSA-AES256-SHA:AES256-SHA", if that helps.

  • Detruire Member
    edited January 2015

    rm_ said: Now switched my main site to it, try https://romanrm.net/

    "SHA1 for message authentication" is actually okay with Chrome, it's SHA1 for certificates that they want to eliminate.

    Tried both sites on a different computer (also with the latest Chrome Canary), and neither shows the padlock. The "obsolete cryptography" error is the only obvious one.

  • Mahfuz_SS_EHL Member, Provider

    Everything is good, just the SHA1 Signature.

    AlphaSSL Revocation Issue is being investigated.

  • rm_ Member

    Detruire said: neither shows the padlock

    So it's just address bar without a padlock? Can you screen-shot how it looks?
    The initial problem was that Chrome was showing a padlock but with a yellow triangle ("warning") on top of it. Which is IMO much worse than none at all.

  • Anyone using IIS and get green on Chrome?

    I got both Chinese and English cert, but both show yellow triangle on Chrome 39.

  • rm_ said: So it's just address bar without a padlock? Can you screen-shot how it looks? The initial problem was that Chrome was showing a padlock but with a yellow triangle ("warning") on top of it. Which is IMO much worse than none at all.

    Yeah, no padlock.

    Thanked by 1rm_
  • I found out that it's behavior of Chrome on Android, even https://romanrm.net/ has yellow warning lock.

  • rm_ Member
    edited January 2015

    comXyz said: https://comxyz.com/gapps/faq/ ?

    Green lock icon on Chrome 39 for Windows.

    Thanked by 1comXyz
  • Detruire Member
    edited January 2015

    comXyz said: @Detruire can you test https://comxyz.com/gapps/faq/ ?

    That shows with a green padlock. EDIT: 42.0.2280.2 canary.

    Thanked by 1comXyz
  • Maybe some browsers are not yet aware of that Certificate Authority :-)

  • All yellow on Chrome (Android) :/


  • Reetus Member
    edited January 2015

    Edit, Android chrome suddenly hates it with ERR_CERT_AUTHORITY_INVALID

    I give up for now.

  • rm_ Member
    edited January 2015

    Reetus said: initially it wasn't but SSLLabs showed multiple trusted paths

    This is normal if you want it to open both in Chrome 39 with the green icon, and in old browsers such as Firefox 25 (at all).

    so I recombined with the right combo (it didn't have the StartSSL Root), but root is SHA1, intermediate isn't.

    Cross-signed cert ("WoSign CA" cert issued by StartCom) is SHA1. The trick with Chrome is that it doesn't need/use it. But for other browsers it's very much needed and must be present (hence your multiple trusted paths).

    From what I can tell it is impossible to get an A+ on SSL Labs with their certs. The best we can strive for, is just a site loading properly in all browsers, and no yellow warning in Chrome Desktop.

    @Reetus Can you post your actual URL, I tried https://rss.slackprojects.org/, but it's currently giving a wrong cert for the "jaws" hostname.

    P.S.: installed another copy of Chrome 39 on a different computer, and it's giving yellow warnings both on all my sites, and on @comXyz https://comxyz.com/. D'oh!! Looks like Chrome uses certificates from the OS, and on that PC the OS is Windows 7 without service packs. Maybe it's a bit too old.

    I think I will return to StartSSL certs for my main sites for now, and hope the WoSign CA in the coming 10 months to their expiration gets around to making proper SHA2 certs :)

  • Detruire Member
    edited January 2015

    rm_ said: P.S.: installed another copy of Chrome 39 on a different computer, and it's giving yellow warnings both on all my sites, and on @comXyz https://comxyz.com/. D'oh!!
    Looks like Chrome uses certificates from the OS, and on that PC (VM actually) the OS is Windows 7 without service packs. Maybe it's a bit too old. I think I will return to StartSSL certs for my main sites for now, and hope the WoSign CA in the coming 10 months to their expiration gets around to making proper SHA2 certs :)

    So it's giving the warnings because it's using the Startcom cert as the top of the chain, and the WoSign CA cert is using SHA1?

  • rm_ Member
    edited January 2015

    Detruire said: So it's giving the warnings because it's using the Startcom cert as the top of the chain, and the WoSign CA cert is using SHA1?

    Because it ends up using:

    StartCom -> StartCom/WoSign cross (SHA1) -> WoSign G2 (SHA2) -> You

    Chrome 39.0.2171.99 m, Windows 7 plain

    For no warnings, it must use directly:

    WoSign (SHA2) -> WoSign G2 (SHA2) -> You

    Chrome 39.0.2171.95 m, Windows 7 SP1

  • @rm_ how to use WoSign (SHA2) -> WoSign G2 (SHA2) directly?

  • rm_ Member
    edited January 2015

    @comXyz my server ships both chains, i.e. between these two screenshots there was no configuration change on the server. The current theory I have is that Chrome uses the trusted certificate store from the operating system it's running on. And that the Windows 7 without SP1 does not include the "WoSign (SHA2)" cert as trusted, so on that OS Chrome has to use the StartCom path.

    Thanked by 1comXyz
  • God dammit! Is it possible to re-issue in SHA2? chrome doesn't show the green stuff with SHA1.


  • @cosmicgate said: God dammit! Is it possible to re-issue in SHA2? chrome doesn't show the green stuff with SHA1.

    Buy it again and choose SHA2

  • aceance Member without signature

    I can't generate a certificate; it always shows the error "Please retry"....

  • Mine: Issued by common name WoSign CA Free SSL Certificate G2
    rm_: Issued by common name CA 沃通免费SSL证书 G2

    Which root CA do you use?

    I've tried the roots below; it's still showing WoSign CA Free SSL Certificate G2

    rm_ said: curl -s http://www.wosign.com/root/startcom.crt \ http://www.wosign.com/root/ca2_xs_sc_new.crt \ http://www.wosign.com/root/WS_CA2_NEW.CRT \ http://www.wosign.com/root/ca2_dv_free_2.crt > wosign_ca2.pem


  • rm_ Member
    edited January 2015

    If yours is issued by

    tommy said: WoSign CA Free SSL Certificate G2

    then you have selected an "English language" certificate. My instruction was for Chinese ones.

    Thanked by 1tommy
  • Looks like wosign has terrible browser support, even their own website returns an SSL error. I'll stick with rapidssl.

  • Question on certificates - Is it possible to have multiple certificates on the same domains from the same provider or different providers which will still be valid, ie recognized in the browsers?

  • Do you mean for different domains? Or for the same domain? Which I don't think will be possible.


  • @zxb said: A word of warning: don't put too much trust on Chinese CAs.

    I have no idea why you, who are either getting paid by the Chinese or making money out of Chinese people, keep putting comments like this about the Chinese government.

    Do you think NSA/US-based CAs are really more trustworthy than the Chinese ones? NSA is known to use one of the SSL exploits to peek into encrypted data for years


  • William Member, Provider

    > Question on certificates - Is it possible to have multiple certificates on the same domains from the same provider or different providers which will still be valid, ie recognized in the browsers?

    You can run the same domain on 2 IPs/Servers and use different certs, the enduser will then decide by Round Robin which server he connects to. Makes not much sense.

    With SNI you can run 2 different certs on the same IP (not sure with the same contained names but i see nothing against that in the specs), decision which cert will be used is random or first hit then. Makes not much sense either to do that.

    Thanked by 1rchurch
  • @William said: With SNI you can run 2 different certs on the same IP (not sure with the same contained names but i see nothing against that in the specs), decision which cert will be used is random or first hit then. Makes not much sense either to do that.

    What I mean to ask is whether certificates are recognized as valid so long as they are not expired or revoked, i.e. whether a browser or some other software will regard different certificates for the same domain as valid even if their lifetimes overlap. In other words, there is no such thing as a single authoritative certificate for a domain at any time, so that if people from different countries connect to different servers with different certificates, although they use the same domain, they will still be valid.

  • You can have as many certificates for a domain at the same time as you like. So if you intend getting another cert while an old one hasn't run out yet, that should be fine ;-)


  • Wow, there seem to be quite some confusion about getting the intermediate certificates right and the availability of SHA256. This is what I found out, please correct me if I am wrong:

    For the English certificate use this:

    your-domain.com.crt -> ca1_dv_free_2.crt -> ca1_xs_sc_new.crt

    For the Chinese certificate use this:

    your-domain.com.crt -> ca2_dv_free_2.crt -> ca2_xs_sc_new.crt

    • The order is important: the first certificate in the file is the one for your domain, then the intermediate, and last the cross-signed certificate by StartCom. It is bad to include any other certificates since they will NEVER be used and they just make the TLS handshake to your website slower! Please use SSLLabs.com to check for the correct certificate chain.
    • It looks like StartCom only cross-signed a SHA1 certificate for both the English AND the Chinese one. They did this in 2011 when nobody thought about SHA256, so now it is difficult to get those signed with SHA256. It means that it is not possible to get a complete SHA256 chain with the Chinese certificate either (on old browsers).

    • On these clients the short, direct WoSign trust chain with only SHA256 certificates will be used (resulting in a nice green padlock):

      • Mozilla Firefox 32 or newer on any OS (it uses its own NSS library)
      • Google Chrome on Linux when NSS was updated after July 2014 (3.16.3 or newer)
      • Internet Explorer, Google Chrome and Safari on Microsoft Windows Vista or newer which do not explicitly block the "Update Root Certificate feature" described here. They do not need to have automatic updates enabled, this is a separate update mechanism which is enabled by default!
      • Android 5.0 or newer (this is the ticket, on my Android 5.0 it is already included by default)
    • NOT using the short direct SHA256 WoSign chain but the larger one with the cross-signed SHA1 StartCom certificate:

      • Google Chrome and Safari on all Apple devices (MacOS and iOS) since Apple doesn't yet trust the WoSign root certificates.
      • All other clients listed on this StartCom list will still work but only with the SHA1 chain.

    Hope this clarifies most issues.

    If you want to do your own hunt for intermediate certificates you can use these websites where WoSign offers its root and intermediate certs:

    https://wosign.com/root/

    https://www.wosign.com/English/root.htm

    http://www.wosign.com/new/english/root.htm

    https://support.wosign.com/en/index.php?/News/NewsItem/View/2/wosign-root-certificates

    Thanked by 2rm_ NanoG6
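To check a bundle the way this post describes (your own cert first, then the intermediate, then the cross-signed cert, nothing else, and an eye on which links are still SHA1 signed), here is an added shell script. It is not from the thread, from WoSign, or from any poster's config; it assumes only the openssl command-line tool, and the file name chaincheck.sh and the "Test Root" / "Test Intermediate" names are my own. Point it at the concatenated file your nginx or lighttpd actually serves (for example the wosign_ca2.pem built with curl earlier in this thread, with your domain cert prepended) and it prints one line per certificate with its subject, issuer and signature digest, flags a self-signed root that the browser will never use, and exits non-zero if any issuer/subject link is out of order.

```shell
#!/bin/sh
# chaincheck.sh (added example, not from the thread or WoSign): inspect a PEM
# bundle in the order a web server sends it (your-domain.com.crt first, then
# each issuer), print the signature digest of every certificate, and fail when
# an issuer/subject link is out of order. Assumes only the openssl CLI (1.1/3.x).

# Number of certificates in bundle $1.
cert_count() {
    grep -c -- '-----BEGIN CERTIFICATE-----' "$1" || true
}

# Print the Nth certificate (1-based) of bundle $1 as PEM.
nth_cert() {
    awk -v want="$2" '/-----BEGIN CERTIFICATE-----/{n++} n==want{print}' "$1"
}

# Subject, issuer and signature algorithm of one PEM certificate read from stdin.
cert_subject() { openssl x509 -noout -subject -nameopt RFC2253 | sed 's/^subject= *//'; }
cert_issuer()  { openssl x509 -noout -issuer  -nameopt RFC2253 | sed 's/^issuer= *//'; }
cert_sigalg()  { openssl x509 -noout -text | awk '/Signature Algorithm:/{print $3; exit}'; }

# Digests that current browsers flag in certificate signatures (exit 0 = weak).
is_weak_sig() {
    case "$1" in
        sha1*|md5*|md2*) return 0 ;;
        *)               return 1 ;;
    esac
}

# Walk the bundle: certificate i+1 must be the issuer of certificate i.
# Prints one line per certificate; returns 1 if any link is broken.
check_chain_order() {
    bundle=$1
    n=$(cert_count "$bundle")
    [ "$n" -ge 1 ] || { echo "no certificates found in $bundle" >&2; return 1; }
    i=1; rc=0; prev_issuer=""
    while [ "$i" -le "$n" ]; do
        pem=$(nth_cert "$bundle" "$i")
        subj=$(printf '%s\n' "$pem" | cert_subject)
        iss=$(printf '%s\n' "$pem" | cert_issuer)
        alg=$(printf '%s\n' "$pem" | cert_sigalg)
        note=""
        is_weak_sig "$alg" && note=" [SHA1/MD5 signature: fine for old browsers, warning in new ones]"
        [ "$subj" = "$iss" ] && note="$note [self-signed root: browsers never use it from the bundle, drop it]"
        echo "$i: subject=$subj | issuer=$iss | sig=$alg$note"
        if [ "$i" -gt 1 ] && [ "$subj" != "$prev_issuer" ]; then
            echo "   chain break: certificate $((i-1)) was issued by '$prev_issuer', not by this one" >&2
            rc=1
        fi
        prev_issuer=$iss
        i=$((i+1))
    done
    return $rc
}

# Number of certificates in bundle $1 carrying a SHA1/MD5 signature.
count_weak_sigs() {
    bundle=$1; n=$(cert_count "$bundle"); i=1; w=0
    while [ "$i" -le "$n" ]; do
        alg=$(nth_cert "$bundle" "$i" | cert_sigalg)
        is_weak_sig "$alg" && w=$((w+1))
        i=$((i+1))
    done
    echo "$w"
}

# Usage: sh chaincheck.sh /etc/ssl/your-domain-bundle.pem
if [ "$#" -ge 1 ]; then
    check_chain_order "$1"
fi
```

A SHA1 line on the last certificate is the cross-signed StartCom/WoSign cert this post talks about; the script only reports it, because removing it breaks the old browsers that need that path. A "chain break" line, on the other hand, means the cat order is wrong and should be fixed before testing on SSL Labs.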
  • rm_ Member
    edited January 2015

    cidero said: It means that it is not possible to get a complete SHA256 chain with the Chinese certificate neither (on old browsers).

    Yeah but old browsers also won't care about it being SHA1 and will not show any warnings due to that.
    The main battle ground is getting SHA256 chain to work in new browsers. :)

  • Right, old browsers will continue to be happy with SHA1. On most current browsers the SHA256 chain already works great!

    Only Safari/Chrome users on Apple or IE/Chrome users on Windows who EXPLICITLY block their certificate updates still need the cross-signed SHA1 StartCom certificate. I am quite confident that Apple will include the WoSign root certificate in the future - before Chrome is showing nasty error messages.

  • Just noticed they issue certs manually, during working hours 9-5 China time.

