Free Chinese 2 year SSL certificate: DV KuaiSSL by WoSign.com
Hi,
this is already discussed in the thread "Who are the best free SSL providers?" but since the topic is misleading (many won't read it) and this is huge news in my opinion I'd like to point it out in this separate thread: The Chinese CA WoSign provides free domain validated SSL certificates. Unlike StartSSL these are valid for 2 years and it is possible to include up to 100 domains in one certificate (SAN). Some information in English is available here: https://www.wosign.com/english/DV_KuaiSSL.htm
As of today the order process is only available in Chinese. But using Google Chrome and the translate feature it should be quite easy:
- first register your account at https://login.wosign.com/reg.html. Confirm your email address with the link in the email they send to you. Download the SSL client certificate (just like during the StartSSL registration) and import it into your browser.
- visit https://buy.wosign.com/DVSSL.html and add the SSL certificate in your shopping cart. Click a few times on "next".
- on the order list at https://buy.wosign.com/memberuser/OrderList.html click the play button and enter the domain name(s) you want the SSL cert for. Verify the domain(s) either via email or by putting a HTML file they provide on your server.
- In the next step create a CSR on your server and paste the contents in the form on the website.
- Next you will receive an email with a link to a ZIP file containing your certificate. The correct order of the certificates is like this:
your-domain.com.crt -> ca1_dv_free_2.crt -> ca1_xs_sc_new.crt
If you need more help check out my step-by-step tutorial with translated screenshots: https://www.checkmyping.com/
It is one of my spare domains and I'd like to use it as a "showcase" for the WoSign certs. To see an example of such a free SSL certificate visit that website or check it with SSLlabs.com: https://www.ssllabs.com/ssltest/analyze.html?d=checkmyping.com


Comments
You can display the crt on their website before you receive the email.
But unlike with StartSSL you don't need to bother with this b/s whatsoever, and just use login/password for authentication to your account.
Yep, just use the regular account login, not the BS cert login.
Combating spammers/trolls/crawlers/fraudsters? Try free Proxy / VPN / Bad IP Detection || You can find my other useful scripts on GitHub or contact me on Twitter
One more note (this is not fully confirmed yet), you need to pick "Certificate Language: Chinese", else you will get a yellow warning icon on the address bar lock in Chrome 39, due to their English certificate chain ("Root 1" from http://www.wosign.com/English/root.htm) having been only signed with SHA1 certs.
See https://romanrm.hk/ for an example of an installed English language cert.
upd: Switched to a Chinese one. .ovh and .tf domains are rejected.
Actually, if you edit the certificate file you get the green icon. The only problem with the English certificate is that since one of the intermediate certificates turned out to be SHA1, you can't get an A+ on SSL checks.
Other than that, it works fine!
Here is what I used with my nginx to make it work just fine:
You MUST ADD your domain's crt file on top of this configuration and create a bundle that way.
I never turn down help on improving my Nginx Configuration Template ;)
NameSilo.com coupons: CheapDoms or Discounted
I'm not surprised about .ovh (they probably haven't bothered to keep up with all the new TLDs), but it's weird that they don't support .tf.
Also,
today I sent an email to them asking whether or not they'll update that certificate to SHA2, I just received an answer to that:
Does not work in Iceweasel (based on Firefox 24.8):
What seems to be working with a higher degree of success for me is to use a Chinese language cert (just got mine) and combine a bundle like this... see below for an update.
The result is: https://aux.romanrm.hk/. Chrome 39 is happy (green icon), Iceweasel is happy, even Internet Explorer doesn't complain, but for some reason I'm still getting the "Untrusted connection" error in Pale Moon 25 (Firefox-based) on Windows. Update below.
Got another email from WoSign:
@rm_ Check this: http://browsershots.org/https://aux.romanrm.hk/ Yours seems quite OK actually...
Mine on the other hand even with your setup is the same. I think it might be related to the ssl ciphers and all. Maybe my problem is due to my nginx config :D
Chrome 42 isn't (no green icon.)
EDIT: But it is for https://wks.golgeli.net
EDIT2: Hard refresh and it's now showing a green padlock, although Chrome does say that the connection is AES_256_CBC with SHA1 for message authentication and ECDHE_RSA for key exchange.
What am I doing wrong? After the last step of confirmation I keep on getting the following:
提交请求中,包含非法数据
Any clues?
Can you see the hidden white space?
A word of warning: don't put too much trust on Chinese CAs.
@Nomad Finally it works for me in all browsers I tried (Pale Moon too). The winning combination is:
Your browser already "puts trust" in WoSign; or did you actually edit its certificate settings to not accept their root certs?
As for the general practice, of course generate your own CSR and not let them have your private key. But even if they had it, the possibility of the Chinese of all people, doing something nefarious (and making any practical sense) with my SSL certs, is rather remote. In fact I would trust them more than NSA or Google, but again, there is no reason to "trust", you just use your own CSR and that's it.
Now switched my main site to it, try https://romanrm.net/ (removed for now).
"SHA1 for message authentication" is actually okay with Chrome; it's SHA1 for certificates that they want to eliminate.
@rm_ Don't you use any ssl ciphers? I do and I think that's why mine is not supported on all browsers. Even when I use the same certificates, due to our config some stuff is different...
The problem with yours seems to be certificate related: "wks.golgeli.net uses an invalid security certificate. The certificate is not trusted because the issuer certificate is not trusted. (Error code: sec_error_untrusted_issuer)".
My cipher list in Lighttpd is "ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES256-SHA:DHE-DSS-AES256-SHA:ECDH-RSA-AES256-SHA:ECDH-ECDSA-AES256-SHA:AES256-SHA", if that helps.
Tried both sites on a different computer (also with the latest Chrome Canary), and neither shows the padlock. The "obsolete cryptography" error is the only obvious one.
Everything is good, just the SHA1 Signature.
AlphaSSL Revocation Issue is being investigated.
So it's just an address bar without a padlock? Can you screenshot how it looks?
The initial problem was that Chrome was showing a padlock but with a yellow triangle ("warning") on top of it. Which is IMO much worse than none at all.
Anyone using IIS and get green on Chrome?
I got both Chinese and English cert, but both show yellow triangle on Chrome 39.
Yeah, no padlock.
I found out that it's behavior of Chrome on Android, even https://romanrm.net/ has yellow warning lock.
@Detruire can you test https://comxyz.com/gapps/faq/ ?
Green lock icon on Chrome 39 for Windows.
That shows with a green padlock. EDIT: 42.0.2280.2 canary.
Maybe some browsers are not yet aware of that Certificate Authority :-)
DigitalFyre
All yellow on Chrome (Android) :/
"LET: where you can go from hero to zero in the space of a single thread." - Nekki
Edit, Android chrome suddenly hates it with ERR_CERT_AUTHORITY_INVALID
I give up for now.
This is normal if you want it to open both in Chrome 39 with the green icon, and in old browsers such as Firefox 25 (at all).
Cross-signed cert ("WoSign CA" cert issued by StartCom) is SHA1. The trick with Chrome is that it doesn't need/use it. But for other browsers it's very much needed and must be present (hence your multiple trusted paths).
From what I can tell it is impossible to get an A+ on SSL Labs with their certs. The best we can strive for, is just a site loading properly in all browsers, and no yellow warning in Chrome Desktop.
@Reetus Can you post your actual URL, I tried https://rss.slackprojects.org/, but it's currently giving a wrong cert for the "jaws" hostname.
P.S.: installed another copy of Chrome 39 on a different computer, and it's giving yellow warnings both on all my sites, and on @comXyz https://comxyz.com/. D'oh!! Looks like Chrome uses certificates from the OS, and on that PC the OS is Windows 7 without service packs. Maybe it's a bit too old.
I think I will return to StartSSL certs for my main sites for now, and hope the WoSign CA in the coming 10 months to their expiration gets around to making proper SHA2 certs :)
So it's giving the warnings because it's using the Startcom cert as the top of the chain, and the WoSign CA cert is using SHA1?
Because it ends up using:
StartCom -> StartCom/WoSign cross (SHA1) -> WoSign G2 (SHA2) -> You

Chrome 39.0.2171.99 m, Windows 7 plain
For no warnings, it must use directly:
WoSign (SHA2) -> WoSign G2 (SHA2) -> You

Chrome 39.0.2171.95 m, Windows 7 SP1
@rm_ how to use WoSign (SHA2) -> WoSign G2 (SHA2) directly?
@comXyz my server ships both chains, i.e. between these two screenshots there was no configuration change on the server. The current theory I have is that Chrome uses the trusted certificate store from the operating system it's running on. And that the Windows 7 without SP1 does not include the "WoSign (SHA2)" cert as trusted, so on that OS Chrome has to use the StartCom path.
God dammit! Is it possible to re-issue in SHA2? chrome doesn't show the green stuff with SHA1.
vpsdash.com - Tips and tricks in life, information and technology news to get things done
Buy it again and choose SHA2
I'm not able to generate a certificate, it always shows the error "Please retry"....
Mine: Issued by common name WoSign CA Free SSL Certificate G2
rm_: Issued by common name CA 沃通免费SSL证书 G2
which root ca do you use?
I've tried the root below, still showing WoSign CA Free SSL Certificate G2
Let's bet which dot-name will collapse first ;)
If yours is issued by
then you have selected an "English language" certificate. My instruction was for Chinese ones.
Looks like wosign has terrible browser support, even their own website returns a SSL error. I'll stick with rapidssl.
Question on certificates - Is it possible to have multiple certificates on the same domains from the same provider or different providers which will still be valid, ie recognized in the browsers?
Prometeus - Rock Solid KVM | Xen | OpenVZ Digital Ocean
Do you mean for different domains? Or for the same domain? Which I don't think will be possible.
I have no idea why: either you are getting paid by the Chinese or making money out of Chinese people, and yet you keep putting comments like this about the Chinese government.
Do you think NSA/US-based CAs are really more trustworthy than the Chinese ones? The NSA is known to have used one of the SSL exploits to peek into encrypted data for years.
http://BornIn.Asia - FREE shared hosting and subdomain service for LET members! Click here to see how to get one yourself! 96Forum: Low End VPS Discussions. Selling domains with GApp with various user counts (10 year reg incl. for some)
> Question on certificates - Is it possible to have multiple certificates on the same domains from the same provider or different providers which will still be valid, ie recognized in the browsers?
You can run the same domain on 2 IPs/servers and use different certs; the end user will then decide by round robin which server he connects to. Doesn't make much sense.
With SNI you can run 2 different certs on the same IP (not sure with the same contained names, but I see nothing against that in the specs); the decision which cert will be used is random or first hit then. Doesn't make much sense either to do that.
AS203661 - IP6.IM - MTR.SH - WILLIAM.CO.IL
What I mean to ask is whether certificates are recognized as valid so long as they are not expired or revoked, ie whether a browser or some other software will regard different certificates for the same domain as valid even if their lifetimes overlap. In other words, there is no such thing as a single authoritative certificate for a domain at any time, so that if people from different countries connect to different servers with different certificates, although they use the same domain, they will still be valid.
You can have as many certificates for a domain at the same time as you like. So if you intend to get another cert while an old one hasn't run out yet, that should be fine ;-)
Netcup DE KVM specials: 1vC 1GB 18,88€ or 4vC 4GB 42,88€ yearly with 5€ off 1st order: 36nc14981289910 / 36nc14926228208 UltraVPS.eu KVM in US/NL/DE, 15% off 6months: 1GB & HDD from 2,55€ or 2GB & SSD from 3,83€
Wow, there seems to be quite some confusion about getting the intermediate certificates right and the availability of SHA256. This is what I found out, please correct me if I am wrong:
For the English certificate use this:
your-domain.com.crt -> ca1_dv_free_2.crt -> ca1_xs_sc_new.crt
For the Chinese certificate use this:
your-domain.com.crt -> ca2_dv_free_2.crt -> ca2_xs_sc_new.crt
It looks like StartCom only cross-signed a SHA1 certificate for both the English AND the Chinese one. They did this in 2011 when nobody thought about SHA256, so now it is difficult to get those signed with SHA256. It means that it is not possible to get a complete SHA256 chain with the Chinese certificate either (on old browsers).
On these clients the short, direct WoSign trust chain with only SHA256 certificates will be used (resulting in a nice green padlock):
NOT using the short direct SHA256 WoSign chain but the larger one with the cross-signed SHA1 StartCom certificate:
Hope this clarifies most issues.
If you want to do your own hunt for intermediate certificates you can use these websites where WoSign offers its root and intermediate certs:
https://wosign.com/root/
https://www.wosign.com/English/root.htm
http://www.wosign.com/new/english/root.htm
https://support.wosign.com/en/index.php?/News/NewsItem/View/2/wosign-root-certificates
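As an added illustration (not code from the thread or from WoSign), here is a small stdlib-only Python audit that walks a PEM bundle in the leaf-first order given above and reports which certificate in the chain was signed with SHA-1, the condition behind the yellow warning discussed in this thread. The sample bundle is built from constructed DER skeletons, not real WoSign or StartCom certificates; the OID names are the standard sha1WithRSAEncryption / sha256WithRSAEncryption identifiers.

```python
import base64
import re

OID_NAMES = {"1.2.840.113549.1.1.5": "sha1WithRSAEncryption",
             "1.2.840.113549.1.1.11": "sha256WithRSAEncryption"}

def _tlv(buf, pos):
    """Read one DER tag/length/value at pos; return (tag, value, position after it)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                                   # long-form length
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length

def _decode_oid(raw):
    parts, val = [str(raw[0] // 40), str(raw[0] % 40)], 0
    for b in raw[1:]:                                   # base-128 sub-identifiers
        val = (val << 7) | (b & 0x7F)
        if not b & 0x80:
            parts.append(str(val))
            val = 0
    return ".".join(parts)

def signature_algorithm(der):
    """Name of the outer signatureAlgorithm: the hash the ISSUER used to sign this cert."""
    _, cert, _ = _tlv(der, 0)                           # Certificate ::= SEQUENCE
    _, _, after_tbs = _tlv(cert, 0)                     # skip tbsCertificate
    _, algid, _ = _tlv(cert, after_tbs)                 # AlgorithmIdentifier ::= SEQUENCE
    _, oid, _ = _tlv(algid, 0)                          # OBJECT IDENTIFIER
    return OID_NAMES.get(_decode_oid(oid), _decode_oid(oid))

def audit_bundle(pem_text):
    """[(index, algorithm, signed_with_sha1)] per cert, in bundle order (leaf first)."""
    blocks = re.findall(r"-----BEGIN CERTIFICATE-----(.*?)-----END CERTIFICATE-----", pem_text, re.S)
    algs = [signature_algorithm(base64.b64decode("".join(b.split()))) for b in blocks]
    return [(i, a, a.startswith("sha1")) for i, a in enumerate(algs)]

# Constructed sample bundle (minimal DER skeletons, NOT real WoSign/StartCom certs),
# shaped like leaf -> intermediate -> cross-signed intermediate from the thread.
def _der(tag, body):
    return bytes([tag, len(body)]) + body               # short-form length (bodies < 128 bytes)

def _fake_cert(alg_oid_hex):
    tbs = _der(0x30, b"\x02\x01\x01")                   # placeholder tbsCertificate
    algid = _der(0x30, _der(0x06, bytes.fromhex(alg_oid_hex)) + b"\x05\x00")
    sig = _der(0x03, b"\x00" + b"\xab" * 4)             # placeholder BIT STRING
    b64 = base64.b64encode(_der(0x30, tbs + algid + sig)).decode()
    return f"-----BEGIN CERTIFICATE-----\n{b64}\n-----END CERTIFICATE-----\n"

SHA256_RSA, SHA1_RSA = "2a864886f70d01010b", "2a864886f70d010105"
SAMPLE_BUNDLE = _fake_cert(SHA256_RSA) + _fake_cert(SHA256_RSA) + _fake_cert(SHA1_RSA)
```

Running `audit_bundle` on a real bundle file read from disk lists every cert's signing hash, so a SHA-1 cross-signed intermediate like the StartCom one shows up as the entry flagged True.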
Yeah but old browsers also won't care about it being SHA1 and will not show any warnings due to that.
The main battle ground is getting SHA256 chain to work in new browsers. :)
Right, old browsers will continue to be happy with SHA1. On most current browsers the SHA256 chain already works great!
Only Safari/Chrome users on Apple or IE/Chrome users on Windows who EXPLICITLY block their certificate updates still need the cross-signed SHA1 StartCom certificate. I am quite confident that Apple will include the WoSign root certificate in the future - before Chrome is showing nasty error messages.
Just noticed they issue certs manually, during working hours 9-5 China time.