2016-05-10 - Installing a StartSSL identity certificate in Google Chrome

StartSSL provides free SSL/TLS certificates for web servers, and it also installs a Class 1 Client certificate into your browser to authenticate yourself to its own site.

This article is all about how to install the Class 1 Client certificate into Google Chrome, especially when Chrome does not accept the certificate automatically, as happened to me when an old certificate expired.

I'll be signing up under the dummy address website@nick-andrew.net to demonstrate the process.

Step 1, Sign Up

StartSSL signup box

At this point, Chrome is supposed to import your client certificate and you can be on your way. Certainly at this point if I was using Firefox, then Firefox has installed the certificate, and a box appears with a "Login Now" button. But it doesn't happen for me, on Chrome version 50.

So I'm going to set it up the hard way.

Step 2, Generate a private key

At a shell prompt, do this:

$ openssl req -newkey rsa:2048 -keyout website.key -out website.csr
Generating a 2048 bit RSA private key
writing new private key to 'website.key'
Enter PEM pass phrase:
Verifying - Enter PEM pass phrase:
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
Country Name (2 letter code) [AU]:
State or Province Name (full name) [Some-State]:
Locality Name (eg, city) []:
Organization Name (eg, company) [Internet Widgits Pty Ltd]:
Organizational Unit Name (eg, section) []:
Common Name (e.g. server FQDN or YOUR name) []:website@nick-andrew.net
Email Address []:

Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:
An optional company name []:
$ cat website.csr | xclip -in

Make sure you enter website@nick-andrew.net in the Common Name field.

$ unzip website%40nick-andrew.net.zip                              
Archive:  website%40nick-andrew.net.zip                                                             
  inflating: 1_Intermediate.crt      
  inflating: 2_website@nick-andrew.net.crt

To import a certificate, Chrome needs a file in PKCS12 format. The magic command to make that is:

$ openssl pkcs12 -export -inkey website.key -in 2_website@nick-andrew.net.crt -out certificate.pkcs12 -name "StartSSL cert for website@nick-andrew.net" -certfile 1_Intermediate.crt
Enter pass phrase for website.key:
Enter Export Password:
Verifying - Enter Export Password:

Finally, you can import the certificate.pkcs12 file into Google Chrome. Go to chrome://settings and click on "Show advanced settings". Then click on "Manage certificates..."

Chrome Certificate manager

In the "Your Certificates" tab, select "Import..."

Select "certificate.pkcs12" and enter the Export password you used.

Enter your export password

At this point, Google Chrome has successfully imported the certificate, and it can be used to authenticate to StartSSL the next time you visit the site.

Certificate manager after installation