Introduction

For many years StartSSL has offered class 1 domain validated SSL certificates for free; see the tutorials on konklone.com or digitalocean.com. The free certificates from StartSSL are valid for one year, they may only contain one domain, and revoking a certificate costs $25 (which was heavily criticised during the Heartbleed bug, when many people had to revoke and reissue).

For a few months now there has been another way of getting an SSL certificate for free: a free CloudFlare CDN account (details).

Starting in about mid 2015 there will be another option for free SSL certificates, with automated verification, renewal and installation, called Let's Encrypt.

But for now there is another option for obtaining a free SSL certificate: the Chinese SSL provider WoSign offers free domain validated certificates. In comparison to StartSSL the certificate is valid for 2 years, it may contain up to 100 domains and revocation is free. Currently the website is only available in Chinese (they plan to launch an English website in Q2/2015). With the Google Chrome web browser it is possible to use the built-in "translate" option to easily understand the form fields. The WoSign root CA certificate has been included in Mozilla Firefox since version 32 (NSS 3.16.3) and in Microsoft Windows since September 2014, but not yet in Apple OS X (they have applied for inclusion in the Apple root certificate store, and since Mozilla and Microsoft already included them the chances are high that Apple will follow). In order to still work on older clients the WoSign root CA is cross-signed by the StartCom CA, which makes it trusted in almost all browsers of the last >10 years.

I think it is important to state that you DO NOT have to trust this Chinese company with your SSL keys. They never see your private key: you only supply a CSR, which contains nothing but your PUBLIC key and the requested names, so they cannot decrypt your traffic. What you do rely on, as with any CA in your clients' trust stores, is that they validate domain ownership properly and do not issue a certificate for your domain to someone else.

Create user account

Visit https://login.wosign.com/reg.html and enter an email address, choose a password (and confirm it), enter the captcha code and accept the terms and conditions:
WoSign Signup


On the next page they tell you that a confirmation email has been sent to you and that you have to click the confirmation link in it:
WoSign Signup


You'll immediately receive an email with a subject like "Please activate your WoSign account, 2015-01-18 23:02(GMT+8:00)" sent from cmsmaster@wosign.com. If you don't see it, check your spam folder. You have to click the link to confirm your email address.
WoSign Signup


In the next step they offer an SSL client certificate (just as StartSSL does). You have to save the file and import it into your browser by clicking on it. Since this step is different for each browser I didn't make screenshots. Basically you just have to click "next" a few times. The password of the SSL client certificate is the one you selected in the first step.
WoSign Signup


Now it is possible to log in on https://login.wosign.com/login.html using your just-imported SSL client certificate and password.
WoSign Signup


Order a free SSL certificate

Now that you have created your account on wosign.com you can order your first free SSL certificate. Open https://buy.wosign.com/DVSSL.html and click the green button to add the free domain validated SSL certificate to your shopping cart.
WoSign Signup


On the next page click again on the green button to open your shopping cart.
WoSign Signup


Review your order; if needed you can adjust the number of domains you want to have included in the certificate. Again click the green button to continue.
WoSign Signup


Since the domain validated SSL certificate is free you don't have to enter any payment details. Just click the green button again to continue.
WoSign Signup


Now you should see the confirmation that your order was successful. Click on the "orderlist" to see the order and add the information needed for the certificate.
WoSign Signup


On the orderlist click the "play button" to add the domain information.
WoSign Signup

In the first textbox add the domains you want to include in the SSL certificate, one domain per line. Only tick the next checkbox if you DO NOT want the www subdomain to be included in the certificate. As the language you can choose the second option, "English", and as the algorithm you should select SHA2 (browsers are phasing out SHA-1 certificates, and a SHA-1 certificate valid until 2017 will already trigger warnings). Now the most difficult part: in the name field you have to enter 2-5 Chinese characters. You can visit http://www.chinese-tools.com/names or http://www.chinesetools.eu/chinesename/ to generate a Chinese name and copy and paste the characters into the field. The telephone number has to be in the specified format.
WoSign Signup

Now you can choose how to validate your ownership of the domain(s) you want to include in the certificate. The first option is an email sent to webmaster, postmaster, hostmaster, admin or administrator at the domain. The second option is downloading an HTML file and placing it in the web root of the domain you want to include. For example.com this would be http://example.com/example.com.html. Make sure you do not redirect all requests to the www subdomain, otherwise the validation request for the bare domain never reaches the file.
WoSign Signup

On the next page you have to select the server software you want to use the SSL certificate with. I think it doesn't matter what you choose. In the next step you can choose the option with the happy smiley face to have the SSL key and CSR generated on WoSign's server. It is never a good idea to let a third party create your private key (they would hold a copy of it, and your traffic would be only as secure as their handling of it), so you should definitely choose the second option with the unhappy smiley. Log in to your web server via SSH and create a new SSL key and CSR like this:

  openssl req -out example.com.csr -new -sha256 -newkey rsa:2048 -nodes -keyout example.com.key

Set the "common name" to the domain you want to use. With "cat example.com.csr" you can see the generated CSR. Paste the complete content, including the BEGIN CERTIFICATE REQUEST and END CERTIFICATE REQUEST lines, into the textfield. With a click on "CSR" you can have the website try to decode the CSR. It will always show "sha1", even if you created a "sha256" CSR; verify the signature algorithm locally with "openssl req -in example.com.csr -noout -text" instead. Click the third button to proceed.
WoSign Signup
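The key and CSR step above, as an added example that is not part of the original post: a small POSIX shell script that generates the private key and a SHA-256 CSR non-interactively, lists every requested hostname in the request's subjectAltName, and then checks the request locally (signature algorithm, requested names, and that the request really belongs to the key on the server) instead of relying on the order form's decoder. The domain names and file names are assumptions.

```shell
#!/bin/sh
# Added example, not from the original post: generate the private key and a
# SHA-256 CSR locally (the "unhappy smiley" route) and check the CSR yourself
# instead of trusting the order form's decoder. example.com and the file
# names are assumptions.
set -eu

# make_csr DOMAIN [EXTRA_DOMAIN...]: writes DOMAIN.key and DOMAIN.csr in the
# current directory. The first name becomes the common name; every name is
# also listed in the subjectAltName extension of the request.
make_csr() {
    domain=$1
    shift
    sans="DNS:$domain"
    for extra in "$@"; do
        sans="$sans,DNS:$extra"
    done
    cfg=$(mktemp)
    cat >"$cfg" <<EOF
[ req ]
distinguished_name = dn
req_extensions = ext
prompt = no
[ dn ]
CN = $domain
[ ext ]
subjectAltName = $sans
EOF
    # 2048-bit RSA key without passphrase (-nodes) so the web server can start
    # unattended; the request itself is signed with SHA-256.
    openssl req -new -sha256 -newkey rsa:2048 -nodes \
        -keyout "$domain.key" -out "$domain.csr" -config "$cfg"
    rm -f "$cfg"
    chmod 600 "$domain.key"
}

# csr_sigalg FILE: prints the signature algorithm of the request, e.g.
# sha256WithRSAEncryption. The WoSign "CSR" button shows sha1 regardless.
csr_sigalg() {
    openssl req -in "$1" -noout -text | sed -n 's/^ *Signature Algorithm: *//p' | head -n 1
}

# csr_sans FILE: prints the DNS names requested in subjectAltName, one per line.
csr_sans() {
    openssl req -in "$1" -noout -text \
        | sed -n '/X509v3 Subject Alternative Name/{n;p;}' \
        | tr ',' '\n' | sed -n 's/^ *DNS://p'
}

# csr_matches_key CSR KEY: succeeds when the public key in CSR belongs to KEY,
# i.e. the request you paste really corresponds to the key on the server.
csr_matches_key() {
    [ "$(openssl req -in "$1" -noout -pubkey)" = "$(openssl pkey -in "$2" -pubout)" ]
}

# Usage: sh make_csr.sh example.com www.example.com
if [ $# -gt 0 ]; then
    make_csr "$@"
    echo "signature algorithm: $(csr_sigalg "$1.csr")"
    echo "requested names:"
    csr_sans "$1.csr"
    csr_matches_key "$1.csr" "$1.key" && echo "CSR matches $1.key"
    echo "paste the following into the order form:"
    cat "$1.csr"
fi
```

WoSign takes the list of names from the order form, not from the CSR, but putting them in the request anyway costs nothing and documents on the server which names the key was requested for. The key file is created with mode 600; keep it on the server only, and paste only the CSR into the form.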

On the next page confirm the domain name and the validity period once more, enter another captcha, accept the terms and conditions and confirm the order.
WoSign Signup

You should see a notice about a successful validation stating the date when your SSL certificate is expected to be ready, and again the email address they will send the certificate to. Depending on how busy they are this may take between 15 minutes and a few hours (apparently they issue the certificates manually, during Chinese business hours only).
WoSign Signup

When you receive the email with a subject like "Your WoSign SSL Certificate is ready for collection! 2015-01-18 22:22(GMT+08:00)" you just have to click the link to download your certificate. The zip file (around 24 kB) contains further ZIP files named "for Apache.zip", "for IIS.zip", "for Nginx.zip" and "for Other Server.zip". Sadly, as with many other SSL CAs, all the provided certificate bundles have issues. They include the StartCom root certificate, which a server never needs to send (clients must already have the root in their trust store for it to be of any use), and some even contain the wrong intermediate certificates.
The correct order of the certificates is as follows:
  1. Your certificate "example.com.crt" from the "for Other Server.zip" or "for Apache.zip" files
  2. WoSign CA Free SSL Certificate G2: https://www.wosign.com/root/ca1_dv_free_2.crt
  3. Certification Authority of WoSign (Cross-signed by StartCom): https://www.wosign.com/root/ca1_xs_sc_new.crt
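Assembling and checking that bundle, as an added example that is not part of the original post: the script below concatenates the files in the order listed above, then checks two things a broken bundle gets wrong: that each certificate in the file is issued by the one that follows it (catches reversed order and a wrong or missing intermediate), and that a path from your certificate to a trusted root can actually be built with "openssl verify". The file names are assumptions, and make_test_chain produces throwaway stand-in certificates for trying the checks offline, not WoSign's real ones.

```shell
#!/bin/sh
# Added example, not from the original post: build the bundle in the order
# given above (your certificate, WoSign CA Free SSL Certificate G2, the
# cross-signed WoSign CA) and check it locally before deploying it. File names
# are assumptions; make_test_chain makes throwaway stand-ins, not WoSign's.
set -eu

# make_bundle OUT FILE...: concatenates PEM files in the given order, adding a
# newline where a file lacks one so two certificates never run together.
make_bundle() {
    out=$1
    shift
    : >"$out"
    for f in "$@"; do
        cat "$f" >>"$out"
        [ "$(tail -c 1 "$f" | wc -l | tr -d ' ')" -eq 1 ] || echo >>"$out"
    done
}

# split_bundle BUNDLE DIR: writes the certificates of BUNDLE to DIR/1.pem,
# DIR/2.pem, ... in file order (DIR must be empty) and prints the count.
split_bundle() {
    awk -v d="$2" '/-----BEGIN CERTIFICATE-----/{n++} n>0{print > (d "/" n ".pem")}' "$1"
    ls "$2" | wc -l | tr -d ' '
}

# chain_order_ok BUNDLE: succeeds when every certificate in BUNDLE is issued by
# the one that follows it (server certificate first, CA last).
chain_order_ok() {
    dir=$(mktemp -d)
    count=$(split_bundle "$1" "$dir")
    rc=0
    i=1
    while [ "$i" -lt "$count" ]; do
        issuer=$(openssl x509 -in "$dir/$i.pem" -noout -issuer)
        subject=$(openssl x509 -in "$dir/$((i + 1)).pem" -noout -subject)
        if [ "${issuer#issuer=}" != "${subject#subject=}" ]; then
            echo "$1: certificate $i is not issued by certificate $((i + 1))" >&2
            rc=1
        fi
        i=$((i + 1))
    done
    rm -rf "$dir"
    return $rc
}

# chain_verifies BUNDLE TRUSTED: builds a path from the first certificate in
# BUNDLE to a root in TRUSTED, using the other certificates as untrusted
# intermediates, which is roughly what a client does with its trust store.
chain_verifies() {
    dir=$(mktemp -d)
    count=$(split_bundle "$1" "$dir")
    : >"$dir/untrusted.pem"
    i=2
    while [ "$i" -le "$count" ]; do
        cat "$dir/$i.pem" >>"$dir/untrusted.pem"
        i=$((i + 1))
    done
    rc=0
    if [ "$count" -gt 1 ]; then
        openssl verify -CAfile "$2" -untrusted "$dir/untrusted.pem" "$dir/1.pem" >/dev/null || rc=1
    else
        openssl verify -CAfile "$2" "$dir/1.pem" >/dev/null || rc=1
    fi
    rm -rf "$dir"
    return $rc
}

# make_test_chain DIR: constructed root -> intermediate -> leaf hierarchy
# (root.pem, inter.pem, leaf.pem) standing in for StartCom root, WoSign G2
# and example.com. Throwaway keys, only for trying the checks above offline.
make_test_chain() {
    d=$1
    cat >"$d/req.cnf" <<'EOF'
[ req ]
distinguished_name = dn
prompt = no
[ dn ]
CN = placeholder
[ ca ]
basicConstraints = critical, CA:TRUE
keyUsage = critical, keyCertSign, cRLSign
EOF
    openssl req -x509 -new -newkey rsa:2048 -nodes -sha256 -days 30 -subj '/CN=Test Root' \
        -config "$d/req.cnf" -extensions ca -keyout "$d/root.key" -out "$d/root.pem"
    openssl req -new -newkey rsa:2048 -nodes -sha256 -subj '/CN=Test Intermediate' \
        -config "$d/req.cnf" -keyout "$d/inter.key" -out "$d/inter.csr"
    openssl x509 -req -in "$d/inter.csr" -CA "$d/root.pem" -CAkey "$d/root.key" -CAcreateserial \
        -days 30 -sha256 -extfile "$d/req.cnf" -extensions ca -out "$d/inter.pem"
    openssl req -new -newkey rsa:2048 -nodes -sha256 -subj '/CN=example.com' \
        -config "$d/req.cnf" -keyout "$d/leaf.key" -out "$d/leaf.csr"
    openssl x509 -req -in "$d/leaf.csr" -CA "$d/inter.pem" -CAkey "$d/inter.key" -CAcreateserial \
        -days 30 -sha256 -out "$d/leaf.pem"
}

# Usage: sh check_chain.sh bundle.pem /etc/ssl/certs/ca-certificates.crt
if [ $# -eq 2 ]; then
    chain_order_ok "$1" && chain_verifies "$1" "$2" && echo "$1: chain order and signatures OK"
fi
```

For the real bundle, run it as "make_bundle bundle.pem example.com.crt ca1_dv_free_2.crt ca1_xs_sc_new.crt" followed by the two checks against your system's trust store (the ca-certificates path above is the Debian/Ubuntu one; adjust it for other systems). The order check deliberately looks at issuer and subject names only; "openssl verify" does the cryptographic work, and together they catch both the misordered and the wrong-intermediate bundles.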