Generate an SSL/TLS key, which will be used to actually encrypt traffic.
DOMAIN=nntp.za3k.com openssl genrsa -out ${DOMAIN}.key 4096 chmod 700 ${DOMAIN}.keyGenerate a Certificate Signing Request, which is sent to your authentication provider. The details here will have to match the details they have on file (for StartSSL, just the domain name).
# -subj "/C=US/ST=/L=/O=/CN=${DOMAIN}" can be omitted to fill in custom identification details # -sha512 is the hash of your key used for identification. This was the reasonable option in Oct 2014. It isn't supported by IE6 openssl req -new -key ${DOMAIN}.key -out ${DOMAIN}.csr -subj "/C=US/ST=/L=/O=/CN=${DOMAIN}" -sha512Submit your Certificate Signing Request to your authentication provider. Assuming the signing request details match whatever they know about you, they’ll return you a certificate. You should also make sure to grab any intermediate and root certificates here.
echo "Saved certificate" > ${DOMAIN}.crt wget https://www.startssl.com/certs/sca.server1.crt https://www.startssl.com/certs/ca.crt # Intermediate and root certificate for StartSSLCombine the chain of trust (key, CSR, certificate, intermediate certificates(s), root certificate) into a single file with concatenation. Leaving out the key will give you a combined certificate of trust for the key, which you may need for other applications.
cat ${DOMAIN}.crt sca.server1.crt >${DOMAIN}.pem # Main cert cat ${DOMAIN}.key ${DOMAIN}.crt sca.server1.crt ca.crt >${DOMAIN}.full.pem chmod 700 ${DOMAIN}.full.pem
See also: https://github.com/Gordin/StartSSL_API