Best Option: No-cost certificate from StartSSL

Updating page. Changes to the process.

When you are ready to get your Free SSL Certificate, to include with Postfix, you need StartSSL. Nice one.

Now go to StartSSL and sign up for an account. You might keep this page open in another window…


You will need now to create your own openssl signing certificate. The instructions are on the site.

On the StartSSL site. you first off need to Validate an email address so you can log in securely. This means they will send you a validation widget, which installs on your browser. It’s ok, it’s very secure.

Step 1. Use the “Validation Wizard” to validate your email address first. Within the Validation Wizard, select

. email validation

Go through this process, and make sure you add it to your browser as they advise, that way, you are recognised when you go back to them, as you will have to. It’s an easy process, well documented. Make copies of EVERYTHING. When you little validation file downloads, just double click on it, to install it.

Go back to the main menu.

Step 2. Then use the validation wizard again to validate the domain you want to use for your email server. Ok? Done? Right. select Validate domain. and type in your domain name. ie: in my case. You can then add like, and as you like. Verify when finished entering the names.

Step 3. This step is slightly more tricky. Use the “Certificates Wizard” to select and create a “Web Server SSL/TLS certificate“.


You will need now to create your own openssl signing certificate. Do this in a directory on your computer where it is easy to find. Be warned. It can get confusing.

The BEST option is to use openssl if you have it installed, with

openssl req -newkey rsa:2048 -keyout yourname.key -out yourname.csr

or, in the case of StartSSL and a PC, you can download a little wizard program that will do it for you. Or help you at least. Take your time, and follow the steps. Save the resulting files in the directory you created.

you will end up with – to start with – two files. For example


Now, Post the contents of the CSR file into the StartSSL Wizard where it askes you to.

open the csr file with a pure text editor. vi, or TextMate. NOT a wordproscessor. Copy the ocntents and paste into the the area specified.

You can then Download the certificates directly, or from the list in the area indicated.

They come in zip files, open, and you will see the directories. You need the ApacheServer one if you are on OSX…

Choose your email domain, following the prompts and if all goes well receive your certificate files. Move that file to /etc/ssl/certs/


Now, you have to open the key file that you first created, using openssl, with a text editor, it’s your private key , use vi in Unix, and copy the entire block of code. Start to Finish.

Go to StartSSL Tools, Decrypt.

You paste that copied text into the field waiting for you on the StartSSL interface.

Wait a moment, and it decodes it. Puts in in the lower window.

Copy that text in its entirety to the clipboard.

Open a document in Terminal with vi, and paste the decrypted text into the file. Save it as

website-name.key ( ie;

THIS is now your private key. Not the original, as it has your password in it as well, and it won’t decode for the web browsers.

so in short –

Decode the key, and it will show a second box, with the text in it. Copy that in it’s entirety, and paste that into a file that you will put in your /etc/ssl/private/ file

You can’t use the ORIGINAL – because it’s encoded.

you should be good to go.

Remember this, you have to do it every year.



Leave a Reply

Your email address will not be published. Required fields are marked *

CAPTCHA * Time limit is exhausted. Please reload CAPTCHA.