Free Chinese 2 year SSL certificate: DV KuaiSSL by WoSign.com

cidero Member
edited January 2015 in General

Hi,

this is already discussed in the thread "Who are the best free SSL providers?" but since the topic is misleading (many won't read it) and this is huge news in my opinion I'd like to point it out in this separate thread: The Chinese CA WoSign provides free domain validated SSL certificates. Unlike StartSSL these are valid for 2 years and it is possible to include up to 100 domains in one certificate (SAN). Some information in English is available here: https://www.wosign.com/english/DV_KuaiSSL.htm

As of today the order process is only available in Chinese. But using Google Chrome and the translate feature it should be quite easy:

  • first register your account at https://login.wosign.com/reg.html. Confirm your email address with the link in the email they send to you. Download the SSL client certificate (just like during the StartSSL registration) and import it into your browser.
  • visit https://buy.wosign.com/DVSSL.html and add the SSL certificate in your shopping cart. Click a few times on "next".
  • on the order list at https://buy.wosign.com/memberuser/OrderList.html click the play button and enter the domain name(s) you want the SSL cert for. Verify the domain(s) either via email or by putting an HTML file they provide on your server.
  • In the next step create a CSR on your server and paste the contents in the form on the website.
  • Next you will receive an email with a link to a ZIP file containing your certificate. The correct order of the certificates is like this:

your-domain.com.crt -> ca1_dv_free_2.crt -> ca1_xs_sc_new.crt

If you need more help check out my step-by-step tutorial with translated screenshots: https://www.checkmyping.com/

It is one of my spare domains and I'd like to use it as a "showcase" for the WoSign certs. To see an example of such a free SSL certificate visit that website or check it with SSLlabs.com: https://www.ssllabs.com/ssltest/analyze.html?d=checkmyping.com


Comments

  • You can display the crt on their website before you receive the email.

  • rm_ IPv6 Advocate, Veteran

    cidero said: Download the SSL client certificate (just like during the StartSSL registration) and import it into your browser.

    But unlike with StartSSL you don't need to bother with this b/s whatsoever, and just use login/password for authentication to your account.

  • rm_ said: But unlike with StartSSL you don't need to bother with this b/s whatsoever, and just use login/password for authentication to your account.

    Yep, just use the regular account login, not the BS cert login.

  • rm_ IPv6 Advocate, Veteran
    edited January 2015

    One more note (this is not fully confirmed yet), you need to pick "Certificate Language: Chinese", else you will get a yellow warning icon on the address bar lock in Chrome 39, due to their English certificate chain ("Root 1" from http://www.wosign.com/English/root.htm) having been only signed with SHA1 certs.

    See https://romanrm.hk/ for an example of installed English language cert. upd: Switched to a Chinese one.

  • .ovh and .tf domains are rejected.

  • Nomad Member
    edited January 2015

    @rm_ said:
    One more note (this is not fully confirmed yet), you need to pick "Certificate Language: Chinese", else you will get a yellow warning icon on the address bar lock in Chrome 39, due to their English certificate chain ("Root 1" from http://www.wosign.com/English/root.htm) having been only signed with SHA1 certs.

    See https://romanrm.hk/ for an example of installed English language cert.

    Actually, if you edit the certificate file you get the green icon.
    The only problem with the English certificate is that since one of the intermediate certificates turned out to be SHA1, you can't get an A+ on SSL checks.

    Other than that, it works fine!

    Check my site: https://wks.golgeli.net/

    Here is what I used with my nginx to make it work just fine:

    You MUST ADD your domain's crt file on top of this configuration and create a bundle that way.

  • Keith said: .ovh and .tf domains are rejected.

    I'm not surprised about .ovh (they probably haven't bothered to keep up with all the new TLDs), but it's weird that they don't support .tf.

  • Nomad Member
    edited January 2015

    Also,

    today I sent an email to them asking whether or not they'll update that certificate to SHA2, I just received an answer to that:

    Dear ,

    Our crossroot will update to sha2.

    Replacement time has not been determined.

  • rm_ IPv6 Advocate, Veteran
    edited January 2015

    Does not work in Iceweasel (based on Firefox 24.8):

    What seems to be working with a higher degree of success for me, is to use a Chinese language cert (just got mine) and combine a bundle like this... see below for an update.

    The result is: https://aux.romanrm.hk/. Chrome 39 is happy (green icon), Iceweasel is happy, even Internet Explorer doesn't complain, but for some reason still getting the "Untrusted connection" error in Pale Moon 25 (Firefox-based) on Windows. update below.

  • Got another email from WoSign:

    Thanks for your attention.
    We are so glad that you chose our SSL, but for the moment our root certificate cannot issue SSL certificates in SHA2. We are now trying to solve it; maybe in the coming months we can manage to do that. Anyway, we are still hoping we can cooperate more and communicate immediately.

    Best Regards,

    @rm_ Check this: http://browsershots.org/https://aux.romanrm.hk/
    Yours seem quite OK actually...

    Mine on the other hand even with your setup is the same.
    I think it might be related to the ssl ciphers and all. Maybe my problem is due to my nginx config :D

  • Detruire Member
    edited January 2015

    rm_ said: The result is: https://aux.romanrm.hk/. Chrome 39 is happy (green icon), Iceweasel is happy, even Internet Explorer doesn't complain, but for some reason still getting the "Untrusted connection" error in Pale Moon 25 (Firefox-based) on Windows.

    Chrome 42 isn't (no green icon.)

    EDIT: But it is for https://wks.golgeli.net

    EDIT2: Hard refresh and it's now showing green padlock, although Chrome does say that the connection is AES_256_CBC with SHA1 for message authentication and ECDHE_RSA for key exchange.

  • What am I doing wrong? After the last step of confirmation I keep on getting following:

    提交请求中,包含非法数据

    Any clues?

  • zxb Member

    A word of warning: don't put too much trust on Chinese CAs.

  • rm_ IPv6 Advocate, Veteran
    edited January 2015

    @Nomad Finally it works for me in all browsers I tried (Pale Moon too). The winning combination is:

    curl -s http://www.wosign.com/root/startcom.crt \
    http://www.wosign.com/root/ca2_xs_sc_new.crt \
    http://www.wosign.com/root/WS_CA2_NEW.CRT \
    http://www.wosign.com/root/ca2_dv_free_2.crt > wosign_ca2.pem

    zxb said: A word of warning: don't put too much trust on Chinese CAs.

    Your browser already "puts trust" in WoSign; or did you actually edit its certificate settings to not accept their root certs?

    As for the general practice, of course generate your own CSR and not let them have your private key. But even if they had it, the possibility of the Chinese of all people, doing something nefarious (and making any practical sense) with my SSL certs, is rather remote. In fact I would trust them more than NSA or Google, but again, there is no reason to "trust", you just use your own CSR and that's it.
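An added example, not code from any poster in this thread, for checking a concatenated bundle like the one in the opening post (your-domain.com.crt first, then the intermediates) or the curl output above before installing it: each certificate's issuer must match the next certificate's subject, and every SHA-1 signature in the chain is reported, since a SHA-1 intermediate is what produced the Chrome 39 yellow triangle discussed earlier. It assumes a POSIX sh with the openssl CLI; check_bundle, split_bundle and sig_alg are hypothetical names.

```shell
#!/bin/sh
# check_bundle: sanity-check a concatenated PEM bundle before installing it.
# Hypothetical helper written for this thread, not WoSign's or any poster's tool.
#   1. Server bundles must be ordered leaf -> intermediate(s) -> root or
#      cross-signed cert, so each cert's issuer must equal the next cert's subject.
#   2. Any SHA-1 signature in the chain is reported: a SHA-1 intermediate is
#      what triggered the yellow-triangle warning in Chrome 39.
# Exit status: 0 if the order is consistent, 1 otherwise.

split_bundle() {
  # Write each certificate of bundle $1 into $2/cert-NN.pem, preserving order.
  awk -v dir="$2" '
    /-----BEGIN CERTIFICATE-----/ { n++; f = sprintf("%s/cert-%02d.pem", dir, n) }
    f != "" { print > f }
    /-----END CERTIFICATE-----/ { close(f); f = "" }
  ' "$1"
}

sig_alg() {
  # Print the signature algorithm name of the certificate in $1.
  openssl x509 -noout -text -in "$1" | awk '/Signature Algorithm/ { print $3; exit }'
}

check_bundle() {
  bundle=$1
  dir=$(mktemp -d)
  split_bundle "$bundle" "$dir"
  status=0
  prev_issuer=""
  prev_cert=""
  for cert in "$dir"/cert-*.pem; do
    # Strip the "subject=" / "issuer=" prefixes so both DNs print the same way.
    subject=$(openssl x509 -noout -subject -in "$cert" | sed 's/^subject= *//')
    issuer=$(openssl x509 -noout -issuer -in "$cert" | sed 's/^issuer= *//')
    sigalg=$(sig_alg "$cert")
    if [ -n "$prev_issuer" ] && [ "$prev_issuer" != "$subject" ]; then
      echo "ORDER: issuer of $(basename "$prev_cert") ($prev_issuer)" \
           "is not the subject of $(basename "$cert") ($subject)" >&2
      status=1
    fi
    case $sigalg in
      sha1*) echo "SHA1: $(basename "$cert") [$subject] is signed with $sigalg" >&2 ;;
    esac
    prev_issuer=$issuer
    prev_cert=$cert
  done
  rm -rf "$dir"
  return $status
}
```

A SHA1 line on the self-signed root at the end of the bundle is harmless, since browsers do not check a trust anchor's own signature; a SHA1 line on an intermediate or a cross-signed CA cert is the one that matters.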

  • rm_ IPv6 Advocate, Veteran
    edited January 2015

    Detruire said: Chrome 42 isn't (no green icon.)

    EDIT2: Hard refresh and it's now showing green padlock, although Chrome does say that the connection is AES_256_CBC with SHA1 for message authentication and ECDHE_RSA for key exchange.

    Now switched my main site to it, try https://romanrm.net/ removed for now.

    "SHA1 for message authentication" is actually okay with Chrome, it's SHA1 for certificates that they want to eliminate.

  • @rm_
    Don't you use any ssl ciphers?
    I do and I think that's why mine is not supported on all browsers.
    Even when I use the same certificates due to our config some stuff are different...

  • rm_ IPv6 Advocate, Veteran

    Nomad said: Don't you use any ssl ciphers? I do and I think that's why mine is not supported on all browsers. Even when I use the same certificates due to our config some stuff are different...

    The problem with yours seems to be certificate related: "wks.golgeli.net uses an invalid security certificate. The certificate is not trusted because the issuer certificate is not trusted. (Error code: sec_error_untrusted_issuer)".

    My cipher list in Lighttpd is "ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES256-SHA:DHE-DSS-AES256-SHA:ECDH-RSA-AES256-SHA:ECDH-ECDSA-AES256-SHA:AES256-SHA", if that helps.

  • Detruire Member
    edited January 2015

    rm_ said: Now switched my main site to it, try https://romanrm.net/

    "SHA1 for message authentication" is actually okay with Chrome, it's SHA1 for certificates that they want to eliminate.

    Tried both sites on a different computer (also with the latest Chrome Canary), and neither shows the padlock. The "obsolete cryptography" error is the only obvious one.

  • Mahfuz_SS_EHL Host Rep, Veteran

    Everything is good, just the SHA1 Signature.

  • rm_ IPv6 Advocate, Veteran

    Detruire said: neither shows the padlock

    So it's just address bar without a padlock? Can you screen-shot how it looks?
    The initial problem was that Chrome was showing a padlock but with a yellow triangle ("warning") on top of it. Which is IMO much worse than none at all.

  • Anyone using IIS and get green on Chrome?

    I got both Chinese and English cert, but both show yellow triangle on Chrome 39.

  • rm_ said: So it's just address bar without a padlock? Can you screen-shot how it looks?

    The initial problem was that Chrome was showing a padlock but with a yellow triangle ("warning") on top of it. Which is IMO much worse than none at all.

    Yeah, no padlock.

  • I found out that it's behavior of Chrome on Android, even https://romanrm.net/ has yellow warning lock.

  • rm_ IPv6 Advocate, Veteran
    edited January 2015

    Green lock icon on Chrome 39 for Windows.

  • Detruire Member
    edited January 2015

    That shows with a green padlock. EDIT: 42.0.2280.2 canary.

  • Maybe some browsers are not yet aware of that Certificate Authority :-)

  • All yellow on Chrome (Android) :/

  • Reetus Member
    edited January 2015

    Edit, Android chrome suddenly hates it with ERR_CERT_AUTHORITY_INVALID

    I give up for now.

  • rm_ IPv6 Advocate, Veteran
    edited January 2015

    Reetus said: initially it wasn't but SSLLabs showed multiple trusted paths

    This is normal if you want it to open both in Chrome 39 with the green icon, and in old browsers such as Firefox 25 (at all).

    Reetus said: so I recombined with the right combo (it didn't have the StartSSL Root), but root is SHA1, intermediate isn't.

    Cross-signed cert ("WoSign CA" cert issued by StartCom) is SHA1. The trick with Chrome is that it doesn't need/use it. But for other browsers it's very much needed and must be present (hence your multiple trusted paths).

    From what I can tell it is impossible to get an A+ on SSL Labs with their certs. The best we can strive for, is just a site loading properly in all browsers, and no yellow warning in Chrome Desktop.

    @Reetus Can you post your actual URL, I tried https://rss.slackprojects.org/, but it's currently giving a wrong cert for the "jaws" hostname.

    P.S.: installed another copy of Chrome 39 on a different computer, and it's giving yellow warnings both on all my sites, and on @comXyz https://comxyz.com/. D'oh!! Looks like Chrome uses certificates from the OS, and on that PC the OS is Windows 7 without service packs. Maybe it's a bit too old.

    I think I will return to StartSSL certs for my main sites for now, and hope the WoSign CA in the coming 10 months to their expiration gets around to making proper SHA2 certs :)
