Good point. I'd seen StartSSL before, but had forgotten about them. They're available now, too, while Let's Encrypt is forecasting next month. I certainly wouldn't call them vaporware at this point, but that doesn't change the fact that they're not available today. However, StartSSL doesn't support multiple domains on their free certificates, which would make them a no-go for me.
As I think about it, though, I'm thinking that "free certificates" is among the less-remarkable features here. Perhaps more remarkable is how their tool automates the process--it parses your httpd.conf to determine what domains you have running, generates the private key locally, generates the CSR, makes the request, validates domain control, receives the issued certificate, installs it, and configures your web server to use it. All of this takes about a minute. It also automatically handles renewals of that certificate, and they support revocation as well, which StartSSL doesn't.
In short, they want to see HTTPS replace HTTP as broadly as possible, and they seem to be trying to make it as simple as possible for server admins to make that happen.
SME has the configuration template system, so the configuration changes made by the tool wouldn't stick (and might not even work at all). But the tool also has the ability to create the certs without making the server config changes. I'd think that doing that, and setting the appropriate config keys to the location of the new key and cert, would be a suitable 80-90% solution (and shouldn't require any development on SME server at all). The 100% solution would be to have a button or checkbox in the server manager to "Generate SSL Certificates" that would run the whole process, but of course that would take a bit of work on our end.
236 Replies
63432 Views