Renewing StartSSL certificates

I switched all my websites to HTTPS around September 2013, when Eric Mill published a didactic post on his blog explaining how to set up HTTPS certificates on one's website for free with StartSSL. Like others, I believe we need to make surveillance as expensive as possible. Making privacy the default on all my websites is a small contribution in this direction: for privacy not to be suspicious, privacy should be on by default over the Internet.

Doing the configuration is one thing. Later on comes the renewal of your certificates. At this point, having forgotten most of the procedure, I need to check Eric Mill's post again. After a few iterations of this, I realized the step can be mostly automated, or at least computer-assisted, so I compiled the useful part into the following script:



#!/bin/sh
# bundle.crt and decrypted.key are the names the nginx configuration below
# points at; the private key and request file names are assumed here.
PRIVATE=private.key
DECRYPTED=decrypted.key
REQUEST=request.csr
CERTIFICATE=bundle.crt

# Generate a passphrase-protected 4096-bit RSA private key
if [ ! -f "${PRIVATE}" ]; then
    openssl genrsa -aes256 -out "${PRIVATE}" 4096
fi

# Strip the passphrase so nginx can load the key without prompting
if [ ! -f "${DECRYPTED}" ]; then
    openssl rsa -in "${PRIVATE}" -out "${DECRYPTED}"
fi

# Create the certificate signing request, signed with SHA-256
if [ ! -f "${REQUEST}" ]; then
    openssl req -new -sha256 -key "${DECRYPTED}" -out "${REQUEST}"
fi

if [ ! -f "${CERTIFICATE}" ]; then
    echo "Ready to send the certificate request:"
    echo ""
    cat "${REQUEST}"
    echo ""
    echo "Write final certificate in ${CERTIFICATE}"
else
    echo "Final certificate ${CERTIFICATE} already exists"
fi

At the end of their "Domain Validation" process, StartSSL will provide you with a ZIP archive, itself containing a ZIP archive named, which contains the certificate (usually named 1_your-domain_bundle.crt). Copy this file as bundle.crt into the same directory as the script above. Finally, check that your nginx configuration uses the correct file names. With the settings above, it should look like:

server {
    listen 443 ssl;
    server_name your-domain;
    ssl_certificate /path/to/script/directory/bundle.crt;
    ssl_certificate_key /path/to/script/directory/decrypted.key;
}

Be sure to restart the server (sudo service nginx restart) to complete the key renewal.
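A restart with a certificate that does not belong to the key, or with one that is already close to expiry, only produces a broken or soon-to-break site. The following pre-flight check is an added example, not part of the original post or of Eric Mill's write-up: it compares the public key inside bundle.crt with the one derived from decrypted.key, checks the remaining validity, and runs nginx's own configuration test. The function names are mine; openssl and nginx are assumed to be on the PATH.

```shell
#!/bin/sh
# Pre-flight checks to run before "sudo service nginx restart".

# cert_matches_key CERT KEY: succeed when the SubjectPublicKeyInfo
# embedded in CERT equals the public key derived from KEY.
cert_matches_key() {
    cert_pub=$(openssl x509 -in "$1" -noout -pubkey 2>/dev/null) || return 1
    key_pub=$(openssl pkey -in "$2" -pubout 2>/dev/null) || return 1
    [ "$cert_pub" = "$key_pub" ]
}

# cert_valid_for_days CERT DAYS: succeed when CERT does not expire
# within the next DAYS days (-checkend takes seconds).
cert_valid_for_days() {
    openssl x509 -in "$1" -noout -checkend $(( $2 * 86400 )) >/dev/null 2>&1
}

# preflight CERT KEY: all checks must pass before restarting nginx.
preflight() {
    if ! cert_matches_key "$1" "$2"; then
        echo "$1 does not match private key $2" >&2
        return 1
    fi
    if ! cert_valid_for_days "$1" 30; then
        echo "$1 expires within 30 days; renew before deploying" >&2
        return 1
    fi
    # Only then let nginx validate the configuration that references them.
    sudo nginx -t
}

# Typical use from the script directory:
#   preflight bundle.crt decrypted.key && sudo service nginx restart
```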