On a small non-commercial website I am using a no-cost Class 1 cert from Start SSL. There is no sensitive data going over the wire, but I do feel that I would like to provide at least a minimum of privacy to whoever browses to the site. When visiting the site in Firefox one receives the "Untrusted cert" warning. Here is an example using wget:
$ wget https://example.com/images/dog.jpg
--2013-08-09 15:21:10-- https://example.com/images/dog.jpg
Resolving example.com (example.com)... 54.43.17.16
Connecting to example.com (example.com)|54.43.17.16|:443... connected.
ERROR: The certificate of `example.com' is not trusted.
ERROR: The certificate of `example.com' hasn't got a known issuer.
The FAQ entry from StartSSL states that to avoid the warning, one must install the intermediate CA certificate to the browser. It is a bit unreasonable to expect all website visitors to do that!
I don't mind installing a cert from a larger company, but while researching the situation I find that the larger companies have the same issue. Another fine ServerFault question mentions that the server admin should install an intermediate certificate, but I am not sure that an intermediate certificate exists for Start SSL. Before moving to another company, how would I know if they have all the proper intermediate certificates that we would need? As the previous two linked questions demonstrate, even going with Verisign or GoDaddy may not resolve the issue.
This is a conventional LAMP stack (Ubuntu Server 12.04, Apache 2.2) running on Amazon Web Services.
Best Answer
The installation instructions not only refer to the intermediate certificate file, but provide a link to download it.