Difference between revisions of "TLS Certificates Primer"

From Aram's Wiki
Jump to: navigation, search
(Created page with "== Prerequisites == You will need to generate a private key, and a certificate signing request. DOMAIN=xw.is openssl genrsa -rand -genkey -out $DOMAIN.key 2048 openssl re...")
 
(Prerequisites)
 
Line 4: Line 4:
  
 
  DOMAIN=xw.is
 
  DOMAIN=xw.is
  openssl genrsa -rand -genkey -out $DOMAIN.key 2048
+
  openssl req -new -newkey rsa:2048 -nodes -keyout $DOMAIN.key -out $DOMAIN.csr
openssl req -new -key $DOMAIN.key -out $DOMAIN.csr
 
  
 
Send ''xw.is.csr'' to your certificate vendor and follow the instructions.
 
Send ''xw.is.csr'' to your certificate vendor and follow the instructions.

Latest revision as of 12:21, 10 February 2020

Prerequisites

You will need to generate a private key, and a certificate signing request.

DOMAIN=xw.is
openssl req -new -newkey rsa:2048 -nodes -keyout $DOMAIN.key -out $DOMAIN.csr

Send xw.is.csr to your certificate vendor and follow the instructions.

Prepare certificates for use

Your certificate vendor will give you a bunch of files. You need to concatenate them in order to use them in your web server. Order is essential. For example, for Comodo:

cat xw_is.crt COMODORSADomainValidationSecureServerCA.crt COMODORSAAddTrustCA.crt >../xw.is.crt

Configure your web server

Use xw.is.key and xw.is.crt in your web server. For example for nginx add this to your server block:

worker_processes 1;

events {
	worker_connections  1024;
}

http {
	server {
		listen 443;
		server_name xw.is;

		ssl on;
		ssl_certificate /tank/nginx/tls/xw.is.crt;
		ssl_certificate_key /tank/nginx/tls/xw.is.key;
		ssl_session_cache shared:SSL:1m;
		ssl_session_timeout 5m;

		ssl_ciphers HIGH:!aNULL:!MD5;
		ssl_prefer_server_ciphers on;

		location / {
			root /usr/local/www/nginx;
			index index.html index.htm;
		}
	}
}