Difference between revisions of "TLS Certificates Primer"

From Aram's Wiki
(Created page with "== Prerequisites == You will need to generate a private key, and a certificate signing request. DOMAIN=xw.is openssl genrsa -rand -genkey -out $DOMAIN.key 2048 openssl re...")
 
(Prepare certificates for use)
 
(One intermediate revision by the same user not shown)
Line 4: Line 4:
  
 
  DOMAIN=xw.is
 
  DOMAIN=xw.is
  openssl genrsa -rand -genkey -out $DOMAIN.key 2048
+
  openssl req -new -newkey rsa:2048 -nodes -keyout $DOMAIN.key -out $DOMAIN.csr
openssl req -new -key $DOMAIN.key -out $DOMAIN.csr
 
  
 
Send ''xw.is.csr'' to your certificate vendor and follow the instructions.
 
Send ''xw.is.csr'' to your certificate vendor and follow the instructions.
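Review bot: the replacement one-liner is the right fix, since the removed `openssl genrsa -rand -genkey -out $DOMAIN.key 2048` could never have run (`-genkey` is not a genrsa option and `-rand` expects a file argument), and it makes the key size explicit with `rsa:2048`. Worth adding a sentence that `-nodes` leaves `xw.is.key` unencrypted on disk, so it should be created with restrictive permissions (for example `umask 077` before running the command), because anyone who can read that file can impersonate the site.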
Line 11: Line 10:
 
== Prepare certificates for use ==
 
== Prepare certificates for use ==
  
Your certificate vendor will give you a bunch of files. You need to concatenate them in order to use them in your web server. Order is essential. For example, for Comodo:
+
Your certificate vendor will give you a bunch of files. You need to concatenate them in order to use them in your web server. Order is essential. For example, for DigiCert:
  
  cat xw_is.crt COMODORSADomainValidationSecureServerCA.crt COMODORSAAddTrustCA.crt >../xw.is.crt
+
  cat xw_is.crt DigiCertCA.crt TrustedRoot.crt >../xw.is.crt
  
 
== Configure your web server ==
 
== Configure your web server ==
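Review bot: the DigiCert line keeps the essential order (server certificate first, then the issuing intermediate, then the root), but the text should say that the intermediate and root file names are vendor-specific, and that the order can be confirmed after concatenation with `openssl verify -CAfile TrustedRoot.crt -untrusted DigiCertCA.crt xw_is.crt` before the bundle is deployed. It is also worth noting that appending the root is optional: clients must already trust it for the chain to validate, so sending it only adds bytes to every handshake.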

Latest revision as of 12:31, 1 August 2023

Prerequisites

You will need to generate a private key and a certificate signing request (CSR).

DOMAIN=xw.is
openssl req -new -newkey rsa:2048 -nodes -keyout $DOMAIN.key -out $DOMAIN.csr

Send xw.is.csr to your certificate vendor and follow the instructions.

Prepare certificates for use

Your certificate vendor will give you a bunch of files. You need to concatenate them in order to use them in your web server. Order is essential. For example, for DigiCert:

cat xw_is.crt DigiCertCA.crt TrustedRoot.crt >../xw.is.crt

Configure your web server

Use xw.is.key and xw.is.crt in your web server. For example, for nginx, reference them from your server block, as in this minimal configuration:

worker_processes 1;

events {
	worker_connections  1024;
}

http {
	server {
		# "ssl on;" is deprecated and was removed in nginx 1.25.1; enable TLS on the listener instead
		listen 443 ssl;
		server_name xw.is;

		# the concatenated chain (server certificate first) and its matching private key
		ssl_certificate /tank/nginx/tls/xw.is.crt;
		ssl_certificate_key /tank/nginx/tls/xw.is.key;
		ssl_session_cache shared:SSL:1m;
		ssl_session_timeout 5m;

		ssl_ciphers HIGH:!aNULL:!MD5;
		ssl_prefer_server_ciphers on;

		location / {
			root /usr/local/www/nginx;
			index index.html index.htm;
		}
	}
}
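As an added example, not part of the wiki page or its author's commands, the following POSIX shell script turns the "order is essential" and "use xw.is.key and xw.is.crt" advice above into checks you can run before a CSR is sent off or nginx is reloaded: does the CSR belong to the key, is the bundle ordered server certificate, intermediate, root, does the first certificate in the bundle match the key (the pairing nginx checks), and does the chain validate to the root. It assumes only that `openssl` (1.1.1 or newer) is on PATH; the function names are the example's own, and the root and intermediate CA it builds under a temporary directory are constructed test data standing in for a real vendor's chain.

```shell
#!/bin/sh
# Added example, not part of the wiki page: pre-flight checks for the three
# steps above (key/CSR pairing, chain order, key/cert pairing nginx needs).
# Assumes only that `openssl` 1.1.1 or newer is on PATH. The root and
# intermediate CA built by make_test_pki are constructed throw-away test data.

# Public key of a private key, CSR or certificate as PEM, so any two can be compared.
pubkey_of_key()  { openssl pkey -in "$1" -pubout 2>/dev/null; }
pubkey_of_csr()  { openssl req  -in "$1" -noout -pubkey 2>/dev/null; }
pubkey_of_cert() { openssl x509 -in "$1" -noout -pubkey 2>/dev/null; }   # first cert only

# 0 if the CSR really came from this private key (check before sending it off).
key_matches_csr()  { [ "$(pubkey_of_key "$1")" = "$(pubkey_of_csr "$2")" ]; }
# 0 if the FIRST certificate in the bundle matches the key, which is exactly
# the pairing nginx checks for ssl_certificate / ssl_certificate_key.
key_matches_cert() { [ "$(pubkey_of_key "$1")" = "$(pubkey_of_cert "$2")" ]; }

# Split a PEM bundle into $2/cert-NN.pem, one certificate per file, in file order.
split_bundle() {
    awk -v dir="$2" '
        /-----BEGIN CERTIFICATE-----/ { n++; f = sprintf("%s/cert-%02d.pem", dir, n) }
        f != ""                       { print > f }
        /-----END CERTIFICATE-----/   { close(f); f = "" }' "$1"
}

# 0 if each certificate is issued by the one after it, i.e. the bundle is ordered
# server cert, intermediate(s), root, as the cat line above requires.
chain_order_ok() {
    tmp=$(mktemp -d); rc=0; prev=""
    split_bundle "$1" "$tmp"
    for cur in "$tmp"/cert-*.pem; do
        if [ -n "$prev" ]; then
            iss=$(openssl x509 -in "$prev" -noout -issuer)
            sub=$(openssl x509 -in "$cur"  -noout -subject)
            # drop the "issuer=" / "subject=" labels, then compare the names
            [ "${iss#issuer=}" = "${sub#subject=}" ] || rc=1
        fi
        prev=$cur
    done
    rm -rf "$tmp"
    return $rc
}

# 0 if server cert $3 chains through bundle $1 up to trusted root $2 (what a client does).
chain_verifies() { openssl verify -CAfile "$2" -untrusted "$1" "$3" >/dev/null 2>&1; }

# Constructed test PKI under $1: root -> intermediate -> xw.is leaf (test data only).
make_test_pki() {
    d=$1
    cat > "$d/req.cnf" <<'EOF'
[req]
distinguished_name = dn
prompt = no
[dn]
CN = placeholder
[ca_ext]
basicConstraints = critical, CA:TRUE
keyUsage = critical, keyCertSign, cRLSign
[leaf_ext]
basicConstraints = CA:FALSE
subjectAltName = DNS:xw.is
EOF
    openssl genrsa -out "$d/root.key" 2048 2>/dev/null
    openssl req -x509 -new -key "$d/root.key" -out "$d/root.crt" -config "$d/req.cnf" \
        -extensions ca_ext -subj "/CN=Constructed Test Root" -days 2 2>/dev/null
    openssl genrsa -out "$d/inter.key" 2048 2>/dev/null
    openssl req -new -key "$d/inter.key" -out "$d/inter.csr" -config "$d/req.cnf" \
        -subj "/CN=Constructed Test Intermediate" 2>/dev/null
    openssl x509 -req -in "$d/inter.csr" -CA "$d/root.crt" -CAkey "$d/root.key" -CAcreateserial \
        -out "$d/inter.crt" -days 2 -extfile "$d/req.cnf" -extensions ca_ext 2>/dev/null
    # The leaf key and CSR, generated exactly as in the Prerequisites step
    openssl req -new -newkey rsa:2048 -nodes -keyout "$d/xw.is.key" -out "$d/xw.is.csr" \
        -config "$d/req.cnf" -subj "/CN=xw.is" 2>/dev/null
    openssl x509 -req -in "$d/xw.is.csr" -CA "$d/inter.crt" -CAkey "$d/inter.key" -CAcreateserial \
        -out "$d/xw_is.crt" -days 2 -extfile "$d/req.cnf" -extensions leaf_ext 2>/dev/null
}

# Stand-alone demonstration on the constructed PKI
demo() {
    d=$(mktemp -d)
    make_test_pki "$d"
    # Right order, as in the DigiCert line above: server cert, intermediate, root
    cat "$d/xw_is.crt" "$d/inter.crt" "$d/root.crt" > "$d/good.crt"
    # Wrong order: root first, so the first certificate no longer matches the key
    cat "$d/root.crt" "$d/inter.crt" "$d/xw_is.crt" > "$d/bad.crt"
    key_matches_csr  "$d/xw.is.key" "$d/xw.is.csr" && echo "key/CSR: match"
    chain_order_ok   "$d/good.crt" && echo "good.crt: ordered correctly"
    chain_order_ok   "$d/bad.crt"  || echo "bad.crt: out of order"
    key_matches_cert "$d/xw.is.key" "$d/good.crt" && echo "good.crt: first cert matches key"
    key_matches_cert "$d/xw.is.key" "$d/bad.crt"  || echo "bad.crt: first cert does not match key"
    chain_verifies   "$d/good.crt" "$d/root.crt" "$d/xw_is.crt" && echo "good.crt: verifies to root"
    rm -rf "$d"
}
demo
```

On a real deployment the same functions apply to the vendor's files: `key_matches_csr xw.is.key xw.is.csr` before uploading the CSR, then `chain_order_ok ../xw.is.crt` and `key_matches_cert xw.is.key ../xw.is.crt` before pointing `ssl_certificate` at the bundle (`nginx -t` performs that last check itself and refuses to start on a key mismatch, but it does not check the order of the intermediates, which only shows up as client-side validation failures).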