TLS Certificates Primer

From Aram's Wiki

Prerequisites

You will need to generate a private key, and a certificate signing request.

DOMAIN=xw.is
openssl req -new -newkey rsa:2048 -nodes -keyout $DOMAIN.key -out $DOMAIN.csr

Send xw.is.csr to your certificate vendor and follow the instructions.

Prepare certificates for use

Your certificate vendor will give you a bunch of files. You need to concatenate them into a single chain file in order to use them in your web server. Order is essential: your own (leaf) certificate comes first, then the intermediate CA certificate(s), then the root. For example, for DigiCert:

cat xw_is.crt DigiCertCA.crt TrustedRoot.crt >../xw.is.crt

Configure your web server

Use xw.is.key and xw.is.crt in your web server. For example, a minimal nginx configuration (the TLS directives belong in your server block):

worker_processes 1;

events {
	worker_connections  1024;
}

http {
	server {
		# "ssl on;" is deprecated; enable TLS on the listen directive instead
		listen 443 ssl;
		server_name xw.is;

		# the concatenated chain (leaf + intermediates + root) and the matching private key
		ssl_certificate /tank/nginx/tls/xw.is.crt;
		ssl_certificate_key /tank/nginx/tls/xw.is.key;
		ssl_session_cache shared:SSL:1m;
		ssl_session_timeout 5m;

		# exclude anonymous (unauthenticated) and MD5-based suites; let the server choose
		ssl_ciphers HIGH:!aNULL:!MD5;
		ssl_prefer_server_ciphers on;

		location / {
			root /usr/local/www/nginx;
			index index.html index.htm;
		}
	}
}
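A wrongly ordered chain file or a key that does not belong to the leaf certificate is the usual reason nginx refuses to start or browsers report an incomplete chain. The script below is an added example, not from the wiki page: it splits a concatenated bundle like xw.is.crt, checks that each certificate's issuer is the subject of the one that follows it, and checks that the private key matches the first (leaf) certificate. It assumes openssl is in PATH and that the bundle is PEM.

```shell
#!/bin/sh
# check_chain.sh - sanity-check a concatenated certificate bundle before
# giving it to nginx.  Added example; assumes openssl is installed.

# Split a PEM bundle into $2/cert-1.pem, $2/cert-2.pem, ... and print the count.
split_bundle() {
    awk -v dir="$2" '
        /-----BEGIN CERTIFICATE-----/ { n++; out = dir "/cert-" n ".pem"; inside = 1 }
        inside { print > out }
        /-----END CERTIFICATE-----/ { inside = 0; close(out) }
        END { print n + 0 }
    ' "$1"
}

# Return 0 when the bundle is ordered leaf -> intermediate(s) -> root, i.e.
# every certificate's issuer equals the subject of the next certificate.
check_chain_order() {
    bundle=$1
    dir=$(mktemp -d)
    n=$(split_bundle "$bundle" "$dir")
    [ "$n" -ge 1 ] || { echo "no certificates found in $bundle" >&2; rm -rf "$dir"; return 1; }
    i=1
    status=0
    while [ "$i" -lt "$n" ]; do
        next=$((i + 1))
        issuer=$(openssl x509 -noout -issuer -in "$dir/cert-$i.pem")
        subject=$(openssl x509 -noout -subject -in "$dir/cert-$next.pem")
        # drop the "issuer=" / "subject=" prefixes, then compare the names
        if [ "${issuer#issuer=}" != "${subject#subject=}" ]; then
            echo "certificate $i is not issued by certificate $next in $bundle" >&2
            status=1
        fi
        i=$next
    done
    rm -rf "$dir"
    return $status
}

# Return 0 when the private key ($2) belongs to the first certificate in the bundle ($1).
# openssl x509 reads only the first certificate of a file, which should be the leaf.
key_matches_leaf() {
    cert_pub=$(openssl x509 -noout -pubkey -in "$1")
    key_pub=$(openssl pkey -pubout -in "$2")
    [ "$cert_pub" = "$key_pub" ]
}

# usage: sh check_chain.sh xw.is.crt xw.is.key
if [ "$#" -eq 2 ]; then
    check_chain_order "$1" && key_matches_leaf "$1" "$2" && echo "$1 and $2 look consistent"
fi
```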