TLS Certificates Primer

From Aram's Wiki

You will need to generate a private key and a certificate signing request (CSR):
openssl req -new -newkey rsa:2048 -nodes -keyout $DOMAIN.key -out $DOMAIN.csr   # -nodes leaves the key unencrypted so the web server can start without a passphrase prompt

Send to your certificate vendor and follow the instructions.

Prepare certificates for use

Your certificate vendor will give you a bunch of files. You need to concatenate them in order to use them in your web server. Order is essential. For example, for DigiCert:

cat xw_is.crt DigiCertCA.crt TrustedRoot.crt >../   # server certificate first, then the intermediate CA, then the root
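Because the order of the concatenated file matters, here is an added example (my own, not part of this wiki page) that checks a PEM bundle's ordering: each certificate's issuer Name must be byte-for-byte equal to the subject Name of the certificate that follows it. It reads only enough DER to pull those two fields out, using the standard library alone, so it works on a real bundle. The `stub_cert_pem` helper and the `demo` function build unsigned, structurally minimal stand-in certificates purely so the check can be exercised offline; they are constructed test material, not real certificates.

```python
"""Check that a concatenated PEM bundle is ordered leaf -> intermediate(s) -> root."""
import base64
import hashlib
import re

PEM_RE = re.compile(
    r"-----BEGIN CERTIFICATE-----\s*(.*?)\s*-----END CERTIFICATE-----", re.S
)


def pem_to_ders(bundle: str) -> list[bytes]:
    """Split a PEM bundle into DER blobs, preserving file order."""
    return [base64.b64decode(re.sub(r"\s+", "", body)) for body in PEM_RE.findall(bundle)]


def _tlv(buf: bytes, pos: int) -> tuple[int, int, int]:
    """Read one DER tag/length at pos; return (tag, value_start, value_end)."""
    tag = buf[pos]
    length = buf[pos + 1]
    pos += 2
    if length & 0x80:  # long form: low 7 bits give the number of length bytes
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    return tag, pos, pos + length


def issuer_and_subject(der: bytes) -> tuple[bytes, bytes]:
    """Return the raw DER encodings (header included) of issuer and subject.

    Certificate ::= SEQUENCE { tbsCertificate, signatureAlgorithm, signature }
    TBSCertificate ::= SEQUENCE { [0] version OPTIONAL, serialNumber, signature,
                                  issuer, validity, subject, ... }
    """
    _, tbs_start, _ = _tlv(der, 0)            # outer Certificate SEQUENCE
    tag, pos, tbs_end = _tlv(der, tbs_start)  # tbsCertificate SEQUENCE
    if tag != 0x30:
        raise ValueError("not an X.509 certificate")
    fields = []
    while pos < tbs_end and len(fields) < 6:
        tag, _, vend = _tlv(der, pos)
        fields.append((tag, der[pos:vend]))   # keep the whole TLV for comparison
        pos = vend
    if fields[0][0] == 0xA0:                  # drop the EXPLICIT [0] version wrapper
        fields.pop(0)
    # fields now: serialNumber, signature, issuer, validity, subject, ...
    return fields[2][1], fields[4][1]


def check_chain_order(bundle: str) -> list[str]:
    """Return a list of problems; an empty list means every link is consistent."""
    ders = pem_to_ders(bundle)
    if not ders:
        return ["no certificates found in bundle"]
    names = [issuer_and_subject(d) for d in ders]
    problems = []
    for i in range(len(ders) - 1):
        if names[i][0] != names[i + 1][1]:    # issuer(i) must equal subject(i+1)
            fp = hashlib.sha256(ders[i]).hexdigest()[:16]
            problems.append(
                f"certificate {i} (sha256 {fp}...) is not issued by certificate {i + 1}: "
                "chain order is wrong or an intermediate is missing"
            )
    return problems


# --- constructed test material: unsigned stubs with just enough DER structure
#     for the walker above. Not real certificates; never deploy them. ---
def _der(tag: int, body: bytes) -> bytes:
    n = len(body)
    if n < 128:
        return bytes([tag, n]) + body
    nb = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(nb)]) + nb + body


def _name(cn: str) -> bytes:
    """Name ::= SEQUENCE OF SET OF { OID commonName, UTF8String }."""
    attr = _der(0x30, _der(0x06, b"\x55\x04\x03") + _der(0x0C, cn.encode()))
    return _der(0x30, _der(0x31, attr))


def stub_cert_pem(subject_cn: str, issuer_cn: str) -> str:
    tbs = (
        _der(0xA0, _der(0x02, b"\x02"))                                  # version v3
        + _der(0x02, b"\x01")                                             # serialNumber
        + _der(0x30, _der(0x06, b"\x2a\x86\x48\x86\xf7\x0d\x01\x01\x0b"))  # sha256WithRSAEncryption
        + _name(issuer_cn)
        + _der(0x30, _der(0x17, b"240101000000Z") + _der(0x17, b"250101000000Z"))  # validity
        + _name(subject_cn)
    )
    cert = _der(0x30, _der(0x30, tbs) + _der(0x30, b"") + _der(0x03, b"\x00"))
    b64 = base64.b64encode(cert).decode()
    lines = "\n".join(b64[i:i + 64] for i in range(0, len(b64), 64))
    return f"-----BEGIN CERTIFICATE-----\n{lines}\n-----END CERTIFICATE-----\n"


def demo() -> tuple[list[str], list[str]]:
    """Correct order (server, intermediate, root) versus intermediate and server swapped."""
    leaf = stub_cert_pem("www.example.com", "Example Intermediate CA")
    inter = stub_cert_pem("Example Intermediate CA", "Example Root CA")
    root = stub_cert_pem("Example Root CA", "Example Root CA")
    return check_chain_order(leaf + inter + root), check_chain_order(inter + leaf + root)


if __name__ == "__main__":
    good, bad = demo()
    print("correct order:", good or "OK")
    print("swapped order:", *bad, sep="\n  ")
```

To run it on the file produced by the `cat` step, read that file into a string and pass it to `check_chain_order`; a self-signed root at the end of the bundle is consistent with itself and raises no complaint.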

Configure your web server

Use the concatenated certificate file and the private key in your web server. For example, for nginx add this to your server block:

worker_processes 1;

events {
	worker_connections  1024;
}

http {
	server {
		listen 443 ssl;    # "ssl on;" is deprecated; enabling TLS on the listen socket is the supported form

		ssl_certificate /tank/nginx/tls/;        # the concatenated certificate file
		ssl_certificate_key /tank/nginx/tls/;    # the private key generated with the CSR
		ssl_session_cache shared:SSL:1m;
		ssl_session_timeout 5m;

		ssl_ciphers HIGH:!aNULL:!MD5;
		ssl_prefer_server_ciphers on;

		location / {
			root /usr/local/www/nginx;
			index index.html index.htm;
		}
	}
}