I just added TLS to the blog while I was renewing another certificate. Over the last couple of years I have deployed quite a few certificates, and this post is really just a simple link collection.

CSR all the way

When getting a certificate, please generate the certificate signing request (CSR) yourself. This way your private key stays private, locally on your server or machine.

DigiCert has a nice tool that helps you generate a CSR. Although the tool is nice, you will probably need to add -sha256 to the options it gives you. Another thing to be aware of is special characters: a slash in a name such as "A/S" must be escaped as "A\/S" in the -subj string, since "/" separates the fields.

Another way is to do it interactively, answering the prompts, by supplying openssl with only:

    openssl req -new -sha256 -newkey rsa:2048 -nodes -keyout www_casadelkrogh_dk.key -out www_casadelkrogh_dk.csr

SSL Shopper has a nice overview of useful openssl commands.

Verify your CSR

Before sending off your CSR you should verify the information in it (-verify also checks the CSR's own signature):

    openssl req -text -noout -verify -in www_casadelkrogh_dk.csr

Checklist:

  • The subject information (country, organisation, etc.) is what you entered
  • The CN matches the desired domain
  • The Signature Algorithm is sha256 (shown as sha256WithRSAEncryption for an RSA key)

Choosing a CA

Next you need to choose your certificate authority (CA). I used StartSSL for a number of years, but following their acquisition they lost a lot of trust. In July 2017 StartSSL was removed from Google Chrome, and other browsers followed soon thereafter.

These days I have switched to Let’s Encrypt, which is also free. There are plenty of guides out there for setting up Let’s Encrypt :) A great thing is that automatic renewal is built in.

Intermediate certificates

When you get your certificate from your CA you will probably get an intermediate certificate as well.

The order in which to concatenate the certificates (and the key, if you use e.g. HAProxy) is from most private to most public: your own certificate first, then the intermediate.

    cat www_casadelkrogh_dk.crt intermediate.pem > www_casadelkrogh_dk-bundle.crt

Configuring nginx

There has been a series of bugs and vulnerabilities affecting SSL/TLS and cipher suites, such as Heartbleed, Logjam and BEAST.

A nice resource for configuring your server is the Mozilla SSL Configuration Generator. It contains configuration examples and cipher lists that are kept up to date.

However, be aware that turning on Strict-Transport-Security means you will always need to run HTTPS: browsers will refuse to use plain HTTP for your site for as long as the header's max-age has not expired.

Personally, my nginx config consists of a shared config:

    #ssl_base.conf
    # Conf from https://cipherli.st
    # let the server, not the client, pick the cipher from the list below
    ssl_prefer_server_ciphers on;
    ssl_ciphers "EECDH+AESGCM:EDH+AESGCM:AES256+EECDH:AES256+EDH";
    # TLSv1 and TLSv1.1 have since been deprecated (RFC 8996); newer configs list TLSv1.2 and TLSv1.3 only
    ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
    ssl_session_cache shared:SSL:10m;
    ssl_ecdh_curve secp384r1;
    # Diffie-Hellman parameters for the EDH suites (generate with openssl dhparam)
    ssl_dhparam /etc/ssl/dhparams.pem;

Then I have the following config:

    server {
      listen 80;
      server_name www.casadelkrogh.dk casadelkrogh.dk;
      # send every plain-HTTP request to the HTTPS site
      rewrite ^(.*) https://$host$1 permanent;
    }

    server {
      # the ssl parameter makes nginx speak TLS on this port; without it (or the old "ssl on;" directive) it would serve plain HTTP on 443
      listen 443 ssl;
      server_name www.casadelkrogh.dk casadelkrogh.dk;

      include ssl_base.conf;
      # the bundle is the certificate followed by the intermediate, as built with cat above
      ssl_certificate /etc/ssl/certs/www_casadelkrogh_dk-bundle.crt;
      ssl_certificate_key /etc/ssl/certs/www_casadelkrogh_dk.key;

      # other conf...
    }

Check your setup

Now you see that it works in your browser and all should be dandy. Even so, please check whether the rest of the internet agrees with you :)

SSL Labs has a nice tool for checking whether you have set up HTTPS properly, even if it is rather slow.

Another alternative that is often faster is https://ssldecoder.org.

Multiple CNs

If you need to add multiple addresses to your certificate, you can do that via the -subj option that the DigiCert tool helps you create. You simply add multiple CNs:

    openssl req -new -key www_casadelkrogh_dk.key -out www_casadelkrogh_dk.csr -subj "/C=DK/ST=/L=/O=/CN=www.casadelkrogh.dk/CN=subdomain2.casadelkrogh.dk" -sha256
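The "Verify your CSR" checklist above, applied to the two-CN request just shown, turned into a script as an added example that is not from the original post; it assumes a POSIX shell, the openssl binary only for the check_csr wrapper, and a constructed sample of openssl's output so the checks also run offline. It goes slightly beyond the post by also accepting the hostname as a Subject Alternative Name DNS entry, which is what browsers match against.

```shell
#!/bin/sh
# Added example, not from the original post: the "Verify your CSR" checklist as a
# script. check_csr_text reads the output of
#   openssl req -text -noout -verify -in <file>.csr
# on stdin and succeeds only if the self-signature verified, the expected host is
# a CN (or a SAN DNS name, which is what browsers match) and the signature
# algorithm is SHA-256. check_csr runs openssl on a real CSR file first.
check_csr_text() {
    expected="$1"
    text="$(cat)"
    # OpenSSL 1.1 prints "verify OK", OpenSSL 3 "Certificate request self-signature verify OK"
    case "$text" in
        *"verify OK"*) ;;
        *) echo "FAIL: CSR self-signature did not verify" >&2; return 1 ;;
    esac
    # Every CN= value from the Subject line (a CSR may carry several) plus every
    # DNS: entry of a requested Subject Alternative Name extension
    names=$(printf '%s\n' "$text" | grep '^ *Subject:' | tr ',' '\n' | sed -n 's/.*CN *= *//p'
            printf '%s\n' "$text" | tr ',' '\n' | sed -n 's/^ *DNS: *//p')
    found=0
    for n in $names; do
        if [ "$n" = "$expected" ]; then found=1; fi
    done
    if [ "$found" -ne 1 ]; then
        echo "FAIL: $expected is not among the requested names:" $names >&2
        return 1
    fi
    # sha256WithRSAEncryption or ecdsa-with-SHA256 pass; sha1WithRSAEncryption fails
    if ! printf '%s\n' "$text" | grep -iq '^ *Signature Algorithm: .*sha256'; then
        echo "FAIL: signature algorithm is not SHA-256" >&2
        return 1
    fi
    return 0
}
# Run the checks against a CSR file on disk (needs the openssl binary)
check_csr() {
    openssl req -text -noout -verify -in "$2" 2>&1 | check_csr_text "$1"
}
# Constructed sample of what openssl prints for the two-CN CSR made at the end of the post
SAMPLE_CSR_TEXT='Certificate Request:
    Data:
        Subject: C = DK, CN = www.casadelkrogh.dk, CN = subdomain2.casadelkrogh.dk
        Attributes:
            Requested Extensions:
                X509v3 Subject Alternative Name:
                    DNS:casadelkrogh.dk
    Signature Algorithm: sha256WithRSAEncryption
Certificate request self-signature verify OK'
printf '%s\n' "$SAMPLE_CSR_TEXT" | check_csr_text www.casadelkrogh.dk && echo "sample CSR passes the checklist"
```

For a real request run `check_csr www.casadelkrogh.dk www_casadelkrogh_dk.csr`; a non-zero exit and a FAIL line on stderr tell you which checklist item to fix before sending the CSR off.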