TLS
TLS, still often called SSL after its predecessor, is a cryptographic protocol that encrypts communication over networks.
Installation
Creation
Private key
A private key should be kept secret and secure.
Backup
You should create a backup of your private key, so that a new certificate can be created without problems in case of loss or relocation.
RSA
An RSA private key with a size of 4096 bits can be created this way.
Encryption strength
The minimum key size for RSA keys should be 2048 bits (as of 2021/06).
ECDSA
An ECDSA private key on the elliptic curve prime256v1 can be created this way.
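The following script is an added example and not code from the original page. It creates both key types described above (a 4096-bit RSA key and a prime256v1 ECDSA key), keeps the files readable by their owner only, and reads back what openssl actually produced so the size and curve can be checked. The file names and the WORKDIR directory are assumptions of this example.

```shell
#!/bin/sh
# Added example, not code from the original page: create the RSA and ECDSA
# private keys described above with openssl and verify what was produced.
# File names and WORKDIR are assumptions of this example.
set -eu

WORKDIR="${WORKDIR:-$(mktemp -d)}"

# Files created from here on are readable by their owner only (mode 0600),
# so a key is never world-readable, not even briefly between two commands.
umask 077

# gen_rsa_key FILE [BITS]: RSA private key, 4096 bit unless BITS is given.
gen_rsa_key() {
    openssl genrsa -out "$1" "${2:-4096}" 2>/dev/null
}

# gen_ec_key FILE [CURVE]: ECDSA private key on prime256v1 (NIST P-256)
# unless another named curve is given.
gen_ec_key() {
    openssl ecparam -name "${2:-prime256v1}" -genkey -noout -out "$1"
}

# key_bits FILE: the key size openssl reports for FILE, e.g. 4096 or 256.
# Works for both key types because both print a "Private-Key: (N bit ...)" line.
key_bits() {
    openssl pkey -in "$1" -noout -text | sed -n 's/^.*Private-Key: (\([0-9]*\) bit.*$/\1/p'
}

# key_curve FILE: the named curve of an EC key, e.g. prime256v1.
key_curve() {
    openssl pkey -in "$1" -noout -text | sed -n 's/^ *ASN1 OID: *\(.*\)$/\1/p'
}

# world_readable FILE: true if users other than the owner may read FILE.
# The 8th character of "ls -l" output is the "other read" bit, which is portable.
world_readable() {
    [ "$(ls -ld "$1" | cut -c8)" = "r" ]
}

# --- run it ---
gen_rsa_key "$WORKDIR/server-rsa.key"
gen_ec_key  "$WORKDIR/server-ec.key"
echo "RSA key: $(key_bits "$WORKDIR/server-rsa.key") bit"
echo "EC key:  $(key_bits "$WORKDIR/server-ec.key") bit, curve $(key_curve "$WORKDIR/server-ec.key")"
ls -l "$WORKDIR"
```

The backup recommended above should be a copy of the key file made with the same restrictive permissions (copy it while the umask is still 077, or `chmod 600` the copy), stored off the server; the world_readable check is a quick way to confirm that neither the original nor the copy has leaked to other local users.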
CSR
Now the CSR needs to be generated[1]. Please enter the following line in the console.
Now you will be asked for some information, which you should provide truthfully.
The certificate is issued for the domain specified as the common name and is only valid for this name. However, a so-called wildcard certificate can also be issued by simply entering an asterisk (*) in place of the subdomain (www is also just a subdomain). For example:
This certificate would then be valid for all subdomains. If you enter a password at the A challenge password prompt, Apache can only be started after entering the password once the certificate has been included.
One liner
The CSR information can be placed directly with -subj.
Validate
You can check the contents of the CSR with the following command.
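The following script is an added example covering the CSR, one-liner and validate steps above; it is not code from the original page. It creates the request non-interactively with -subj, once for a single host and once as a wildcard request, then reads the common name back, verifies the request's own signature, and confirms that the request really belongs to the private key it is about to be paired with. File names, the subject values and WORKDIR are assumptions of this example.

```shell
#!/bin/sh
# Added example, not code from the original page: build the CSR without the
# interactive prompts (-subj), once for a single host and once as a wildcard
# request, then inspect and verify it. File names, subject values and WORKDIR
# are assumptions of this example.
set -eu

WORKDIR="${WORKDIR:-$(mktemp -d)}"
umask 077

# Private key from the previous step (2048 bit here to keep the example quick).
openssl genrsa -out "$WORKDIR/server.key" 2048 2>/dev/null

# make_csr KEY OUT SUBJECT: create a request for KEY; SUBJECT is the -subj
# string "/C=../ST=../L=../O=../CN=..", so nothing is asked on the console.
make_csr() {
    openssl req -new -key "$1" -out "$2" -subj "$3"
}

# csr_cn CSR: the common name the request asks a certificate for.
csr_cn() {
    openssl req -in "$1" -noout -subject | sed -n 's/.*CN *= *\([^,/]*\).*/\1/p'
}

# csr_verify CSR: check the request's own signature (exit status 0 = intact).
csr_verify() {
    openssl req -in "$1" -noout -verify >/dev/null 2>&1
}

# csr_matches_key CSR KEY: the public key embedded in the CSR must be the one
# derived from KEY; this catches a mixed-up key file before the request is
# sent to a certificate authority.
csr_matches_key() {
    [ "$(openssl req -in "$1" -noout -pubkey)" = "$(openssl pkey -in "$2" -pubout)" ]
}

# --- run it ---
SUBJ_BASE="/C=DE/ST=Bavaria/L=Munich/O=Example Org"
make_csr "$WORKDIR/server.key" "$WORKDIR/www.csr"      "$SUBJ_BASE/CN=www.example.com"
make_csr "$WORKDIR/server.key" "$WORKDIR/wildcard.csr" "$SUBJ_BASE/CN=*.example.com"

for csr in "$WORKDIR/www.csr" "$WORKDIR/wildcard.csr"; do
    echo "$csr: CN=$(csr_cn "$csr")"
    csr_verify "$csr"
    csr_matches_key "$csr" "$WORKDIR/server.key"
done

# Full human-readable dump, the same thing the "Validate" step shows.
openssl req -in "$WORKDIR/www.csr" -noout -text
```

Two practical notes on the prompts that -subj skips: a challenge password is stored as an attribute inside the CSR and does not protect the key file; what makes a server ask for a password at start-up is a passphrase on the private key itself (for example a key created with `openssl genrsa -aes256`). Current browsers also expect the host name in a subjectAltName extension rather than only in the common name; with OpenSSL 1.1.1 or newer it can be added to the request with `-addext "subjectAltName=DNS:www.example.com"`.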
Official Certificate Authority
If the CSR contains the completely correct information, you can now pass it on to a certification authority.
Sign
If you do not need an official certificate e.g., for a development environment, you can also sign it yourself. Self-signed certificates generate a warning in most browsers. The visitor must add an exception to view the page encrypted.
This is how to self-sign a certificate that is valid for one year.
Direct CSR
The CSR information can be placed directly into the certificate generation by using -subj.
Additionally, the listed parameters can be added.
Parameter | Description
---|---
-sha512 | Uses SHA512 instead of SHA256 as the hash algorithm.
-nodes | Disables asking for a password. Useful for non-interactive generation.
CA
Use this command to sign the certificate with your own Certificate Authority certificate.
Serial
The parameter -CAcreateserial creates a file that stores the number of created certificates, which is used as the serial number of each certificate to avoid duplicates. The parameter -CAcreateserial is therefore only valid for the first run, which creates the file. For all subsequent certificate creations the parameter -CAserial /path/to/serial must be used instead.
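The following script is an added example that serves the Sign, Direct CSR, CA and Serial sections above; it is not code from the original page. It produces a self-signed certificate both ways (signing an existing CSR, and generating key and certificate in one step with -subj, -nodes and -sha512), then acts as a private CA: the first leaf certificate is signed with -CAcreateserial, the second with -CAserial, and the script checks that both verify against the CA and received different serial numbers. File names, subjects and WORKDIR are assumptions of this example.

```shell
#!/bin/sh
# Added example, not code from the original page: self-signed certificates
# (from a CSR, or key + certificate in one step), then signing with our own CA
# using -CAcreateserial on the first run and -CAserial afterwards.
# File names, subjects and WORKDIR are assumptions of this example.
set -eu

WORKDIR="${WORKDIR:-$(mktemp -d)}"
umask 077
SUBJ="/C=DE/ST=Bavaria/L=Munich/O=Example Org"

# self_sign_csr CSR KEY OUT [DAYS]: certificate signed with its own key.
self_sign_csr() {
    openssl x509 -req -in "$1" -signkey "$2" -out "$3" -days "${4:-365}" 2>/dev/null
}

# self_signed_oneshot SUBJECT KEYOUT CERTOUT [DAYS]: key and certificate at
# once, no prompts (-nodes: unencrypted key, -subj: no questions, -sha512: digest).
self_signed_oneshot() {
    openssl req -x509 -newkey rsa:2048 -nodes -sha512 -subj "$1" \
        -keyout "$2" -out "$3" -days "${4:-365}" 2>/dev/null
}

# ca_sign CSR CACERT CAKEY SERIALFILE OUT [DAYS]: sign a request with our CA.
# -CAserial names the serial file; -CAcreateserial is added only while that
# file does not exist yet, so every later certificate gets the next number.
ca_sign() {
    create_opt=""
    [ -f "$4" ] || create_opt="-CAcreateserial"
    openssl x509 -req -in "$1" -CA "$2" -CAkey "$3" -CAserial "$4" $create_opt \
        -out "$5" -days "${6:-365}" 2>/dev/null
}

# cert_serial CERT: hexadecimal serial number of the certificate.
cert_serial() {
    openssl x509 -in "$1" -noout -serial | sed 's/^serial=//'
}

# cert_sigalg CERT: signature algorithm, e.g. sha512WithRSAEncryption.
cert_sigalg() {
    openssl x509 -in "$1" -noout -text | awk '/Signature Algorithm:/ { print $3; exit }'
}

# cert_verify CAFILE CERT: does CERT chain to CAFILE? (exit status 0 = yes)
cert_verify() {
    openssl verify -CAfile "$1" "$2" >/dev/null 2>&1
}

# --- run it ---
# Leaf key and request, as created in the previous steps.
openssl genrsa -out "$WORKDIR/server.key" 2048 2>/dev/null
openssl req -new -key "$WORKDIR/server.key" -out "$WORKDIR/server.csr" -subj "$SUBJ/CN=www.example.com"

# 1) self-signed, from the CSR
self_sign_csr "$WORKDIR/server.csr" "$WORKDIR/server.key" "$WORKDIR/self.crt"

# 2) self-signed, key and certificate in one go
self_signed_oneshot "$SUBJ/CN=dev.example.com" "$WORKDIR/dev.key" "$WORKDIR/dev.crt"

# 3) our own CA: a long-lived self-signed CA certificate, then two leaves
self_signed_oneshot "$SUBJ/CN=Example Org Internal CA" "$WORKDIR/ca.key" "$WORKDIR/ca.crt" 3650
openssl req -new -key "$WORKDIR/server.key" -out "$WORKDIR/second.csr" -subj "$SUBJ/CN=api.example.com"
ca_sign "$WORKDIR/server.csr" "$WORKDIR/ca.crt" "$WORKDIR/ca.key" "$WORKDIR/ca.srl" "$WORKDIR/www.crt"  # creates ca.srl
ca_sign "$WORKDIR/second.csr" "$WORKDIR/ca.crt" "$WORKDIR/ca.key" "$WORKDIR/ca.srl" "$WORKDIR/api.crt"  # reuses ca.srl

for c in self dev www api; do
    echo "$c.crt serial=$(cert_serial "$WORKDIR/$c.crt") sig=$(cert_sigalg "$WORKDIR/$c.crt")"
done
```

The serial file is the only state the CA keeps between runs, so it belongs next to the CA key and in the same backup: losing it and starting over with -CAcreateserial would hand out serial numbers that were already used.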
Setup
It is assumed that a configuration for a (virtual) host already exists and that this host should now additionally be made accessible via TLS. All you have to do is copy the configuration file and change the port to 443.
The asterisk can of course be replaced by an IP. Optionally, separate log files can be created for a better access overview.
NGINX
Reload NGINX configuration.
Apache
Now add the path to the private key, certificate, and enable TLS mode.
Finally, all that is left is to restart Apache or reload the configuration. This is done with the following command:
If the settings were not accepted, repeat the command, but replace reload with restart.
As a note, one IP is required per domain/certificate. A wildcard certificate is only valid for all subdomains of a domain.
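The following script is an added example for the NGINX and Apache setup described above; it is not code from the original page and not a configuration shipped by either project. It writes the TLS copy of a virtual host for both servers and, more importantly, runs the checks worth doing before the reload: that the certificate and the private key belong together, that the certificate covers the host name, and that it is not about to expire. The host name, log paths and WORKDIR are assumptions, and the certificate is a self-signed stand-in.

```shell
#!/bin/sh
# Added example, not code from the original page: pre-flight checks before
# reloading the web server with a new key/certificate pair, plus the server
# blocks the text describes. Host name, paths and WORKDIR are assumptions.
set -eu

WORKDIR="${WORKDIR:-$(mktemp -d)}"
umask 077

# cert_matches_key CERT KEY: the public key in the certificate must be the one
# derived from the private key, otherwise the server refuses the pair.
cert_matches_key() {
    [ "$(openssl x509 -in "$1" -noout -pubkey)" = "$(openssl pkey -in "$2" -pubout)" ]
}

# cert_covers_host CERT HOST: does the certificate match HOST (plain or wildcard)?
cert_covers_host() {
    openssl x509 -in "$1" -noout -checkhost "$2" | grep -q "does match"
}

# cert_expires_within CERT SECONDS: true if the certificate is expired or will
# expire within SECONDS (a cheap renewal alarm for cron).
cert_expires_within() {
    ! openssl x509 -in "$1" -noout -checkend "$2" >/dev/null
}

# write_nginx_vhost HOST CERT KEY OUT: the TLS copy of an existing server block
# (port 443 instead of 80; "*" may be replaced by an IP; separate logs optional).
write_nginx_vhost() {
    cat > "$4" <<EOF
server {
    listen *:443 ssl;
    server_name $1;
    ssl_certificate     $2;
    ssl_certificate_key $3;
    access_log /var/log/nginx/$1-ssl.access.log;
    error_log  /var/log/nginx/$1-ssl.error.log;
}
EOF
}

# write_apache_vhost HOST CERT KEY OUT: the same for Apache httpd with mod_ssl.
write_apache_vhost() {
    cat > "$4" <<EOF
<VirtualHost *:443>
    ServerName $1
    SSLEngine on
    SSLCertificateFile    $2
    SSLCertificateKeyFile $3
    ErrorLog  /var/log/apache2/$1-ssl.error.log
    CustomLog /var/log/apache2/$1-ssl.access.log combined
</VirtualHost>
EOF
}

# --- run it ---
HOST=www.example.com
# Stand-in wildcard certificate (constructed here; a real one comes from the CA).
openssl req -x509 -newkey rsa:2048 -nodes -subj "/O=Example Org/CN=*.example.com" \
    -keyout "$WORKDIR/server.key" -out "$WORKDIR/server.crt" -days 365 2>/dev/null

write_nginx_vhost  "$HOST" "$WORKDIR/server.crt" "$WORKDIR/server.key" "$WORKDIR/$HOST-ssl.nginx.conf"
write_apache_vhost "$HOST" "$WORKDIR/server.crt" "$WORKDIR/server.key" "$WORKDIR/$HOST-ssl.apache.conf"

cert_matches_key "$WORKDIR/server.crt" "$WORKDIR/server.key" && echo "key and certificate belong together"
cert_covers_host "$WORKDIR/server.crt" "$HOST" && echo "certificate covers $HOST"
if cert_expires_within "$WORKDIR/server.crt" $((30 * 24 * 3600)); then
    echo "renew soon"
else
    echo "more than 30 days left"
fi
cat "$WORKDIR/$HOST-ssl.nginx.conf"
```

Running the three checks first turns the "settings were not accepted" case above into a diagnosable one: a key/certificate mismatch or a wrong host name is reported before the reload, instead of as a failed start.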
DH parameter
To increase the security even further, the Diffie-Hellman parameters should be generated with a high strength, e.g., 4096 bits.
Ciphers
Without a DH parameter file, none of the cipher suites that rely on DH parameters can be used.
NGINX
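The following script is an added example for the DH parameter and Ciphers sections; it is not code from the original page. It generates the parameter file (4096 bits by default, as recommended above; the demo at the bottom uses a smaller size only so that it finishes quickly), runs openssl's own check on the group, and lists exactly which cipher suites the server can only offer once the file is in place. File names and WORKDIR are assumptions of this example.

```shell
#!/bin/sh
# Added example, not code from the original page: generate and check the
# Diffie-Hellman parameter file and list the cipher suites that depend on it.
# File names and WORKDIR are assumptions of this example.
set -eu

WORKDIR="${WORKDIR:-$(mktemp -d)}"

# gen_dhparam FILE [BITS]: safe-prime DH group, 4096 bit by default. Expect
# minutes for 4096 bit. The group is public, so it needs no key-like secrecy.
gen_dhparam() {
    openssl dhparam -out "$1" "${2:-4096}" 2>/dev/null
}

# dhparam_bits FILE: size of the prime stored in FILE.
dhparam_bits() {
    openssl dhparam -in "$1" -noout -text | sed -n 's/.*DH Parameters: (\([0-9]*\) bit).*/\1/p'
}

# dhparam_check FILE: openssl's own consistency check of the group.
dhparam_check() {
    openssl dhparam -in "$1" -noout -check >/dev/null 2>&1
}

# dhe_ciphers: suites using ephemeral DH key exchange (Kx=DH in "ciphers -v").
# These are the ones a server cannot offer without a parameter file.
dhe_ciphers() {
    openssl ciphers -v 'DHE:!aNULL' | awk '$3 == "Kx=DH" { print $1 }'
}

# --- run it ---
# 1024 bit only to keep this demo fast; on a server use the 4096-bit default.
DH_BITS="${DH_BITS:-1024}"
gen_dhparam "$WORKDIR/dhparam.pem" "$DH_BITS"
echo "generated a $(dhparam_bits "$WORKDIR/dhparam.pem")-bit group"
dhparam_check "$WORKDIR/dhparam.pem" && echo "parameters check out"
echo "suites that require the parameter file:"
dhe_ciphers
```

The generated file is referenced from the server configuration with `ssl_dhparam /path/to/dhparam.pem;` in NGINX and `SSLOpenSSLConfCmd DHParameters "/path/to/dhparam.pem"` in Apache httpd; both directives exist in the respective servers, the paths are placeholders.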
[1] For self-signed certificates the CSR information can be combined with the certificate generation.