
TLS

TLS (Transport Layer Security), the successor of SSL, is a cryptographic protocol that encrypts communication over networks, protects it against tampering and authenticates the server (optionally also the client) with certificates. The name SSL is still widely used for it, e.g. in the OpenSSL tool and in the NGINX and Apache directive names.

Installation

aptitude install openssl

Creation

Private key

A private key should be kept secret and secure.

Backup

Keep a backup of the private key so that a new certificate for the same key can be requested, or the service moved to another host, without generating and distributing a new key. The backup needs the same protection as the key itself: restricted file permissions and encrypted storage. If the key may have been exposed, do not restore it from the backup; generate a new key and have the old certificate revoked.

RSA

An RSA private key with a size of 4096 bits can be created this way. Adding -aes256 protects the key file with a passphrase, which the server then needs at every start.

openssl genrsa -out /path/to/key 4096

Encryption strength

As of June 2021, 2048 bits is the minimum RSA key size that public CAs and browsers accept; 3072 or 4096 bits gives a larger safety margin at the cost of slower handshakes.

ECDSA

An ECDSA private key on the curve prime256v1 (NIST P-256, a 256-bit curve with security comparable to a 3072-bit RSA key, but with much smaller keys and faster signatures) can be created this way. Adding -noout omits the separate EC PARAMETERS block from the key file, which some software cannot parse.

openssl ecparam -genkey -name prime256v1 -out /path/to/key

CSR

Next the CSR (certificate signing request) is generated[1]. Enter the following command:

openssl req -new -key /path/to/key -out /path/to/csr

OpenSSL then prompts for the subject fields. Provide them accurately; a public CA checks them and embeds them in the certificate. The defaults in square brackets come from openssl.cnf; enter a single period (.) to leave a field empty.

Country Name (2 letter code) [AU]: (two letter country code, e.g. DE for Germany)
State or Province Name (full name) [Some-State]: (Full name of the state, e.g. Schleswig-Holstein)
Locality Name (eg, city) []: (Full name of the city, e.g. Berlin)
Organization Name (eg, company) [Internet Widgits Pty Ltd]: (Full company/personal name)
Organizational Unit Name (eg, section) []: (Full department/division name)
Common Name (eg, YOUR name) []: (Full domain name, e.g. www.example.com, subdomain.example.com)
Email Address []: (Optional; it ends up in the public certificate, so leave it empty unless needed)
A challenge password []: (Optional; an attribute in the CSR for the CA, normally left empty)
An optional company name []: (Optional: Additional company/personal name)

Strictly speaking, a certificate is valid for the host names listed in its subjectAltName (SAN) extension; modern browsers ignore the Common Name entirely (Chrome since version 58, 2017), so a certificate containing only a CN is not accepted. Public CAs copy the CN into the SAN and usually let you add further names; when you issue certificates yourself, add the SAN explicitly, e.g. with -addext "subjectAltName=DNS:www.example.com,DNS:example.com" on openssl req (OpenSSL 1.1.1 or later). A so-called wildcard certificate is requested by putting an asterisk (*) in place of the leftmost label (www is also just a subdomain). For example:

Common Name (eg, YOUR name) []: *.example.com

Such a certificate is valid for every name at that level (www.example.com, mail.example.com), but not for deeper levels (a.b.example.com) and not for the bare domain example.com, which has to be added as a separate name. The "challenge password" is an attribute stored in the CSR for the CA, not a passphrase on your key; leave it empty. Apache (or NGINX) asks for a passphrase at startup only if the private key file itself was encrypted, e.g. with openssl genrsa -aes256.

One liner

The subject fields can be passed non-interactively with -subj (the SAN is added with -addext in the same way).

openssl req -new -key /path/to/key -out /path/to/csr -subj "/C=country/ST=state/L=city/O=organization/CN=domain"

Validate

You can check the contents of the CSR with the following command. Adding -verify also checks the CSR's own signature, which proves that it was created with the private key matching the public key it contains.

openssl req -noout -text -in /path/to/csr

Official Certificate Authority

If the CSR contains exactly the intended information, submit it to a certificate authority (CA). Only the CSR leaves your system; the private key never does.

Sign

If you do not need an official certificate, e.g. for a development environment, you can also sign it yourself. Self-signed certificates trigger a warning in all major browsers and are rejected by most API clients by default; the visitor must add an exception or import the certificate into the trust store to view the page encrypted.

This is how to self-sign a certificate from the CSR that is valid for one year. Do not add -new here: with -new, openssl req ignores -in and starts a fresh interactive request instead.

openssl req -x509 -in /path/to/csr -key /path/to/key -out /path/to/certificate -days 365

Direct CSR

The CSR information can be placed directly into the certificate generation by using -subj.

openssl req -x509 -new -key /path/to/key -out /path/to/certificate -days 365 -subj "/C=country/ST=state/L=city/O=organization/CN=domain"

Additionally, the following parameters can be added.

Parameter: Description
-sha512: Signs with SHA-512 instead of the default SHA-256 (the default since OpenSSL 1.1.0). SHA-256 is not a weakness; SHA-1 is the one to avoid.
-nodes: Does not encrypt the private key ("no DES"), which is useful for non-interactive generation. It only matters when the key is generated in the same command with -newkey; with an existing unencrypted key, as here, it has no effect. OpenSSL 3 calls this option -noenc, -nodes still works.

openssl req -x509 -new -sha512 -nodes -key /path/to/key -out /path/to/certificate -days 365 -subj "/C=country/ST=state/L=city/O=organization/CN=domain"
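The procedure of the sections above (key, CSR, validation, self-signing) as one non-interactive script. This is an added example, not code from the original page; it assumes OpenSSL 1.1.1 or later (for -addext), and every host name, path and subject field in it is a made-up sample value. Unlike the commands above it puts the host names into a subjectAltName, which is what browsers actually check, and it self-signs from the CSR without -new.

```shell
#!/bin/sh
# Added example (not from the original page): key -> CSR with SAN -> checks
# -> self-signed certificate. Assumes OpenSSL 1.1.1+ (for -addext); every
# host name, path and subject field below is a made-up sample value.
set -eu

# Generate a private key: "rsa" (4096 bit) or "ec" (curve prime256v1).
# -noout keeps the separate "EC PARAMETERS" block out of the EC key file.
gen_key() {  # $1 = output path, $2 = rsa|ec
  case "$2" in
    rsa) openssl genrsa -out "$1" 4096 2>/dev/null ;;
    ec)  openssl ecparam -genkey -name prime256v1 -noout -out "$1" ;;
    *)   echo "unknown key type: $2" >&2; return 1 ;;
  esac
  chmod 600 "$1"   # the private key is readable by its owner only
}

# Create a CSR without prompts. Browsers match the host name against the
# subjectAltName extension, not the CN, so the names go into the SAN too.
make_csr() {  # $1 = key, $2 = CSR output, $3 = CN, $4 = SAN, e.g. DNS:a,DNS:b
  openssl req -new -key "$1" -out "$2" \
    -subj "/C=DE/ST=Berlin/L=Berlin/O=Example GmbH/CN=$3" \
    -addext "subjectAltName=$4"
}

# -verify checks the CSR's own signature, i.e. that it was produced with
# the private key matching the public key it carries.
csr_is_valid() {  # $1 = CSR
  openssl req -in "$1" -noout -verify >/dev/null 2>&1
}

# List the DNS names from the CSR's subjectAltName, one per line.
csr_dns_names() {  # $1 = CSR
  openssl req -in "$1" -noout -text | grep -o 'DNS:[^,[:space:]]*' | sed 's/^DNS://'
}

# Self-sign a certificate from the CSR. No -new here: with -new, openssl req
# ignores -in and starts a fresh (interactive) request. The SAN is stated
# again because req -x509 does not copy extensions from the CSR by default
# (OpenSSL 3 can do that with -copy_extensions copy).
self_sign() {  # $1 = key, $2 = CSR, $3 = cert output, $4 = days, $5 = SAN
  openssl req -x509 -in "$2" -key "$1" -out "$3" -days "$4" -sha256 \
    -addext "subjectAltName=$5"
}

# A self-signed certificate has identical subject and issuer and verifies
# against itself when it is used as the trust anchor.
cert_is_self_signed() {  # $1 = cert
  subj=$(openssl x509 -in "$1" -noout -subject | sed 's/^subject=//')
  iss=$(openssl x509 -in "$1" -noout -issuer | sed 's/^issuer=//')
  [ "$subj" = "$iss" ] && openssl verify -CAfile "$1" "$1" >/dev/null 2>&1
}

# Exit status 0 only if the certificate stays valid for at least $2 seconds.
cert_valid_for() {  # $1 = cert, $2 = seconds
  openssl x509 -in "$1" -noout -checkend "$2" >/dev/null
}

# Demo run in a scratch directory with sample (made-up) names.
demo=$(mktemp -d)
gen_key "$demo/key.pem" ec
make_csr "$demo/key.pem" "$demo/req.csr" www.example.com "DNS:www.example.com,DNS:example.com"
csr_is_valid "$demo/req.csr" && csr_dns_names "$demo/req.csr"
self_sign "$demo/key.pem" "$demo/req.csr" "$demo/cert.pem" 365 "DNS:www.example.com,DNS:example.com"
cert_is_self_signed "$demo/cert.pem" && echo "self-signed certificate OK"
rm -rf "$demo"
```

The demo uses an EC key because it is generated instantly; pass rsa to gen_key for the 4096-bit RSA key from the RSA section. cert_valid_for is the check to put into monitoring: -checkend with the renewal lead time (e.g. 30 days in seconds) fails as soon as the certificate is about to expire.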

CA

Use this command to sign the CSR with your own certificate authority (CA) certificate and key. Note that openssl x509 -req ignores any extensions contained in the CSR, including the subjectAltName: state them again in a file passed with -extfile /path/to/extensions.cnf, or, with OpenSSL 3, use -copy_extensions copy.

openssl x509 -req -in /path/to/csr -CA /path/to/ca-certificate -CAkey /path/to/ca-key -CAcreateserial -out /path/to/certificate -days 365

Serial

The parameter -CAcreateserial makes OpenSSL create the serial number file if it does not exist; by default this is the CA certificate's file name with the extension .srl (ca-certificate.srl here). The file holds the serial number of the last certificate; each signing reads it, increments it and writes it back, so that no two certificates issued by this CA share a serial number (a duplicate serial from the same issuer is a certificate mis-issuance). The option is harmless on later runs: an existing file is simply reused. -CAserial /path/to/serial is only needed to store the serial number at a different location; the file must then exist, or -CAcreateserial must be given as well. Keep the serial file together with the CA key.

openssl x509 -req -in /path/to/csr -CA /path/to/ca-certificate -CAkey /path/to/ca-key -CAserial /path/to/serial -out /path/to/certificate -days 365
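A minimal private CA as an added example (not code from the original page) that ties the CA and Serial sections together: it creates a CA, signs a CSR twice with openssl x509 -req, shows that -CAcreateserial is fine on every run and yields distinct serial numbers, and supplies the server extensions (including the SAN) through -extfile because x509 -req drops the extensions from the CSR. It assumes OpenSSL 1.1.1 or later; all names, subjects and paths are made-up sample values.

```shell
#!/bin/sh
# Added example (not from the original page): a minimal private CA that signs
# a CSR with `openssl x509 -req`, shows the serial file handling and the
# extension file that is needed because x509 -req drops the CSR's extensions.
# Assumes OpenSSL 1.1.1+; all names, subjects and paths are made-up samples.
set -eu

# Create the CA key and its self-signed certificate. A private config file is
# used so that the CA extensions are explicit and do not depend on the
# system openssl.cnf.
make_ca() {  # $1 = directory for ca.key, ca.crt, ca.cnf
  cat > "$1/ca.cnf" <<'EOF'
[req]
distinguished_name = dn
prompt = no
[dn]
C = DE
O = Example GmbH
CN = Example Internal CA
[v3_ca]
basicConstraints = critical, CA:TRUE, pathlen:0
keyUsage = critical, keyCertSign, cRLSign
subjectKeyIdentifier = hash
EOF
  openssl genrsa -out "$1/ca.key" 4096 2>/dev/null
  chmod 600 "$1/ca.key"
  openssl req -x509 -new -key "$1/ca.key" -out "$1/ca.crt" -days 3650 -sha256 \
    -config "$1/ca.cnf" -extensions v3_ca
}

# Sign a CSR with the CA. x509 -req ignores extensions inside the CSR, so the
# server-certificate extensions (including the SAN) come from -extfile.
# -CAcreateserial creates ca.srl next to ca.crt on the first run; on later
# runs the existing file is read and the serial in it is incremented, so
# every issued certificate gets a distinct serial number.
sign_with_ca() {  # $1 = CA dir, $2 = CSR, $3 = cert output, $4 = SAN, e.g. DNS:a,DNS:b
  ext="$1/server-ext.cnf"
  printf '%s\n' \
    'basicConstraints = CA:FALSE' \
    'keyUsage = critical, digitalSignature' \
    'extendedKeyUsage = serverAuth' \
    'subjectKeyIdentifier = hash' \
    'authorityKeyIdentifier = keyid' \
    "subjectAltName = $4" > "$ext"
  openssl x509 -req -in "$2" -CA "$1/ca.crt" -CAkey "$1/ca.key" -CAcreateserial \
    -out "$3" -days 365 -sha256 -extfile "$ext" 2>/dev/null
}

# Verify that a certificate chains to the CA (exit status 0 on success).
verify_against_ca() {  # $1 = CA dir, $2 = cert
  openssl verify -CAfile "$1/ca.crt" "$2" >/dev/null 2>&1
}

# Print the certificate's serial number (hex) and its SAN DNS names.
cert_serial() {  # $1 = cert
  openssl x509 -in "$1" -noout -serial | sed 's/^serial=//'
}
cert_dns_names() {  # $1 = cert
  openssl x509 -in "$1" -noout -text | grep -o 'DNS:[^,[:space:]]*' | sed 's/^DNS://'
}

# Demo: one CA, a server key and CSR, two certificates signed in a row.
demo=$(mktemp -d)
make_ca "$demo"
openssl ecparam -genkey -name prime256v1 -noout -out "$demo/srv.key"
openssl req -new -key "$demo/srv.key" -out "$demo/srv.csr" \
  -subj "/C=DE/O=Example GmbH/CN=www.example.com" \
  -addext "subjectAltName=DNS:www.example.com"   # dropped again by x509 -req
sign_with_ca "$demo" "$demo/srv.csr" "$demo/srv1.crt" "DNS:www.example.com,DNS:example.com"
sign_with_ca "$demo" "$demo/srv.csr" "$demo/srv2.crt" "DNS:www.example.com,DNS:example.com"
verify_against_ca "$demo" "$demo/srv1.crt" && echo "srv1 chains to CA, serial $(cert_serial "$demo/srv1.crt")"
verify_against_ca "$demo" "$demo/srv2.crt" && echo "srv2 chains to CA, serial $(cert_serial "$demo/srv2.crt")"
cert_dns_names "$demo/srv2.crt"
rm -rf "$demo"
```

The keyUsage in the extension file is digitalSignature only, which is what ECDSA keys and RSA keys with ECDHE or TLS 1.3 need; add keyEncipherment only if an RSA key must also serve the obsolete static RSA key exchange of TLS 1.2.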

Setup

It is assumed that a configuration for a (virtual) host already exists and that this host should now additionally be reachable via TLS. Copy the host's configuration block and change the port to 443 (Apache: <VirtualHost *:443>, NGINX: listen 443 ssl;).

The asterisk can of course be replaced by an IP address. Optionally, separate log files can be configured for a clearer access overview.

NGINX

The certificate file must contain the server certificate first, followed by any intermediate CA certificates.

listen 443 ssl;
ssl_certificate /path/to/cert.pem;
ssl_certificate_key /path/to/key.pem;

Test the configuration, then reload NGINX.

nginx -t
service nginx reload

Apache

Now add the paths to the private key and the certificate and enable TLS mode. Since Apache 2.4.8 the intermediate CA certificates can simply be appended to the certificate file.

SSLEngine on
SSLCertificateKeyFile /path/to/private-key/filename.key
SSLCertificateFile /path/to/certificate/filename.crt

Finally, check the configuration and reload Apache (or restart it). This is done with the following commands:

apachectl configtest
/etc/init.d/apache2 reload

If the settings were not accepted, repeat the command, but replace reload with restart.

As a note, all current browsers and clients send the requested host name in the TLS handshake (Server Name Indication, SNI), so several domains and certificates can share one IP address and port; a separate IP per certificate is only needed for very old clients such as Internet Explorer on Windows XP. A wildcard certificate covers only one level of subdomains of a single domain (see the CSR section).

DH parameter

To strengthen the DHE key exchange of TLS 1.2 and earlier, generate your own Diffie-Hellman parameters. 2048 bits is the accepted minimum today; 4096 bits is stronger but the generation can take many minutes and the handshake becomes slower. TLS 1.3 does not use this file at all, it negotiates named groups such as x25519 instead.

openssl dhparam -out /path/to/dhparam.pem 4096

Ciphers

Without DH parameters NGINX (since 1.11.0) sets none, so all DHE cipher suites are silently unavailable and only ECDHE (or, in old configurations, the non-forward-secret RSA key exchange) remains.

NGINX

ssl_dhparam /path/to/dhparam.pem;

[1] For self-signed certificates the CSR information can be combined with the certificate generation (see Direct CSR).