Roel's Praathoek - Configure your Protected Webserve

Website certificates, how they work

Certificates are used to secure connections for your website (or other connections) by encrypting your network traffic. They were originally called SSL certificates, but the associated SSL (Secure Sockets Layer) protocols are no longer considered safe. SSL has been replaced by TLS (Transport Layer Security), but the use of certificates containing public and/or private encryption keys is largely the same. Note that the cryptography used to protect the certificates has advanced too.

Certificates contain the 'encryption keys' used to establish encrypted connections. For https, your webserver needs to have 'the private key' and the web browser needs to have 'the public key'. Your browser gets the website's public key from your webserver as part of your webserver certificate. A webserver certificate is basically your public key plus some metadata, 'signed' by a Certificate Authority (CA).

In order for a web browser to accept your certificate (with your website's public key) as valid, you need to have your certificate 'signed'. This signing is done by generating a Certificate Signing Request (csr), uploading it to a CA, doing some 'paperwork' to prove you are the domain owner, and then waiting for the certificate to be ready.

The steps to secure your website connections are:
  • Create a keypair (with a public key and a matching private key).
  • Create a certificate signing request (csr) with the public key from the keypair and your website name.
  • Have the csr processed by a CA so it gets signed and combined into your website certificate.
  • Get the certificate onto your website server.
  • Get your private key onto your website server.
  • Make sure the webserver can find both (and protect the private key so only your webserver can read it).

How to get your website certificates

To provide some context: I am using a computer running archlinux. The example code is executed from within a terminal window. I used the notes I made while refreshing my website certificates a few years back. This code is needed to manually create your certificates and have them signed. Nowadays I use certbot to request and renew my certificates.

As an exercise, I try to make my website as secure as possible by getting a certificate conforming to the latest insights and allowing only secure ciphers and protocols.


Create a keypair

Create a keypair to be used for a 2048 bit certificate, stored in a file named 'example.com.key' (PEM encoded):

openssl genrsa -out example.com.key 2048

Or do the same using the newer syntax (genrsa is deprecated); genpkey does not take the key size as a bare argument, so it is passed with -pkeyopt:

openssl genpkey -algorithm RSA -out example.com.key -pkeyopt rsa_keygen_bits:2048

This example will not ask you for a passphrase. Remember that without a passphrase, your PEM-file with the keypair is unprotected. However, you need a PEM-file without a passphrase for the webserver to start automatically. You can add a passphrase if you wish: just add '-aes256' before the final 2048 in the genrsa command to secure your PEM-file with a passphrase.


Create a certificate signing request

Create a certificate signing request, stored in a file named 'example.com.csr':

openssl req -new -nodes -sha256 -key example.com.key -out example.com.csr

It will ask you for some more input, but only your country (e.g. NL) and the 'Common Name', i.e. the name of your server (e.g. www.example.com), are relevant. The other fields might be relevant in other cases, but are not used for e.g. the domain validated certificates you get for free from StartSSL.

Combining the generation of the keypair and the signing request in one command is also possible, like this:

openssl req -sha256 -newkey rsa:2048 -nodes -keyout example.com.key -out example.com.csr -subj '/C=NL/CN=www.example.com'

Send the signing request to the CA to have your certificate signed (usually by copy/pasting the content of the csr file into a webpage and answering some questions). Your private key will not be in the signing request, so it never leaves your computer.
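As an added example (not from the original notes), the script below walks through the first two steps of the list above non-interactively, locks down the private key as the last step asks, and then checks that the csr really belongs to the private key before you send it off. The working directory, file names and the helper function names are assumptions; it only needs openssl on the PATH.

```shell
#!/bin/sh
# Added example, not part of the original post: create a 2048-bit RSA keypair
# (no passphrase, so the webserver can start unattended) plus a CSR for the
# given server name, restrict the key file, and verify CSR/key consistency.
# Directory, file names and function names are assumptions.

make_key_and_csr() {
    dir="$1"      # working directory (assumed, e.g. ./certs)
    name="$2"     # server name, e.g. www.example.com

    # Keypair and signing request in one go; -nodes leaves the key unencrypted.
    openssl req -sha256 -newkey rsa:2048 -nodes \
        -keyout "$dir/$name.key" -out "$dir/$name.csr" \
        -subj "/C=NL/CN=$name" 2>/dev/null || return 1

    # Only the owner (the account the webserver runs as) may read the key.
    chmod 600 "$dir/$name.key"
}

# Compare the public key embedded in the CSR with the public key derived from
# the private key file; prints "match" or "mismatch".
csr_matches_key() {
    csr_pub=$(openssl req -in "$1" -noout -pubkey 2>/dev/null | openssl sha256)
    key_pub=$(openssl pkey -in "$2" -pubout 2>/dev/null | openssl sha256)
    if [ -n "$csr_pub" ] && [ "$csr_pub" = "$key_pub" ]; then
        echo match
    else
        echo mismatch
    fi
}

# Permission bits of a file as an octal string, e.g. "600" (GNU or BSD stat).
key_mode() {
    stat -c %a "$1" 2>/dev/null || stat -f %Lp "$1"
}
```

Run `make_key_and_csr ./certs www.example.com` and then `csr_matches_key ./certs/www.example.com.csr ./certs/www.example.com.key`; a "mismatch" means you are about to upload a csr that your key cannot serve.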
