Roel's Praathoek - Configure your Protected Webserve

Website certificates, how they work

Certificates are used to secure connections for your website (or even other connections) by encrypting your network traphic. They where originally called SSL certificates, but the assiociated SSL (Secure Sockets Layer) protocols are not considers safe anymore. SSL is now replaced by TLS (Transport Layer Security) but the use of certificates containing public and/or private encription keys is largly the same. Note that the cryptography used to protect the certificates did advange too.

Certificates contain the 'encryption keys' to establish encrypted connections. For https, your webserver needs to have 'the private key' and the webbrowser needs to have 'the public key'. Your browser can get the website's public key from your webserver as part of your webserver certificate. A webserver certificate is basically your public key with some metadata 'signed' by a Certificate Authority.

In order for a webbrowser to accept your certificate (with your websites public key) as valid, you need to have your certificate 'signed'. This signing is done by generating a Certificate Signing Request (csr), upload that to a CA, do some 'paperwork' to prove you are the domain owner, then wait for the certificate to be ready.

How to get your website certificates

To provide some context. I am using a computer running archlinux. The example code is executed from within a terminal window. I used the notes I made while refreshing my website certificates, a few years back. This code is needed to manually create and have signed your certificates. Now I use certbot to request and renew my certificates.

As an exercise, I try to make my website as secure as possible by getting a certificate conforming to the latest insights and allowing only secure ciphers and protocols.

 

Create a keypair

Create a keypair to be used for a 2048 bit certificate into a file named 'example.com.key' (PEM encoded)

openssl genrsa -out example.com.key 2048

Or doing the same using newer syntax (genrsa is depreciated)

openssl genpkey -algorithm RSA -out example.com.key 2048

This example will not ask you for a passphrase. Remember without a passphrase, your PEM-file with the keypair is unprotected. However you need a PEM-file without a passphrase for the webserver to start automaticly. You can add a passphrase if you wish, just add '-aes256' before the final 2048 to the command to secure your PEM-file with a passphrase.

 

Create a certificate signing request

Create a certificate signing request into a file named 'example.com.csr'

openssl req -new -nodes -sha256 -key example.com.key -out example.com.csr

It will ask you for some more input, but only your country (e.g NL) and the 'Common Name' i.e the name of your server (e.g. www.example.com) are relevant. The other fields might be relevant, but are not used for e.g a domain validated certs like you get for free from StartSSL.

Combine generating the keypair and the signing request is also possible, like this:

openssl req -sha256 -newkey rsa:2048 -nodes -keyout example.com.key -out example.com.csr -subj '/C=NL/CN=www.example.com'

Send the signing request to the CA to sign your certificate (usually by copy/pasting the content of the csr file to a webpage and answering some questions). Your private key wil not be in the signing request, so it does not leave your computer.

 

Install your own web server

 

42

Answer to the Ultimate Question of Life, the Universe, and Everything.

World IPv6 Launch

Secured with a Let’s Encrypt certificate

RoHeVe - Roel's Praathoek - Persoonlijke Site

Creative Commons LicenseThis work by is licensed under a Creative Commons Attribution-ShareAlike 4.0 International License.