Roel's Praathoek - Configure your Protected Webserve

Website certificates, how they work

Certificates are used to secure connections to your website (or other services) by encrypting your network traffic. They were originally called SSL certificates, but the associated SSL (Secure Sockets Layer) protocols are no longer considered safe. SSL has been replaced by TLS (Transport Layer Security), but the use of certificates containing public and/or private encryption keys is largely the same. Note that the cryptography used to protect the certificates has advanced too.

Certificates contain the 'encryption keys' used to establish encrypted connections. For https, your web server needs to have 'the private key' and the web browser needs to have 'the public key'. Your browser gets the website's public key from your web server as part of your web server certificate. A web server certificate is basically your public key with some metadata, 'signed' by a Certificate Authority (CA).

In order for a web browser to accept your certificate (with your website's public key) as valid, you need to have your certificate 'signed'. This is done by generating a Certificate Signing Request (CSR), uploading it to a CA, doing some 'paperwork' to prove you are the domain owner, and then waiting for the certificate to be ready.

The steps to secure your website connections are:
  • Create a keypair (with a public key and a matching private key).
  • Create a certificate signing request (CSR) with the public key from the keypair and your website name.
  • Have the CSR processed by a CA so it gets signed and combined into your website certificate.
  • Get the certificate onto your web server.
  • Get your private key onto your web server.
  • Make sure the web server can find both (and protect the private key so only your web server can read it).

How to get your website certificates

In the early days, you needed to get a signed and trusted certificate from a Certificate Authority by sending them a certificate signing request (CSR) file; after some time (the CA performing some checks, and you paying them some money) you would get your signed certificate back.

Nowadays much of this process can be automated, e.g. by using Let's Encrypt as a CA (there are others), and there are tools to help you do that. I use certbot to request and renew my certificates, and that process is automated.

The old method

To provide some context: for this story I use a computer running archlinux, and the commands are executed from within a terminal window. I used the notes I made while refreshing my website certificates a few years back.

The steps in this process are needed to manually create a key, create a signing request, have your certificate signed by a CA and then combine the key and certificate into your web server configuration.


Create a key

Create a key to be used for a 2048 bit certificate in a file named 'example.com.key' (PEM encoded):

openssl genrsa -out example.com.key 2048

Or do the same using the newer syntax (genrsa is deprecated). Note that genpkey takes the key size as a -pkeyopt option rather than as a trailing number:

openssl genpkey -algorithm RSA -out example.com.key -pkeyopt rsa_keygen_bits:2048

These examples will not ask you for a passphrase. Remember that without a passphrase, your PEM file with the keypair is unprotected. However, you need a PEM file without a passphrase for the web server to start automatically. You can add a passphrase if you wish: add '-aes256' before the final 2048 in the genrsa command (or '-aes-256-cbc' to the genpkey command) to secure your PEM file with a passphrase.


Create a certificate signing request

Create a certificate signing request in a file named 'example.com.csr':

openssl req -new -nodes -sha256 -key example.com.key -out example.com.csr

It will ask you for some more input, but only your country (e.g. NL) and the 'Common Name', i.e. the name of your server (e.g. www.example.com), are relevant. The other fields might be relevant, but are not used for e.g. domain validated certificates like the ones you could get for free from (the now defunct) StartSSL.

Combining the generation of the key and the signing request is also possible, like this:

openssl req -sha256 -newkey rsa:2048 -nodes -keyout example.com.key -out example.com.csr -subj '/C=NL/CN=www.example.com'

Send the signing request to the CA to get your certificate signed (usually by copy/pasting the content of the CSR file into a web page and answering some questions). Your private key will not be in the signing request, so it does not leave your computer.
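The following script is an added example and not part of the original page; it walks through the step list above (keypair, CSR, CA signing) using the combined openssl command from this section and then adds the checks a practitioner wants before shipping anything to a server: that the CSR really carries the public half of the key, that the CSR's own signature verifies, that the returned certificate matches the key, and that the private key file is not world-readable. It assumes the openssl command line tool is installed. The scratch directory, the host name www.example.com and the 'toy CA' are constructed for the demonstration: the toy CA merely stands in for the real CA you would send the CSR to, so that the script can show what comes back.

```shell
#!/bin/sh
# Added example, not from the original page. It assumes the openssl command
# line tool is installed; the scratch directory, host name and 'toy CA' below
# are constructed for the demonstration.
set -eu

WORKDIR="${WORKDIR:-$(mktemp -d)}"   # constructed scratch directory
DOMAIN="www.example.com"             # placeholder host name
KEY="$WORKDIR/example.com.key"
CSR="$WORKDIR/example.com.csr"
CRT="$WORKDIR/example.com.crt"

# Steps 1 and 2: key pair and CSR in one go (the combined form from the text).
# The umask makes the private key file readable by its owner only.
make_key_and_csr() {
    (umask 077; openssl req -sha256 -newkey rsa:2048 -nodes \
        -keyout "$KEY" -out "$CSR" -subj "/C=NL/CN=$DOMAIN" 2>/dev/null)
}

# SHA-256 of the public key carried by a private key, a CSR or a certificate.
# All three print the same value when they belong to the same key pair.
pubkey_fp() {  # $1 = key | req | x509, $2 = file
    { case "$1" in
        key)  openssl pkey -in "$2" -pubout ;;
        req)  openssl req  -in "$2" -pubkey -noout ;;
        x509) openssl x509 -in "$2" -pubkey -noout ;;
      esac; } | openssl sha256 | awk '{print $NF}'
}

# Does this CSR (or certificate, when $3 is x509) carry the public half of this key?
check_key_matches() {  # $1 = private key, $2 = CSR or certificate file, $3 = req | x509
    if [ "$(pubkey_fp key "$1")" = "$(pubkey_fp "$3" "$2")" ]; then
        echo match
    else
        echo MISMATCH
    fi
}

# The CSR is signed with the private key; a good signature proves the request
# was made by whoever holds that key (the CA checks this too).
csr_signature_ok() {
    if openssl req -in "$1" -noout -verify >/dev/null 2>&1; then echo ok; else echo bad; fi
}

# Stand-in for the CA: a throwaway self-signed CA signs the CSR, which is what
# a real CA does after it has validated that you control the domain. The
# result is the certificate: your public key plus metadata, signed by the CA.
sign_with_toy_ca() {
    openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 1 \
        -keyout "$WORKDIR/toyca.key" -out "$WORKDIR/toyca.crt" \
        -subj "/CN=Toy CA (constructed)" 2>/dev/null
    openssl x509 -req -in "$CSR" -CA "$WORKDIR/toyca.crt" -CAkey "$WORKDIR/toyca.key" \
        -CAcreateserial -days 1 -sha256 -out "$CRT" 2>/dev/null
}

# The private key file must not be readable by group or others.
key_mode_ok() {
    mode=$(stat -c %a "$1" 2>/dev/null || stat -f %Lp "$1")
    case "$mode" in 600|400) echo ok ;; *) echo "too open ($mode)" ;; esac
}

main() {
    make_key_and_csr
    echo "key matches CSR:       $(check_key_matches "$KEY" "$CSR" req)"
    echo "CSR signature:         $(csr_signature_ok "$CSR")"
    sign_with_toy_ca
    echo "key matches cert:      $(check_key_matches "$KEY" "$CRT" x509)"
    echo "CA key matches cert:   $(check_key_matches "$WORKDIR/toyca.key" "$CRT" x509)"
    echo "private key file mode: $(key_mode_ok "$KEY")"
    openssl x509 -in "$CRT" -noout -subject -issuer -dates
}
main "$@"
```

Run it with `sh` and read the five check lines: the CA's own key correctly reports MISMATCH against your certificate, because the certificate contains your public key and only the CA's signature over it. In real use you stop after the CSR, send that file to the CA, and run the same `check_key_matches ... x509` comparison on the certificate that comes back; the fingerprint function is also the quickest way to find which key file belongs to which certificate when several are lying around.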


