SSL: Difference between revisions
Revision as of 17:32, 21 January 2025
Summary
SSL (Secure Sockets Layer) is a cryptographic protocol designed to provide secure communication over a computer network. It ensures the confidentiality, integrity, and authentication of data transferred between a client (e.g., web browser) and a server (e.g., website). SSL is commonly used in securing HTTP traffic, resulting in HTTPS (Hypertext Transfer Protocol Secure).
Although the name SSL is still in common use, TLS (Transport Layer Security) is its modern successor: TLS evolved from SSL and fixes weaknesses in the older protocol versions, but most people still say "SSL" when they mean TLS.
OpenSSL
Common Tasks
Generate a CSR (secp384r1) and Private Key (ecdsa-with-SHA256)
Make a file called ssl-ecdsa.conf. Here's an example:
[ req ]
distinguished_name = req_distinguished_name
req_extensions = req_ext

[ req_distinguished_name ]
countryName = Country Name (2 letter code)
stateOrProvinceName = State or Province Name (full name)
localityName = Locality Name (eg, city)
organizationName = Organization Name (eg, company)
# Prompt entry for the OU; without it the organizationalUnitName_default below is never used
organizationalUnitName = Organizational Unit Name (eg, section)
commonName = Common Name (e.g. server FQDN or YOUR name)
countryName_default = US
stateOrProvinceName_default = Florida
localityName_default = Tallahassee
organizationName_default = LambNet
organizationalUnitName_default = DaveNet
commonName_default = davenet.lambnet.us

[ req_ext ]
basicConstraints = CA:FALSE
keyUsage = digitalSignature, keyEncipherment
extendedKeyUsage = serverAuth
tlsfeature = status_request
subjectAltName = @alt_names

[alt_names]
# When using SANs, you must repeat the Common Name as a SAN
DNS.1 = davenet.lambnet.us
Then run (the <( ) process substitution that feeds the curve parameters to -newkey needs bash or zsh, not plain sh):
openssl req -newkey ec:<(openssl ecparam -name secp384r1) -nodes -keyout server.key -out server.csr -config ssl-ecdsa.conf
Verify CSR
openssl req -noout -text -in server.csr
Show Certificate Details (Exp date, etc.)
openssl x509 -noout -text -in server.cer
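The commands above produce server.key, server.csr and eventually server.cer, but none of them tells you whether the pieces belong together or how long the certificate has left. The following helper functions are an added example (not part of the original wiki page) that wrap the same openssl CLI to answer those questions: does the CSR carry the public half of this private key, does it list the expected SAN, which curve was the key generated on, and is the certificate still good for N more days. File names and the FQDN are caller-supplied arguments; the script assumes only that the openssl binary is on PATH.

```shell
#!/bin/sh
# Added example, not part of the original wiki page: post-generation checks
# for the key / CSR / certificate produced by the openssl commands above.
# Requires the openssl CLI; all paths are caller-supplied arguments.

# Public key of a private key, PEM encoded.
pubkey_of_key() {
    openssl pkey -in "$1" -pubout 2>/dev/null
}

# Public key embedded in a CSR, PEM encoded.
pubkey_of_csr() {
    openssl req -in "$1" -noout -pubkey 2>/dev/null
}

# Succeeds (exit 0) only if the CSR was built from the given private key,
# i.e. both SubjectPublicKeyInfo blocks are identical.
csr_matches_key() {
    csr_pub=$(pubkey_of_csr "$1")
    key_pub=$(pubkey_of_key "$2")
    [ -n "$csr_pub" ] && [ "$csr_pub" = "$key_pub" ]
}

# Succeeds only if the CSR's subjectAltName extension lists DNS:<name>.
# In -text output the SAN values sit on the line after the extension header.
csr_has_san() {
    openssl req -in "$1" -noout -text 2>/dev/null \
        | sed -n '/Subject Alternative Name/{n;p;}' \
        | tr ',' '\n' \
        | sed 's/^[[:space:]]*//' \
        | grep -qx "DNS:$2"
}

# Curve name of an EC private key (e.g. secp384r1), read from the key itself.
key_curve() {
    openssl ec -in "$1" -noout -text 2>/dev/null \
        | sed -n 's/^ASN1 OID: //p'
}

# Succeeds only if the certificate is still valid for at least $2 more days.
# openssl's own -checkend does the clock arithmetic, so no date parsing here.
cert_valid_for_days() {
    openssl x509 -in "$1" -noout -checkend $(( $2 * 86400 )) >/dev/null 2>&1
}

# Run all checks for a key/CSR/cert triple and print one line per check.
# Usage: audit_ssl_files server.key server.csr server.cer davenet.lambnet.us
audit_ssl_files() {
    key=$1 csr=$2 cert=$3 fqdn=$4
    csr_matches_key "$csr" "$key" && echo "ok: CSR matches $key" \
        || echo "FAIL: CSR does not match $key"
    csr_has_san "$csr" "$fqdn" && echo "ok: SAN DNS:$fqdn present" \
        || echo "FAIL: SAN DNS:$fqdn missing"
    echo "curve: $(key_curve "$key")"
    cert_valid_for_days "$cert" 30 && echo "ok: cert valid for more than 30 days" \
        || echo "WARN: cert expires within 30 days (or is already expired)"
}
```

The key/CSR comparison is the standard way to catch a CSR that was regenerated against a different key than the one deployed on the server; the SAN check catches the case the config comment warns about (Common Name present but not repeated as a SAN), which modern browsers treat as a name mismatch. cert_valid_for_days is the building block for a cron-driven expiry alert.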
LetsEncrypt/Certbot
Latest instructions at https://certbot.eff.org/
Get initial cert
sudo /usr/local/bin/certbot-auto -d {FQDN} --nginx
Renew all domains that have been created via above
sudo /usr/local/bin/certbot-auto renew --dry-run
Remove --dry-run to run the renewal for real.
Configure cron to auto-renew
This appends an entry to /etc/crontab that runs the renewal twice a day (00:00 and 12:00), after a random delay of up to an hour so that all clients do not hit the CA at the same moment:
echo "0 0,12 * * * root python3 -c 'import random; import time; time.sleep(random.random() * 3600)' && /usr/local/bin/certbot-auto renew -q" | sudo tee -a /etc/crontab > /dev/null
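The echo | tee -a line above is not idempotent: every time it is run it appends another copy of the entry, and each copy triggers its own certbot-auto renew. The functions below are an added example (not from the original wiki page) that perform the same append only when the exact line is absent and report what happened. The crontab path and the cron line are an argument and a constant assumed here; the constant is the same entry the page installs.

```shell
#!/bin/sh
# Added example, not part of the original wiki page: idempotent version of the
# "append the renew job to /etc/crontab" step. The crontab path is an argument;
# CERTBOT_CRON_LINE is the same entry the page appends with echo | tee -a.

# Twice daily, sleep a random 0-3600 s, then renew quietly.
CERTBOT_CRON_LINE="0 0,12 * * * root python3 -c 'import random; import time; time.sleep(random.random() * 3600)' && /usr/local/bin/certbot-auto renew -q"

# Append $2 to crontab file $1 unless an identical whole line already exists.
# Prints "added" or "present" so a caller or log can see which path was taken.
# Usage (as root): add_cron_line_once /etc/crontab "$CERTBOT_CRON_LINE"
add_cron_line_once() {
    file=$1 line=$2
    if [ -f "$file" ] && grep -qxF -- "$line" "$file"; then
        echo present
    else
        printf '%s\n' "$line" >> "$file"
        echo added
    fi
}

# Number of times $2 appears as a whole line in $1 (0 if the file is missing).
# Useful for spotting the duplicates a repeated echo | tee -a leaves behind.
cron_line_count() {
    [ -f "$1" ] || { echo 0; return 0; }
    grep -cxF -- "$2" "$1" || true
}
```

grep -F -x compares the whole line as a fixed string, so the asterisks and quotes inside the cron entry are matched literally rather than as patterns. Running cron_line_count /etc/crontab "$CERTBOT_CRON_LINE" on an existing host shows whether the entry was already installed more than once.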