SSL

From Dave-Wiki

Summary

SSL (Secure Sockets Layer) is a cryptographic protocol designed to provide secure communication over a computer network. It ensures the confidentiality, integrity, and authentication of data transferred between a client (e.g., web browser) and a server (e.g., website). SSL is commonly used in securing HTTP traffic, resulting in HTTPS (Hypertext Transfer Protocol Secure).

Though SSL is still commonly referred to, TLS (Transport Layer Security) is the modern version of SSL. TLS evolved from SSL and is considered more secure, but the term SSL is still widely used.

OpenSSL

Common Tasks

Generate a CSR (secp384r1) and Private Key (ecdsa-with-SHA256)

Make a file called ssl-ecdsa.conf. Here's an example: 

[ req ]
distinguished_name = req_distinguished_name
req_extensions     = req_ext

[ req_distinguished_name ]
countryName                     = Country Name (2 letter code)
stateOrProvinceName             = State or Province Name (full name)
localityName                    = Locality Name (eg, city)
organizationName                = Organization Name (eg, company)
commonName                      = Common Name (e.g. server FQDN or YOUR name)

countryName_default             = US
stateOrProvinceName_default     = Florida
localityName_default            = Tallahassee
organizationName_default        = LambNet
organizationalUnitName_default  = DaveNet
commonName_default              = davenet.lambnet.us

[ req_ext ]
basicConstraints    = CA:FALSE
keyUsage            = digitalSignature, keyEncipherment
extendedKeyUsage    = serverAuth
tlsfeature          = status_request
subjectAltName      = @alt_names

[alt_names]
# When using SANs, you must repeat the Common Name as a SAN
DNS.1   = davenet.lambnet.us

Then run: 

openssl req -newkey ec:<(openssl ecparam -name secp384r1) -nodes -keyout server.key -out server.csr -config ssl-ecdsa.conf

Verify CSR

openssl req -noout -text -in server.csr

Show Certificate Details (Exp date, etc.)

openssl x509 -noout -text -in server.cer

LetsEncrypt/Certbot

Latest instructions at https://certbot.eff.org/

Common Tasks

Get initial cert

Assumes your web server is nginx. 

sudo /usr/local/bin/certbot-auto -d {FQDN} --nginx

Renew all domains that have been created via above

Remove --dry-run to execute for realsies. 

sudo /usr/local/bin/certbot-auto renew --dry-run

Configure cron to auto-renew

This will add an entry to /etc/crontab 

echo "0 0,12 * * * root python3 -c 'import random; import time; time.sleep(random.random() * 3600)' && /usr/local/bin/certbot-auto renew -q" | sudo tee -a /etc/crontab > /dev/null
Retrieved from "https://davehome.net/wiki/index.php?title=SSL&oldid=389"