SSL
Summary
SSL (Secure Sockets Layer) is a cryptographic protocol designed to provide secure communication over a computer network. It ensures the confidentiality, integrity, and authentication of data transferred between a client (e.g., web browser) and a server (e.g., website). SSL is commonly used in securing HTTP traffic, resulting in HTTPS (Hypertext Transfer Protocol Secure).
Though SSL is still commonly referred to, TLS (Transport Layer Security) is the modern version of SSL. TLS evolved from SSL and is considered more secure, but the term SSL is still widely used.
OpenSSL
Common Tasks
Generate a CSR (secp384r1) and Private Key (ecdsa-with-SHA256)
Make a file called ssl-csr.conf
. Here's an example:
[ req ] distinguished_name = req_distinguished_name req_extensions = req_ext [ req_distinguished_name ] countryName = Country Name (2 letter code) stateOrProvinceName = State or Province Name (full name) localityName = Locality Name (eg, city) organizationName = Organization Name (eg, company) commonName = Common Name (e.g. server FQDN or YOUR name) countryName_default = US stateOrProvinceName_default = Florida localityName_default = Tallahassee organizationName_default = LambNet organizationalUnitName_default = DaveNet commonName_default = davenet.lambnet.us [ req_ext ] basicConstraints = CA:FALSE keyUsage = digitalSignature, keyEncipherment extendedKeyUsage = serverAuth tlsfeature = status_request subjectAltName = @alt_names [alt_names] # When using SANs, you must repeat the Common Name as a SAN DNS.1 = davenet.lambnet.us
Then run:
openssl req -newkey ec:<(openssl ecparam -name secp384r1) -nodes -keyout server.key -out server.csr -config ssl-csr.conf
OR, if you must do RSA:
openssl req -newkey rsa:2048 -nodes -keyout server.key -out server.csr -config ssl-csr.conf
Verify CSR
openssl req -noout -text -in server.csr
Show Certificate Details (Exp date, etc.)
openssl x509 -noout -text -in server.cer
LetsEncrypt/Certbot
Latest instructions at https://certbot.eff.org/
Common Tasks
Get initial cert
Assumes your web server is nginx.
sudo /usr/local/bin/certbot-auto -d {FQDN} --nginx
Renew all domains that have been created via above
Remove --dry-run
to execute for realsies.
sudo /usr/local/bin/certbot-auto renew --dry-run
Configure cron to auto-renew
This will add an entry to /etc/crontab
echo "0 0,12 * * * root python3 -c 'import random; import time; time.sleep(random.random() * 3600)' && /usr/local/bin/certbot-auto renew -q" | sudo tee -a /etc/crontab > /dev/null
EasyRSA
EasyRSA is a command-line utility used for managing a Public Key Infrastructure (PKI) to create, sign, and manage SSL/TLS certificates.
EasyRSA simplifies the process of generating Certificate Authority (CA) certificates, server certificates, client certificates, and revoking certificates, making it easier for users to manage their own PKI without needing to deal with complex configuration files and commands.
A Certificate Authority (CA) is a trusted organization or entity that issues digital certificates used to establish the identity of entities (such as individuals, websites, or devices) and to facilitate secure communication over networks. CAs play a key role in a Public Key Infrastructure (PKI) by verifying the identity of certificate holders and ensuring the integrity and authenticity of digital certificates.
If you're interested in hosting your own CA, this section could come in handy.
Common Tasks
Build a new CA
mkdir ~/easy-rsa
cd easy-rsa
./easyrsa init-pki
EC
./easyrsa --use-algo=ec --use-curve=secp384r1 build-ca nopass
RSA
./easyrsa build-ca nopass
EasyRSA Import CSR
./easyrsa import-req /scratch/cert_mgmt-2023.csr cert_mgmt-2023
EasyRSA Sign CSR
./easyrsa --days=365 sign-req server cert_mgmt-2023
Convert x509 Certificate and Private Key to PKCS12 .pfx
openssl pkcs12 -export -in ca.crt -inkey private/ca.key -out ca.pfx
Convert x509 Certificate and Private Key to PKCS12 .p12
openssl pkcs12 -export -in ca.crt -inkey private/ca.key -out ca.p12
Convert PKCS12 to x509 Certificate and Private Key
openssl pkcs12 -in cert.p12 -out cert.crt -clcerts -nokeys
openssl pkcs12 -in cert.p12 -out private.key -nocerts -nodes
EasyRSA Create a CA with EC Private Key
./easyrsa --use-algo=ec build-ca nopass