Description

The need for privacy (from prying eyes) and for encrypting data to protect against those who seek to damage or destroy your business or livelihood is greater than ever. There are many reasons to encrypt data, and encryption is quickly becoming the web standard, with several large companies such as Google, Apple, WordPress / Automattic and others going full SSL/TLS and recommending others do the same. The steps below will help you get your sites up and running with SSL/TLS quickly.

“Arguing that you don’t care about the right to privacy because you have nothing to hide is no different than saying you don’t care about free speech because you have nothing to say.”

– Edward Snowden

Purpose & Scope

Encrypting our data as a matter of habit is incumbent upon, and the responsibility of, everyone in an age where true privacy and freedom are being assaulted from all angles, whether through deliberate malicious acts by hackers/crackers or the prying eyes and reach of governments who want complete unfettered access to all data in the form of backdoors written into software, which is completely unfeasible.

The latest (released in 2015), more streamlined version of TLS, version 1.3 (TLS is the newest generation of its better-known predecessor, SSL), trims out unnecessary features and functions that ultimately could lead to buggy or compromised code. The goal of this release is a leaner yet strong encryption protocol that’s easier to implement and less likely to leave the door open to implementation flaws.

SSL / TLS, or Secure Sockets Layer / Transport Layer Security, is a way of sending and receiving web traffic in an encrypted stream, from server to web browser and back again, making eavesdropping or subversion of the stream impossible. Without strong encryption at the heart of all communications, anyone with the knowledge and equipment can listen, copy, alter or otherwise subvert unencrypted communications for their own benefit or nefarious purposes.

Most major technology companies such as: Google, Apple, Wikipedia, Automattic and many, many others support and encourage strong encryption not only on their own platforms, but everywhere on the web as a standard.

Getting Started

Note: These are example configs only and not meant to be copy/pasted directly. They are here to provide guidance and an example of a generic setup using the strongest encryption currently available.

In this example we’ll be using the domain “example.com” as per RFC 2606.

Get a free Level 1 SSL certificate valid for 1 year from StartSSL

Get free SSL certificates at StartSSL or the Let’s Encrypt project, sponsored in part by Automattic and other companies.

Note: If your domain is selling products and is being used for commercial business, StartSSL will charge you $59.00 for a Level 2 certification and require recent scans of your passport and photo ID (front and back).

Why should I generate my own certificate and not use a wizard offered through a provider?

One word: “control”. You should always control the certificate generation process on your own systems and understand it. Relying on someone else’s tools obfuscates the process and removes some level of control from you.

No matter who the CA (Certificate Authority) is, always create the key and the CSR (Certificate Signing Request) first on your own systems. You’re only paying the Certificate Authority to sign it and verify that you are who you say you are or represent, based on different verification levels, from automated to exhaustive / time consuming. The deeper the verification goes (Level 1, Level 2, EV, etc.), the more it will be reflected in the price.


Linux / OSX .key and .csr (Certificate Signing Request) Generation Instructions

Note: Always store your keys in a safe place.
Purpose
To generate a 4096-bit RSA or Elliptic Curve key for use with the final certificate issued by the CA (Certificate Authority, e.g. StartSSL, Let’s Encrypt, Comodo, DigiCert, etc.) and a signing request for the CA, which is a request to have a certificate issued for a specific domain (example.com), subdomain (secure.example.com) or wildcard (*.example.com).

  1. Make a new directory under /root/csr/$sitename for creating, storing and organizing your CSRs for use with Certbot. (We’ll use this later below.)
  2. mkdir -p /root/csr/example.com

  3. Generate an RSA 4096bit or an Elliptical Curve key + CSR

  4. Our example domain: example.com

    1. Generate a password protected version of the key.
    2. openssl genrsa -des3 -out example.com.key 4096

      Generating RSA private key, 4096 bit long modulus
      ………………………………….++
      …………………………………………………………++
      e is 65537 (0x10001)
      Enter pass phrase for example.com.key:
      Verifying – Enter pass phrase for example.com.key:

    3. Generate a non-password protected version of the key.
    4. Note: This is so we don’t have to enter the password each time we restart the webserver, otherwise use the password-protected version.
      openssl rsa -in example.com.key -out example.com.nopass.key

      Enter pass phrase for example.com.key:
      writing RSA key

    5. Generate the Certificate Signing Request.
    6. openssl req -new -sha256 -key example.com.nopass.key -out example.com.csr

      You are about to be asked to enter information that will be incorporated
      into your certificate request.
      What you are about to enter is what is called a Distinguished Name or a DN.
      There are quite a few fields but you can leave some blank
      For some fields there will be a default value,
      If you enter ‘.’, the field will be left blank.
      – – – – –
      Country Name (2 letter code) [XX]:
      State or Province Name (full name) [ ]:
      Locality Name (eg, city) [Default City]:
      Organization Name (eg, company) [Default Company Ltd]:
      Organizational Unit Name (eg, section) [ ]:
      Common Name (eg, your name or your server’s hostname) [ ]:www.example.com
      Email Address [ ]:admin@example.com
      – – – – –
      Please enter the following ‘extra’ attributes
      to be sent with your certificate request
      A challenge password [ ]:n3HVwyb#ewh^lMtv6td)ZR#H
      An optional company name [ ]:

      If you’ve done all these steps you’ll end up with the following files:

      • example.com.key
      • example.com.nopass.key
      • example.com.csr


    Our example domain: secure.example.org
    Note: Currently StartSSL does not support EC CSR’s.

    1. List available curves.
    2. openssl ecparam -list_curves

      secp256k1 : SECG curve over a 256 bit prime field
      secp384r1 : NIST/SECG curve over a 384 bit prime field
      secp521r1 : NIST/SECG curve over a 521 bit prime field
      prime256v1: X9.62/SECG curve over a 256 bit prime field

    3. Generate a non-password protected key.
    4. Note: This is so we don’t have to enter the password each time we restart the webserver, otherwise use the password-protected version.
      openssl ecparam -out secure.example.org.nopass.key -name secp521r1 -genkey

    5. Generate a password protected key.
    6. openssl ec -in secure.example.org.nopass.key -des3 -out secure.example.org.key

    7. Generate the CSR for the Certificate Authority.
    8. openssl req -new -sha256 -key secure.example.org.nopass.key -nodes -out secure.example.org.csr

      If you’ve done all these steps you’ll end up with the following files:

      • secure.example.org.key
      • secure.example.org.nopass.key
      • secure.example.org.csr

  5. Read the Let’s Encrypt FAQ
  6. Validate your domain confirming ownership using the key sent to the email of the domain owner
  7. Apply for a certificate using the .csr (Certificate Signing Request) file generated in Step 3 from “Generate an RSA 4096bit key + CSR” above.
    • Log in to your server and make yourself root using the following command: su - (make sure to include the dash, as this gives you root’s shell and $PATH).
    • Verify you’re in root’s home directory with the command: pwd. If not, change to root’s home directory: cd /root
    • Download Certbot to your server as root. Choose your webserver and OS and follow the instructions to download Certbot.
    • wget https://dl.eff.org/certbot-auto

    • ./certbot-auto certonly --csr /root/csr/example.com.csr
  8. You will need the following files for your webserver once the process is complete, under the directory: /etc/letsencrypt/live/example.com/
    • cert.pem
    • chain.pem
    • fullchain.pem
    • privkey.pem
Certbot Commands & Help
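
The key and CSR steps above, followed by the checks worth running before the CSR is handed to the CA or to Certbot, as an added example that is not part of the original page. The function names, the non-interactive -subj / -addext form (OpenSSL 1.1.1 or later) and the secp384r1 curve choice are assumptions of this example.

```shell
#!/bin/sh
# Added example; function names and sample host names are constructed.

# make_csr <dir> <fqdn> <rsa|ec>: unencrypted key + CSR, no prompts.
make_csr() (
    umask 077                                  # key is created owner-only
    mkdir -p "$1" && cd "$1" || exit 1
    case $3 in
        rsa) openssl genrsa -out "$2.nopass.key" 4096 2>/dev/null ;;
        ec)  openssl ecparam -name secp384r1 -genkey -noout -out "$2.nopass.key" ;;
        *)   echo "key type must be rsa or ec" >&2; exit 2 ;;
    esac || exit 1
    # -subj replaces the interactive DN prompts; -addext adds the SAN.
    openssl req -new -sha256 -key "$2.nopass.key" -subj "/CN=$2" \
        -addext "subjectAltName=DNS:$2" -out "$2.csr"
)

# SHA-256 of the DER public key, taken from a private key or from a CSR.
key_pub_hash() {
    openssl pkey -in "$1" -pubout -outform DER | openssl dgst -sha256 -r | cut -d' ' -f1
}
csr_pub_hash() {
    openssl req -in "$1" -noout -pubkey | openssl pkey -pubin -outform DER |
        openssl dgst -sha256 -r | cut -d' ' -f1
}

# check_csr <key> <csr>: prints "ok" and returns 0 only if every check passes.
check_csr() {
    # Parse the key first, so two failed hash pipelines cannot compare equal.
    openssl pkey -in "$1" -noout 2>/dev/null || { echo "unreadable key"; return 1; }
    # Match on the message text rather than relying on the exit status.
    openssl req -in "$2" -noout -verify 2>&1 | grep -q 'verify OK' ||
        { echo "CSR self-signature invalid"; return 1; }
    [ "$(key_pub_hash "$1")" = "$(csr_pub_hash "$2")" ] ||
        { echo "CSR was not made from this key"; return 2; }
    # Characters 5-10 of the ls mode string are the group and other bits.
    [ "$(ls -l "$1" | cut -c5-10)" = "------" ] ||
        { echo "key is accessible to group/other"; return 3; }
    echo ok
}

# Usage (paths follow the directory layout from step 1):
#   make_csr /root/csr/example.com example.com rsa
#   check_csr /root/csr/example.com/example.com.nopass.key \
#             /root/csr/example.com/example.com.csr
```
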

Apache httpd Instructions / Configuration


nginx Instructions / Configuration

Before we begin
nginx does not provide an equivalent to the Apache httpd SSLCACertificateFile directive, so we’ll combine our certificate with the CA’s intermediate certificate.

Key Exchange Parameters

By default, nginx will use the default DHE (Ephemeral Diffie-Hellman) parameters provided by openssl; these use a weak key that gets lower scores. It’s better to build your own 4096-bit DH parameters.

Command:
openssl dhparam -out /etc/pki/tls/private/dhparam.pem 4096

nginx Config:
ssl_dhparam /etc/pki/tls/private/dhparam.pem;

Read about: nginx SSL/TLS termination
Read about: dhparam

nginx Reverse Proxy Caveats

If you use nginx as a reverse proxy in front of an Apache httpd server and terminate the SSL connection with nginx while proxying the connection to Apache httpd over HTTP, see the following:

wp-config.php

nginx configuration:
proxy_set_header X-Forwarded-Proto https;
or
proxy_set_header X-Forwarded-Proto $scheme;

Also see: WordPress Administration over SSL – Using a Reverse Proxy


Windows IIS Webserver Instructions

  • Take example.com.nopass.key generated in Step 2, put it in the same directory as the new certificate file from StartSSL, which we’ll call example.com.ssl.crt and run the following to combine them:
  • Command: openssl pkcs12 -export -out example.com.pfx -inkey example.com.nopass.key -in example.com.ssl.crt

This will combine both files into a single file called example.com.pfx which the IIS webserver will use.

Testing

Validate your setup once you feel it’s complete with these free tools.

Further Reading

Additional Resource: see mod_md for Apache httpd for managing certs.

Description Summary
This module manages common properties of domains for one or more virtual hosts. Specifically it can use the ACME protocol (RFC Draft) to automate certificate provisioning. These will be configured for managed domains and their virtual hosts automatically. This includes renewal of certificates before they expire. The most famous Certificate Authority currently implementing the ACME protocol is Let’s Encrypt.

Last Modified: 1 Dec, 2017 at 16:35:46