diff --git a/docs/install-server-certificate.md b/docs/install-server-certificate.md index cb43674..adebe68 100644 --- a/docs/install-server-certificate.md +++ b/docs/install-server-certificate.md 
@@ -1,46 +1,66 @@ -# Install TLS Certificate on nginx +# Configure TLS Certificate for HTTPS -If you already have the TLS Certificates you can start with [Link the files](#link-the-files) step. +## Get a webserver TLS certificate + +There are three ways to get to a TLS certificate for your HTTPS server: + 1. Get it from a certificate provider who will run a certificate + authority (CA) and also offers + [extended validation](https://en.wikipedia.org/wiki/Extended_Validation_Certificate) (EV) + for the certificate. This will cost a fee. + If possible, create the private key yourself, + then send a Certificate Signing Request (CSR). + Overall follow the documentation of the CA operator. + 2. Get a domain validated TLS certificate via + [Let's encrypt](https://letsencrypt.org/) without a fee. + See their instruction, e.g. + [certbot for nignx on Ubuntu](https://certbot.eff.org/instructions?ws=nginx&os=ubuntufocal). + 3. Run your own little CA. Which has the major drawback that someone + will have to import the root certificate in the webbrowsers manually. + Suitable for development purposes. + +To decide between 1. and 2. you will need to weight the extra +efforts and costs of the level of extended validation against +a bit of extra trust for the security advisories +that will be served under the domain. -## Generate a private key and Certificate Signing Request (CSR) -Generate and submit the Certificate Signing Request (CSR) to the issuing Certificate Authority (CA) for processing. +## Install the files for ngnix -Firstly create the key -```shell -openssl req -new newkey -aes256 -out {domainName}.key 4096 -``` -Then create the Certificate Singing Request (CSR) +Place the certificates on the server machine. +This includes the certificate for your webserver, the intermediate +certificates and the root certificate. The latter may already be on your +machine as part of the trust anchors for webbrowsers. 
-```shell -openssl req -new -key {domainName}.key -out {domainName}.csr -``` -A number of questions about the CSR details should be answered. +Follow the [nginx documentation](https://docs.nginx.com/nginx/admin-guide/security-controls/terminating-ssl-http/) +to further configure TLS with your private key and the certificates. -These generated CSR is necessary for the validation of the TLS certificate generation, thus the content should be submitted to the Certificate Authority to sign the certificate. +We recommend to + * enable checking the validation of the certificate + which can be done by OSCP + * restricting the TLS protocol version and ciphers following a current + recommendation (e.g. [BSI-TR-02102-2](https://www.bsi.bund.de/SharedDocs/Downloads/EN/BSI/Publications/TechGuidelines/TG02102/BSI-TR-02102-2.html)). -## Link the files -Once the CA issues the certificate download it to `/etc/ssl/`. +### Example configuration +Assuming the relevant server block is in `/etc/nginx/sites-enabled/default`, +change the `listen` configuration and add options so nginx +finds your your private key and the certificate chain. -- If you recieved {domainName}.pem file from the CA when the certificate was issued, then this file contains both primary and intermediate certificate and you can skip the next step. 
-- Concatenate the primary certificate file ({domainName.crt}) and the intermediate file ({intemediate.crt}) -```shell -cat {domainName.crt} {intermediate.crt} >> bundle.crt -``` - - -## Configure nginx -Adjust the server block in ```/etc/nginx/sites-enabled/default```: - -``` +```nginx server { - listen 443 ssl http2 default_server; - listen [::]:443 ssl http2 default_server; + listen 443 ssl http2 default_server; # ipv4 + listen [::]:443 ssl http2 default_server; # ipv6 + server_name www.example.com - ssl_certificate /etc/ssl/{domainName.pem}; # or bundle.crt + ssl_certificate /etc/ssl/{domainName}.pem; # or bundle.crt ssl_certificate_key /etc/ssl/{domainName}.key"; + + ssl_protocols TLSv1.2 TLSv1.3; # Other Config # ... } +``` -Restart nginx with systemctl nginx restart to apply the changes. \ No newline at end of file +Replace `{domainName}` with the name for your certificate in the example. + +Reload or restart nginx to apply the changes (e.g. `systemctl reload nginx` +on Debian or Ubuntu.)
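Review bot: the example nginx config in this hunk will not load as written: the added line `+ server_name www.example.com` is missing its terminating `;`, so nginx parses the following `ssl_certificate` line as further `server_name` arguments, and the unchanged context line ` ssl_certificate_key /etc/ssl/{domainName}.key";` still carries a stray `"` that this patch was a chance to drop. Suggest `server_name www.example.com;` and `ssl_certificate_key /etc/ssl/{domainName}.key;`. In the recommendations list, "OSCP" should read "OCSP", and since the text only says validation "can be done by OSCP" it would help readers to name the nginx directives that turn it on (`ssl_stapling on;` with `ssl_stapling_verify on;`) or to point at the corresponding section of the linked nginx guide. Minor wording in the added prose: "ngnix" and "nignx" for nginx, "Let's encrypt" for Let's Encrypt, "weight the extra efforts" for "weigh", "finds your your private key" doubles "your", and "to further configure TLS with your private key" reads better as "to configure TLS with your private key". The heading "Get a webserver TLS certificate" and "There are three ways to get to a TLS certificate" should be "to get a TLS certificate".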