mirror of
https://github.com/gocsaf/csaf.git
synced 2025-12-22 05:40:11 +01:00
Rework docs/install-server-certificate.md
* List all three ways to get a webserver TLS certificate. With some hints on which to chose for which purpose. * Refer to the official nginx documentation and remove some of the instructions, because they can change over time and each CA may have slightly different requirements. * Add a hint about setting protocol selection.
This commit is contained in:
Bernhard Reiter
parent
a39c8669d9
commit
d3f99189b5
1 changed files with 51 additions and 31 deletions
|
|
@ -1,46 +1,66 @@
|
|||
# Install TLS Certificate on nginx
|
||||
# Configure TLS Certificate for HTTPS
|
||||
|
||||
If you already have the TLS Certificates you can start with [Link the files](#link-the-files) step.
|
||||
## Get a webserver TLS certificate
|
||||
|
||||
There are three ways to get to a TLS certificate for your HTTPS server:
|
||||
1. Get it from a certificate provider who will run a certificate
|
||||
authority (CA) and also offers
|
||||
[extended validation](https://en.wikipedia.org/wiki/Extended_Validation_Certificate) (EV)
|
||||
for the certificate. This will cost a fee.
|
||||
If possible, create the private key yourself,
|
||||
then send a Certificate Signing Request (CSR).
|
||||
Overall follow the documentation of the CA operator.
|
||||
2. Get a domain validated TLS certificate via
|
||||
[Let's encrypt](https://letsencrypt.org/) without a fee.
|
||||
See their instruction, e.g.
|
||||
[certbot for nignx on Ubuntu](https://certbot.eff.org/instructions?ws=nginx&os=ubuntufocal).
|
||||
3. Run your own little CA. Which has the major drawback that someone
|
||||
will have to import the root certificate in the webbrowsers manually.
|
||||
Suitable for development purposes.
|
||||
|
||||
To decide between 1. and 2. you will need to weight the extra
|
||||
efforts and costs of the level of extended validation against
|
||||
a bit of extra trust for the security advisories
|
||||
that will be served under the domain.
|
||||
|
||||
|
||||
## Generate a private key and Certificate Signing Request (CSR)
|
||||
Generate and submit the Certificate Signing Request (CSR) to the issuing Certificate Authority (CA) for processing.
|
||||
## Install the files for ngnix
|
||||
|
||||
Firstly create the key
|
||||
```shell
|
||||
openssl req -new newkey -aes256 -out {domainName}.key 4096
|
||||
```
|
||||
Then create the Certificate Singing Request (CSR)
|
||||
Place the certificates on the server machine.
|
||||
This includes the certificate for your webserver, the intermediate
|
||||
certificates and the root certificate. The latter may already be on your
|
||||
machine as part of the trust anchors for webbrowsers.
|
||||
|
||||
```shell
|
||||
openssl req -new -key {domainName}.key -out {domainName}.csr
|
||||
```
|
||||
A number of questions about the CSR details should be answered.
|
||||
Follow the [nginx documentation](https://docs.nginx.com/nginx/admin-guide/security-controls/terminating-ssl-http/)
|
||||
to further configure TLS with your private key and the certificates.
|
||||
|
||||
These generated CSR is necessary for the validation of the TLS certificate generation, thus the content should be submitted to the Certificate Authority to sign the certificate.
|
||||
We recommend to
|
||||
* enable checking the validation of the certificate
|
||||
which can be done by OSCP
|
||||
* restricting the TLS protocol version and ciphers following a current
|
||||
recommendation (e.g. [BSI-TR-02102-2](https://www.bsi.bund.de/SharedDocs/Downloads/EN/BSI/Publications/TechGuidelines/TG02102/BSI-TR-02102-2.html)).
|
||||
|
||||
## Link the files
|
||||
Once the CA issues the certificate download it to `/etc/ssl/`.
|
||||
### Example configuration
|
||||
Assuming the relevant server block is in `/etc/nginx/sites-enabled/default`,
|
||||
change the `listen` configuration and add options so nginx
|
||||
finds your your private key and the certificate chain.
|
||||
|
||||
- If you recieved {domainName}.pem file from the CA when the certificate was issued, then this file contains both primary and intermediate certificate and you can skip the next step.
|
||||
- Concatenate the primary certificate file ({domainName.crt}) and the intermediate file ({intemediate.crt})
|
||||
```shell
|
||||
cat {domainName.crt} {intermediate.crt} >> bundle.crt
|
||||
```
|
||||
|
||||
|
||||
## Configure nginx
|
||||
Adjust the server block in ```/etc/nginx/sites-enabled/default```:
|
||||
|
||||
```
|
||||
```nginx
|
||||
server {
|
||||
listen 443 ssl http2 default_server;
|
||||
listen [::]:443 ssl http2 default_server;
|
||||
listen 443 ssl http2 default_server; # ipv4
|
||||
listen [::]:443 ssl http2 default_server; # ipv6
|
||||
server_name www.example.com
|
||||
|
||||
ssl_certificate /etc/ssl/{domainName.pem}; # or bundle.crt
|
||||
ssl_certificate /etc/ssl/{domainName}.pem; # or bundle.crt
|
||||
ssl_certificate_key /etc/ssl/{domainName}.key";
|
||||
|
||||
ssl_protocols TLSv1.2 TLSv1.3;
|
||||
# Other Config
|
||||
# ...
|
||||
}
|
||||
```
|
||||
|
||||
Restart nginx with systemctl nginx restart to apply the changes.
|
||||
Replace `{domainName}` with the name for your certificate in the example.
|
||||
|
||||
Reload or restart nginx to apply the changes (e.g. `systemctl reload nginx`
|
||||
on Debian or Ubuntu.)
|
||||
|
|
|
|||
Loading…
Add table
Add a link
Reference in a new issue