SystemSh0cker/gocsaf
1
0
Fork 0
mirror of https://github.com/gocsaf/csaf.git synced 2025-12-22 11:55:40 +01:00
Code Issues Releases Activity Actions

Rework docs/install-server-certificate.md

Browse source 
* List all three ways to get a webserver TLS certificate. With some
   hints on which to chose for which purpose.
 * Refer to the official nginx documentation and remove some of the
   instructions, because they can change over time and each CA may
   have slightly different requirements.
 * Add a hint about setting protocol selection.
This commit is contained in:
Bernhard Reiter 2022-02-11 17:42:24 +01:00
parent a39c8669d9
commit d3f99189b5
No known key found for this signature in database
GPG key ID: 2B7BA3BF9BC3A554
1 changed files with 51 additions and 31 deletions
Download patch file Download diff file Expand all files Collapse all files

82
docs/install-server-certificate.md
View file

@ -1,46 +1,66 @@
# Install TLS Certificate on nginx # Configure TLS Certificate for HTTPS
If you already have the TLS Certificates you can start with [Link the files](#link-the-files) step. ## Get a webserver TLS certificate
There are three ways to get to a TLS certificate for your HTTPS server:
1. Get it from a certificate provider who will run a certificate
authority (CA) and also offers
[extended validation](https://en.wikipedia.org/wiki/Extended_Validation_Certificate) (EV)
for the certificate. This will cost a fee.
If possible, create the private key yourself,
then send a Certificate Signing Request (CSR).
Overall follow the documentation of the CA operator.
2. Get a domain validated TLS certificate via
[Let's encrypt](https://letsencrypt.org/) without a fee.
See their instruction, e.g.
[certbot for nignx on Ubuntu](https://certbot.eff.org/instructions?ws=nginx&os=ubuntufocal).
3. Run your own little CA. Which has the major drawback that someone
will have to import the root certificate in the webbrowsers manually.
Suitable for development purposes.
To decide between 1. and 2. you will need to weight the extra
efforts and costs of the level of extended validation against
a bit of extra trust for the security advisories
that will be served under the domain.
## Generate a private key and Certificate Signing Request (CSR) ## Install the files for ngnix
Generate and submit the Certificate Signing Request (CSR) to the issuing Certificate Authority (CA) for processing.
Firstly create the key Place the certificates on the server machine.
```shell This includes the certificate for your webserver, the intermediate
openssl req -new newkey -aes256 -out {domainName}.key 4096 certificates and the root certificate. The latter may already be on your
``` machine as part of the trust anchors for webbrowsers.
Then create the Certificate Singing Request (CSR)
```shell Follow the [nginx documentation](https://docs.nginx.com/nginx/admin-guide/security-controls/terminating-ssl-http/)
openssl req -new -key {domainName}.key -out {domainName}.csr to further configure TLS with your private key and the certificates.
```
A number of questions about the CSR details should be answered.
These generated CSR is necessary for the validation of the TLS certificate generation, thus the content should be submitted to the Certificate Authority to sign the certificate. We recommend to
* enable checking the validation of the certificate
which can be done by OSCP
* restricting the TLS protocol version and ciphers following a current
recommendation (e.g. [BSI-TR-02102-2](https://www.bsi.bund.de/SharedDocs/Downloads/EN/BSI/Publications/TechGuidelines/TG02102/BSI-TR-02102-2.html)).
## Link the files ### Example configuration
Once the CA issues the certificate download it to `/etc/ssl/`. Assuming the relevant server block is in `/etc/nginx/sites-enabled/default`,
change the `listen` configuration and add options so nginx
finds your your private key and the certificate chain.
- If you recieved {domainName}.pem file from the CA when the certificate was issued, then this file contains both primary and intermediate certificate and you can skip the next step. ```nginx
- Concatenate the primary certificate file ({domainName.crt}) and the intermediate file ({intemediate.crt})
```shell
cat {domainName.crt} {intermediate.crt} >> bundle.crt
```
## Configure nginx
Adjust the server block in ```/etc/nginx/sites-enabled/default```:
```
server { server {
listen 443 ssl http2 default_server; listen 443 ssl http2 default_server; # ipv4
listen [::]:443 ssl http2 default_server; listen [::]:443 ssl http2 default_server; # ipv6
server_name www.example.com
ssl_certificate /etc/ssl/{domainName.pem}; # or bundle.crt ssl_certificate /etc/ssl/{domainName}.pem; # or bundle.crt
ssl_certificate_key /etc/ssl/{domainName}.key"; ssl_certificate_key /etc/ssl/{domainName}.key";
ssl_protocols TLSv1.2 TLSv1.3;
# Other Config # Other Config
# ... # ...
} }
```
Restart nginx with systemctl nginx restart to apply the changes. Replace `{domainName}` with the name for your certificate in the example.
Reload or restart nginx to apply the changes (e.g. `systemctl reload nginx`
on Debian or Ubuntu.)