SystemSh0cker/gocsaf
1
0
Fork 0
mirror of https://github.com/gocsaf/csaf.git synced 2025-12-22 11:55:40 +01:00
Code Issues Releases Activity Actions
gocsaf/docs/install-server-certificate.md
Bernhard Reiter 72a0f1f4ed
Improve docs/install-server-certificate.md 
* Be more explizit about not using a development ca in production
   for the server.
2022-02-16 09:31:16 +01:00

2.9 KiB
Raw Blame History

Configure TLS Certificate for HTTPS

Get a webserver TLS certificate

There are three ways to get a TLS certificate for your HTTPS server:

  1. Get it from a certificate provider who will run a certificate authority (CA) and also offers extended validation (EV) for the certificate. This will cost a fee. If possible, create the private key yourself, then send a Certificate Signing Request (CSR). Overall follow the documentation of the CA operator.
  2. Get a domain validated TLS certificate via Let's encrypt without a fee. See their instruction, e.g. certbot for nignx on Ubuntu.
  3. Run your own little CA. Which has the major drawback that someone will have to import the root certificate in the webbrowsers manually or override warning on each connect. Suitable for development purposes, must not be used for production servers.

To decide between 1. and 2. you will need to weight the extra efforts and costs of the level of extended validation against a bit of extra trust for the security advisories that will be served under the domain.

Install the files for ngnix

Place the certificates on the server machine. This includes the certificate for your webserver, the intermediate certificates and the root certificate. The latter may already be on your machine as part of the trust anchors for webbrowsers.

Follow the nginx documentation to further configure TLS with your private key and the certificates.

We recommend to

  • restrict the TLS protocol version and ciphers following a current recommendation (e.g. BSI-TR-02102-2).

Example configuration

Assuming the relevant server block is in /etc/nginx/sites-enabled/default, change the listen configuration and add options so nginx finds your your private key and the certificate chain.

server {
    listen 443 ssl http2 default_server;  # ipv4
    listen       [::]:443 ssl http2 default_server;  # ipv6
    server_name www.example.com

    ssl_certificate /etc/ssl/{domainName}.pem; # or bundle.crt
    ssl_certificate_key /etc/ssl/{domainName}.key";

    ssl_protocols TLSv1.2 TLSv1.3;
    # Other Config
    # ...
}

Replace {domainName} with the name for your certificate in the example.

Reload or restart nginx to apply the changes (e.g. systemctl reload nginx on Debian or Ubuntu.)

Technical hints:

  • When allowing or requiring TLSv1.3 webbrowsers like Chromium (seen with version 98) may have higher requirements on the server certificates they allow, otherwise they do not connect with ERR_SSL_KEY_USAGE_INCOMPATIBLE.