Warning Livedoc is no longer being updated and will be deprecated shortly. Please refer to https://documentation.tjhsst.edu.

Difference between revisions of "Www/SSL"

From Livedoc - The Documentation Repository
(create information about cert rotation)

Revision as of 09:11, 9 December 2016

This page describes the SSL configuration, and how to rotate SSL certificates, on www.

Before certificate renewal comes up

Generate a new private key and CSR with openssl req -new -newkey rsa:2048 -nodes -keyout "tjhsst-1718.key" -out "tjhsst-1718.csr", substituting 1718 with the appropriate school year. Run this command in /etc/apache2/ssl, and be very careful not to overwrite existing files: check that tjhsst-1718.{key,csr} do not already exist before running it.

Get the public key pin (the base64-encoded SHA-256 digest of the DER-encoded public key) using openssl rsa -in tjhsst-1718.key -outform der -pubout | openssl dgst -sha256 -binary | openssl enc -base64. Add this value to the Public-Key-Pins header in /etc/nginx/ssl.conf, following the existing format, before you actually rotate keys. If the new pin is not already being served when the key changes, browsers that have cached the current pins will refuse to connect to the website until their cached pin set expires, and this is a bad thing. Read the documentation on MDN for more information about public key pinning.

Rotating the certificate

Once you've received a certificate from the CA, put it alongside the private key using a similar naming format, like tjhsst-1718.crt. Create a certificate bundle/chained certificate file according to the instructions given by the CA. nginx expects the server certificate first, followed by the intermediate bundle, so this usually looks something like cat tjhsst-1718.crt tjcsl_bundle.crt > tjhsst-1718.chained.crt.

You can now update the web server's SSL configuration in /etc/nginx/ssl.conf, replacing the values of ssl_certificate (the chained file) and ssl_certificate_key (the new private key), as well as ssl_trusted_certificate (the CA chain used for OCSP stapling) if it's necessary.

Restart the web server

You can now restart nginx with /etc/init.d/nginx restart. If all goes well, the new SSL certificate should be in place; verify it by connecting to the site and checking that the new certificate is served.
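The steps above, collected into shell helpers as an added example; this is not a script from the Livedoc page or the TJ CSL, and the function names, the SSL_DIR and NGINX_SSL_CONF variables, and the certificate subject are assumptions. It adds the two checks a rotation most often goes wrong without: refusing to overwrite an existing key/CSR pair, and confirming the new pin is already in ssl.conf and the CA's certificate actually matches the private key before anything is switched over.

```shell
#!/bin/sh
# Added example (not from the Livedoc page). Paths default to the ones the
# page names; override SSL_DIR / NGINX_SSL_CONF to try this outside www.
set -eu

SSL_DIR="${SSL_DIR:-/etc/apache2/ssl}"
NGINX_SSL_CONF="${NGINX_SSL_CONF:-/etc/nginx/ssl.conf}"

# Step 1: new private key + CSR for a school year, refusing to clobber
# existing files. Prints the key path. Usage: gen_key_csr 1718 "/CN=www.tjhsst.edu"
gen_key_csr() {
    year="$1"; subj="$2"
    key="$SSL_DIR/tjhsst-$year.key"; csr="$SSL_DIR/tjhsst-$year.csr"
    for f in "$key" "$csr"; do
        if [ -e "$f" ]; then
            echo "refusing to overwrite existing $f" >&2
            return 1
        fi
    done
    umask 077   # the private key must not be group/world readable
    openssl req -new -newkey rsa:2048 -nodes -subj "$subj" \
        -keyout "$key" -out "$csr" 2>/dev/null
    echo "$key"
}

# Step 2: HPKP pin = base64(SHA-256(DER SubjectPublicKeyInfo)), exactly the
# pipeline the page gives.
spki_pin_from_key() {
    openssl rsa -in "$1" -outform der -pubout 2>/dev/null \
        | openssl dgst -sha256 -binary | openssl enc -base64
}

# The same pin derived from the CSR; it must equal the key's pin, which is a
# cheap way to confirm the CSR you send to the CA belongs to the new key.
spki_pin_from_csr() {
    openssl req -in "$1" -noout -pubkey \
        | openssl pkey -pubin -outform der \
        | openssl dgst -sha256 -binary | openssl enc -base64
}

# Pre-rotation gate: the new pin must already be present in the
# Public-Key-Pins header, or pinned browsers are locked out after the switch.
# Usage: pin_present_in_conf "$pin" "$NGINX_SSL_CONF"
pin_present_in_conf() {
    grep -F -q "pin-sha256=\"$1\"" "$2"
}

# Post-issuance gate: the certificate the CA returned must carry the public
# key of our private key. Usage: cert_matches_key cert.crt key.key
cert_matches_key() {
    cert_spki=$(openssl x509 -in "$1" -noout -pubkey \
        | openssl pkey -pubin -outform der | openssl dgst -sha256)
    key_spki=$(openssl pkey -in "$2" -pubout -outform der | openssl dgst -sha256)
    [ "$cert_spki" = "$key_spki" ]
}
```

A rotation would call these in order: gen_key_csr, then spki_pin_from_key and edit the header, then (after the CA answers) cert_matches_key and the chained-file step from the page, and only then the ssl.conf edit and restart; running nginx -t before /etc/init.d/nginx restart catches a typo in ssl.conf without taking the site down.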