Difference between revisions of "Www/SSL"

From Livedoc - The Documentation Repository
(create information about cert rotation)
 
 
Line 6: Line 6:
  
 
Get the public key pin information using <code>openssl rsa -in tjhsst-1718.key -outform der -pubout | openssl dgst -sha256 -binary | openssl enc -base64</code>. You'll need to add this to the Public-Key-Pins header in <code>/etc/nginx/ssl.conf</code>, following the existing format. Do this ''before'' you actually rotate keys. Without doing this, browsers will be unable to access the website, and this is a bad thing. Read [https://developer.mozilla.org/en-US/docs/Web/HTTP/Public_Key_Pinning the documentation on MDN] for more information about public key pinning.
 
Get the public key pin information using <code>openssl rsa -in tjhsst-1718.key -outform der -pubout | openssl dgst -sha256 -binary | openssl enc -base64</code>. You'll need to add this to the Public-Key-Pins header in <code>/etc/nginx/ssl.conf</code>, following the existing format. Do this ''before'' you actually rotate keys. Without doing this, browsers will be unable to access the website, and this is a bad thing. Read [https://developer.mozilla.org/en-US/docs/Web/HTTP/Public_Key_Pinning the documentation on MDN] for more information about public key pinning.
 +
 +
Alternatively, generate a CSR using an already existing key, with <code>openssl req -out tjhsst-1718.csr -key tjhsst-1617.key -new</code>.
  
 
== Rotating the certificate ==
 
== Rotating the certificate ==
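Review bot: the added "Alternatively" line (a 1718 CSR made from tjhsst-1617.key) should say what that path trades away. Reusing the key renews only the certificate and does not rotate the key, so it should not be presented as an equal alternative to the first command; and because the pin in the paragraph above is derived from the key, the Public-Key-Pins step does not apply on this path at all, since the reused key's pin is unchanged. Suggest appending a sentence such as: "This keeps the existing key, so no new pin is needed, but the key itself is not rotated."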

Latest revision as of 11:31, 12 December 2016

This page describes the SSL configuration on www and how to rotate its SSL certificate and key.

Before certificate renewal comes up

Generate a new private key and CSR with openssl req -new -newkey rsa:2048 -nodes -keyout "tjhsst-1718.key" -out "tjhsst-1718.csr", substituting 1718 with the appropriate school year. Run this command in /etc/apache2/ssl and be very careful not to overwrite existing files: check first that tjhsst-1718.key and tjhsst-1718.csr do not already exist. -nodes writes the private key unencrypted, so restrict it as soon as it is created (chmod 600 tjhsst-1718.key) and never copy it anywhere outside that directory.

Get the public key pin for the new key with openssl rsa -in tjhsst-1718.key -outform der -pubout | openssl dgst -sha256 -binary | openssl enc -base64 (the base64 SHA-256 of the DER-encoded SubjectPublicKeyInfo). Add it as an additional pin-sha256 value to the Public-Key-Pins header in /etc/nginx/ssl.conf, following the existing format, and keep the current key's pin in place. Do this before you actually rotate keys, and keep serving the header with both pins for at least its max-age before switching: a browser that has cached the current pins will refuse to connect to a site whose key matches none of them until those pins expire, which would lock visitors out of the website. Read the documentation on MDN for more information about public key pinning. Note that Chrome and Firefox have since removed HPKP support, so current browsers ignore this header; the step is harmless but no longer protects anything.

Alternatively, generate a CSR for an already existing key with openssl req -out tjhsst-1718.csr -key tjhsst-1617.key -new. This renews only the certificate: the key is not rotated, so the existing pin stays valid and the Public-Key-Pins header needs no change, but you also give up the protection of retiring the old key.

Rotating the certificate

Once you've received a certificate from the CA, put it alongside the private key using the same naming format, e.g. tjhsst-1718.crt. Create a chained certificate file according to the instructions given by the CA; nginx expects the server certificate first, followed by the intermediate bundle, so this usually looks like cat tjhsst-1718.crt tjcsl_bundle.crt > tjhsst-1718.chained.crt. Before installing it, confirm the certificate was issued for the new key: openssl x509 -in tjhsst-1718.crt -pubkey -noout and openssl pkey -in tjhsst-1718.key -pubout must print the same public key.

You can now update the web server's SSL configuration in /etc/nginx/ssl.conf: point ssl_certificate at the chained file and ssl_certificate_key at the new key, and update ssl_trusted_certificate if it is set (it holds the CA chain used to verify OCSP stapling responses, so it only changes if the CA's intermediates changed).

Restart the web server

Check the configuration with nginx -t first, then restart nginx with /etc/init.d/nginx restart (a reload is sufficient for a certificate change and does not drop existing connections). Confirm the new certificate is actually being served with openssl s_client -connect HOST:443 -servername HOST </dev/null | openssl x509 -noout -dates -fingerprint -sha256, where HOST is the site's hostname, and compare the fingerprint with that of tjhsst-1718.crt. If all goes well, the new SSL certificate should be in place.
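The whole procedure above as shell functions, with the checks worth running before nginx is touched. This is an added example and not part of the Livedoc page: the file names and the pin pipeline are taken from the page, tjcsl_bundle.crt is the page's placeholder for the CA bundle, and the common name, the max-age value, the scratch directory and the exact add_header line are assumptions for illustration rather than the contents of /etc/nginx/ssl.conf. It also goes slightly beyond the page by checking the chain file's order and the key/certificate match, which is where rotations most often go wrong.

```shell
#!/bin/sh
# Added example (not from the Livedoc page): the rotation steps as shell
# functions plus the checks to run before reloading nginx. Assumptions:
# the CA bundle is named tjcsl_bundle.crt as on the page, and the caller
# has cd'd into the ssl directory (the page uses /etc/apache2/ssl).
set -eu

# Step 1: new key + CSR, refusing to overwrite an existing pair.
new_key_and_csr() {            # new_key_and_csr <basename> <common-name>
    base=$1; cn=$2
    for f in "$base.key" "$base.csr"; do
        if [ -e "$f" ]; then echo "refusing to overwrite $f" >&2; return 1; fi
    done
    openssl req -new -newkey rsa:2048 -nodes -subj "/CN=$cn" \
        -keyout "$base.key" -out "$base.csr" 2>/dev/null
    chmod 600 "$base.key"      # -nodes leaves the key unencrypted; protect it on disk
}

# Step 2: HPKP pin = base64(SHA-256(DER SubjectPublicKeyInfo)); the page's pipeline.
pin_of_key() {                 # pin_of_key <keyfile>
    openssl rsa -in "$1" -outform der -pubout 2>/dev/null \
        | openssl dgst -sha256 -binary | openssl enc -base64
}

# The same pin derived from a certificate. It must equal pin_of_key for the
# key the certificate was issued to; use it to check the CA's response.
pin_of_cert() {                # pin_of_cert <certfile>
    openssl x509 -in "$1" -pubkey -noout \
        | openssl pkey -pubin -outform der 2>/dev/null \
        | openssl dgst -sha256 -binary | openssl enc -base64
}

# nginx add_header line carrying every listed key's pin (current key first,
# new key as the backup pin). max-age is the caller's choice; the line
# format is an assumption, not a copy of ssl.conf.
hpkp_header() {                # hpkp_header <max-age-seconds> <keyfile>...
    maxage=$1; shift
    pins=""
    for k in "$@"; do
        pins="$pins pin-sha256=\"$(pin_of_key "$k")\";"
    done
    printf "add_header Public-Key-Pins '%s max-age=%s';\n" "${pins# }" "$maxage"
}

# Step 3: chain file for nginx: the server certificate FIRST, then the CA bundle.
build_chain() {                # build_chain <servercert> <cabundle> <outfile>
    cat "$1" "$2" > "$3"
}

# Step 4 checks. check_pair: the certificate really belongs to this private key.
check_pair() {                 # check_pair <keyfile> <certfile>
    [ "$(openssl pkey -in "$1" -pubout 2>/dev/null)" = \
      "$(openssl x509 -in "$2" -pubkey -noout)" ]
}

# check_chain: the first certificate in the chain file is the server certificate
# (a bundle-first file fails here) and the server certificate verifies against
# the CA bundle.
check_chain() {                # check_chain <cabundle> <servercert> <chainfile>
    [ "$(openssl x509 -in "$3" -noout -fingerprint -sha256)" = \
      "$(openssl x509 -in "$2" -noout -fingerprint -sha256)" ] || return 1
    openssl verify -CAfile "$1" "$2" >/dev/null 2>&1
}

# Step 5: only reload once the config parses; a reload keeps existing connections.
reload_nginx() {
    nginx -t && /etc/init.d/nginx reload
}
```

Typical use, in the ssl directory: new_key_and_csr tjhsst-1718 www.example.org; hpkp_header 2592000 tjhsst-1617.key tjhsst-1718.key (paste into ssl.conf and leave it serving for max-age); after the CA replies, check_pair, build_chain, check_chain, then reload_nginx. The pin_of_cert check catches a CA response issued for the wrong CSR before it ever reaches the config.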