SSL

From Leaky
Revision as of 19:35, 23 June 2016 by Leaky (talk | contribs) (LetsEncrypt)

Generate a new key

openssl genrsa -out www.mydomain.com.key 2048

Generate a new CSR from a key

openssl req -new -sha256 -key www.mydomain.com.key -out www.mydomain.com.csr

Checking if a key/csr/cert are related to each other

To check that a key, CSR and certificate are related (i.e. the CSR was generated from the key and the certificate is the signed CSR), print the modulus of each item; all of them should be identical.

For a certificate:

openssl x509 -noout -modulus -in file.crt

For a CSR:

openssl req -noout -modulus -in file.csr

For a key (assuming RSA):

openssl rsa -noout -modulus -in file.key

The output for each one is (wrapped at 70 characters, normally all on one line):

Modulus=958F0B0961CF7F99155050CFD5DD2F3776085D560C0E4CACBACCEC6A73C38A
C3DA64FE26C747AB08555522D77EE0505C69B73F7DCA064155C7EC0FADF3CC11920136
DDC53C5F9BBE8B5A2866F955AFFEBFA116D8CDC6EE81CFF3F8D337FEE1E6658E507CA3
7EEFC4D9BD7F679FEF0844A81A94C7CB09A52A6C3785BF2D604E2A5750D131C0C0192C
E6B843BA318F08D3D0AD63837F67A6E226D9EC3E187BAA4767FD988E63DF4ED16721CF
E8BC17F2BD19E8DF006D770EA5C58E894E4FA0D0B714C6AFF11F6EB821B3FE99E91E5F
D9CD2019146DE7A2D264DC7FC8742E195A3A8E05EFB146C5C97FFE2815DB050E842EE8
1F1C9C52A5EC7362FFB8A14E97B199
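The comparison above, done by script rather than by eye, as an added example that is not part of the original wiki page. It hashes the Modulus= line of each file so the long values become short fingerprints, and it builds its own constructed test files (a key, a CSR from that key, a self-signed certificate from that CSR, and an unrelated second key) in a temporary directory; the file names and the example.com subject are assumptions.

```shell
#!/bin/sh
# Added example (not from the wiki page): check that a key, CSR and certificate
# share one RSA modulus, the same comparison the page does by eye, but done by
# hashing the "Modulus=..." line so long values are easy to compare in a script.
set -eu

# Print a SHA-256 fingerprint of the modulus of a key, CSR or certificate.
# Usage: modulus_fp <key|csr|crt> <file>
modulus_fp() {
    case "$1" in
        key) cmd=rsa ;;
        csr) cmd=req ;;
        crt) cmd=x509 ;;
        *)   echo "modulus_fp: unknown type '$1'" >&2; return 2 ;;
    esac
    openssl "$cmd" -noout -modulus -in "$2" | openssl dgst -sha256 | awk '{print $NF}'
}

# Return 0 if every <type>:<file> argument has the same modulus, 1 otherwise.
# Usage: check_related key:site.key csr:site.csr crt:site.crt
check_related() {
    first=""
    for pair in "$@"; do
        fp=$(modulus_fp "${pair%%:*}" "${pair#*:}")
        if [ -z "$first" ]; then
            first=$fp
        elif [ "$fp" != "$first" ]; then
            return 1
        fi
    done
    return 0
}

# Constructed demo data in <dir>: a key, a CSR from it, a self-signed
# certificate from that CSR, and an unrelated second key (assumed names).
make_demo() {
    openssl genrsa -out "$1/site.key" 2048 2>/dev/null
    openssl req -new -sha256 -key "$1/site.key" -subj "/CN=www.example.com" -out "$1/site.csr"
    openssl x509 -req -in "$1/site.csr" -signkey "$1/site.key" -days 1 -out "$1/site.crt" 2>/dev/null
    openssl genrsa -out "$1/other.key" 2048 2>/dev/null
}

# Run as "sh check-modulus.sh demo" to see both outcomes on the constructed files.
if [ "${1:-}" = "demo" ]; then
    tmp=$(mktemp -d)
    make_demo "$tmp"
    if check_related key:"$tmp/site.key" csr:"$tmp/site.csr" crt:"$tmp/site.crt"; then
        echo "site.key, site.csr, site.crt: related"
    fi
    if ! check_related key:"$tmp/site.key" crt:"$tmp/site.crt" key:"$tmp/other.key"; then
        echo "other.key does not match site.crt"
    fi
    rm -rf "$tmp"
fi
```

Because a mismatch between the key and certificate you deploy shows up only when the web server refuses to start (or, worse, serves the wrong certificate), running check_related against the files in a deployment script before restarting Apache catches the mistake early.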

LetsEncrypt

To use letsencrypt.org for your free SSL certificate on CentOS, without letting it change your web server configs automatically, you can use the certbot-auto script.

# git clone https://github.com/letsencrypt/letsencrypt
# cd letsencrypt
# ./certbot-auto

Once it's updated itself and installed any dependencies, it can be used to generate the SSL certificates.

# ./certbot-auto certonly --webroot -d www.example.com -d example.com -w /var/www/html/example.com

The -d option needs to be repeated for every ServerName and ServerAlias directive used by the site you're trying to secure. -w specifies the webroot to use for the authentication process (a challenge file is created in there, which is then requested by LetsEncrypt).

If all goes well, you'll see a message like this:

- Congratulations! Your certificate and chain have been saved at
  /etc/letsencrypt/live/www.example.com/fullchain.pem. Your cert
  will expire on 2016-09-21. To obtain a new or tweaked version of
  this certificate in the future, simply run certbot-auto again. To
  non-interactively renew *all* of your certificates, run
  "certbot-auto renew"

The other files are also in the /etc/letsencrypt/live/www.example.com/ directory and can be used as follows in your Apache config. The SSLCipherSuite, SSLProtocol and SSLHonorCipherOrder lines result in an 'A' rating at the SSL Labs server test.

<VirtualHost 10.20.30.40:443>
ServerName www.example.com
ServerAlias example.com
DocumentRoot /var/www/html/example.com
SSLEngine on
SSLProtocol all -SSLv2 -SSLv3
SSLCipherSuite EECDH+ECDSA+AESGCM:EECDH+aRSA+AESGCM:EECDH+ECDSA+SHA384:EECDH+ECDSA+SHA256:EECDH+aRSA+SHA384:EECDH+aRSA+SHA256:EECDH+aRSA+RC4:EECDH:EDH+aRSA:RC4:!aNULL:!eNULL:!LOW:!3DES:!MD5:!EXP:!PSK:!SRP:!DSS:!RC4
SSLHonorCipherOrder on
SSLCertificateFile /etc/letsencrypt/live/www.example.com/cert.pem
SSLCertificateKeyFile /etc/letsencrypt/live/www.example.com/privkey.pem
SSLCertificateChainFile /etc/letsencrypt/live/www.example.com/chain.pem
</VirtualHost>
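The success message above gives an expiry date about three months out and says to run certbot-auto renew. The script below is an added example, not part of the wiki page or of certbot, that finds certificates inside a renewal window so a cron job can warn before the date passes. It walks the /etc/letsencrypt/live/<site>/cert.pem layout from the page and uses openssl's -checkend option rather than parsing dates; the function names, the 30-day default and the self-signed test certificates it can build are assumptions.

```shell
#!/bin/sh
# Added example, not from the wiki page: find Let's Encrypt certificates that
# are inside their renewal window. It relies on openssl's -checkend option, so
# no locale-dependent date parsing is needed. Paths follow certbot's
# /etc/letsencrypt/live/<site>/cert.pem layout from the page.
set -eu

# Usage: expires_within <cert.pem> <days>
# Exit 0 if the certificate expires within <days> days (or already has), 1 if not.
expires_within() {
    if openssl x509 -noout -checkend "$(( $2 * 86400 ))" -in "$1" >/dev/null; then
        return 1   # still valid beyond the window
    fi
    return 0
}

# Usage: end_date <cert.pem>   -> prints the notAfter value, e.g. "Sep 21 12:00:00 2016 GMT"
end_date() {
    openssl x509 -noout -enddate -in "$1" | sed 's/^notAfter=//'
}

# Usage: expiring_sites <live-dir> <days>
# Prints, one per line, each <site> under <live-dir> whose cert.pem expires
# within <days> days; prints nothing when every certificate is fine.
expiring_sites() {
    for cert in "$1"/*/cert.pem; do
        [ -f "$cert" ] || continue
        if expires_within "$cert" "$2"; then
            basename "$(dirname "$cert")"
        fi
    done
}

# Usage: make_test_cert <live-dir> <site> <days>
# Constructed test data only: a self-signed certificate in the certbot layout.
make_test_cert() {
    mkdir -p "$1/$2"
    openssl req -x509 -newkey rsa:2048 -nodes -days "$3" -subj "/CN=$2" \
        -keyout "$1/$2/privkey.pem" -out "$1/$2/cert.pem" 2>/dev/null
}

# "sh check-expiry.sh scan [live-dir] [days]": list sites to renew (default 30 days).
# Run from cron, alert on non-empty output, then run "certbot-auto renew".
if [ "${1:-}" = "scan" ]; then
    live=${2:-/etc/letsencrypt/live}
    days=${3:-30}
    for site in $(expiring_sites "$live" "$days"); do
        echo "RENEW $site (not after $(end_date "$live/$site/cert.pem"))"
    done
fi
```

The -checkend option has been in openssl x509 for a long time and returns non-zero when the certificate expires within the given number of seconds, which is why expires_within inverts its status. Checking cert.pem rather than fullchain.pem is deliberate: the leaf certificate is the one that expires after about 90 days.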