Handling TLS related configuration
...
Creating a TLS certificate
...
Organization of TLS certificate-related files
There are two categories of files that need to be kept.
- Files not directly relevant to production ('/root/certstore/' on a secure admin workstation):
  - The certificate signing request (CSR);
  - CSR creation config files for e.g. OpenSSL;
  - CA and site certificates in various formats;
  - (This same file set for past, expired certificates.)
- Files directly relevant to production ('/etc/CLARIN_TLS/'):
  - The private key;
  - Certificate bundles;
  - Diffie-Hellman parameters.
/etc/CLARIN_TLS/
├── [dr-xr-xr-x root root 1.0K]  _.clarin.eu
│   ├── [-r--r--r-- root root 2.6K]  OCSP_bundle.pem
│   ├── [-r--r--r-- root root 4.3K]  bundle.pem
│   └── [-r-------- root root 1.6K]  private_nopass.key
└── [-r--r--r-- root root  424]  dhparam.pem
For practical reasons, our services use a passphrase-less (unencrypted) private key. Before private key files are generated (on a secure admin workstation):
- A root shell must be used for this (preferably a limited, secure shell such as dash).
- Unnecessary processes must be closed (e.g. graphical environment, browser).
- The umask must be set so that no file created is ever readable by anyone other than the superuser.
- File permissions must be double-checked after completing the work.
The private key should not be stored outside server hosts that critically need it, except for a minimal number of backups on secure admin workstations, always in encrypted form.
Bundling TLS certificates
Bundle for nginx's ssl_certificate (site, intermediate, root)
## as root:
cd '/root/certstore/' &&
printf '\n' > 'newline' &&
## Concatenate certificates in this order for Nginx
cat 'clarin.eu/cert/wildcard-clarin-eu.cer' 'newline' \
    'clarin.eu/cert/RapidSSLSHA256CA-G3.cer' 'newline' \
    'clarin.eu/cert/GeoTrustGlobalCA.cer' 'newline' \
    > '/etc/CLARIN_TLS/_clarin.eu/bundle.cer'
dos2unix '/etc/CLARIN_TLS/_clarin.eu/bundle.cer'
chmod a=r '/etc/CLARIN_TLS/_clarin.eu/bundle.cer'
Bundle for nginx's ssl_trusted_certificate (root, intermediate)
## as root:
cd '/root/certstore/' &&
printf '\n' > 'newline' &&
## Concatenate certificates in this order for Nginx
cat 'clarin.eu/cert/GeoTrustGlobalCA.cer' 'newline' \
    'clarin.eu/cert/RapidSSLSHA256CA-G3.cer' 'newline' \
    > '/etc/CLARIN_TLS/_clarin.eu/trusted_bundle.cer'
dos2unix '/etc/CLARIN_TLS/_clarin.eu/trusted_bundle.cer'
chmod a=r '/etc/CLARIN_TLS/_clarin.eu/trusted_bundle.cer'
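The two bundling recipes above rely on the 'newline' file and dos2unix because CA-issued .cer files often use CRLF line endings and lack a trailing newline, which would glue one END marker onto the next BEGIN marker and make nginx reject the bundle. The following is an added example, not the CLARIN page's own script, that builds a bundle in a given order while normalising every input, then verifies the result and the private-key permissions the page says must be double-checked; it assumes a Linux host with POSIX sh, awk, tr, cmp and GNU stat, and the file names in the test are constructed.

```shell
#!/bin/sh
# Added example (not from the CLARIN wiki): robust nginx bundle construction.
set -eu

# make_bundle OUTPUT CERT... : concatenate PEM files in the order given.
# Each input is stripped of CR bytes and guaranteed a trailing newline, so
# two PEM blocks can never end up on one line (the job of 'newline' + dos2unix).
make_bundle() {
    out=$1; shift
    : > "$out"
    for cert in "$@"; do
        # tr drops CR; awk re-emits each record with a newline, adding one if absent
        tr -d '\r' < "$cert" | awk '{ print }' >> "$out"
    done
    chmod a=r "$out"            # bundles hold public data only: world-readable
}

# check_bundle FILE EXPECTED : succeed only if FILE has no CR bytes and exactly
# EXPECTED cleanly delimited "-----BEGIN/END CERTIFICATE-----" blocks.
check_bundle() {
    file=$1; expected=$2
    if ! tr -d '\r' < "$file" | cmp -s - "$file"; then
        echo "check_bundle: CR bytes found in $file" >&2
        return 1
    fi
    # Glued markers match neither anchored pattern, so the counts reveal them.
    begins=$(grep -c '^-----BEGIN CERTIFICATE-----$' "$file" || true)
    ends=$(grep -c '^-----END CERTIFICATE-----$' "$file" || true)
    if [ "$begins" -ne "$expected" ] || [ "$ends" -ne "$expected" ]; then
        echo "check_bundle: expected $expected blocks, got $begins BEGIN / $ends END" >&2
        return 1
    fi
}

# check_key_perms FILE : a private key must be readable by its owner only (0400),
# as in the page's listing. Uses GNU stat (assumption: Linux host).
check_key_perms() {
    mode=$(stat -c '%a' "$1")
    [ "$mode" = "400" ]
}
```

A naive `cat` of the same inputs fails `check_bundle` as soon as one file lacks its trailing newline, which is exactly the case the 'newline' trick on the page guards against.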
Testing connectivity to an HTTPS web server that uses Server Name Indication
If you have e.g. a Docker container listening on 127.0.0.1, port 443, issue:
curl -v -4 --resolve 'infra.clarin.eu:443:127.0.0.1' --resolve 'infra.clarin.eu:80:127.0.0.1' 'https://infra.clarin.eu/'
Last modified on 12/02/15 13:28:33