wiki:SystemAdministration/Security/TLS

Handling TLS related configuration

...

Creating a TLS certificate

...

Organization of TLS certificate-related files

There are two categories of files that need to be kept.

  1. Files not directly relevant to production ('/root/certstore/' on a secure admin workstation):
  • The certificate signing request (CSR);
  • CSR creation config files for e.g. OpenSSL;
  • CA and site certificates in various formats;
  • (The same file set for past, expired certificates).
  2. Files directly relevant to production ('/etc/CLARIN_TLS/'):
  • The private key;
  • Certificate bundles;
  • Diffie-Hellman parameters.
    /etc/CLARIN_TLS/
    ├── [dr-xr-xr-x root     root     1.0K]  _.clarin.eu
    │   ├── [-r--r--r-- root     root     2.6K]  OCSP_bundle.pem
    │   ├── [-r--r--r-- root     root     4.3K]  bundle.pem
    │   └── [-r-------- root     root     1.6K]  private_nopass.key
    └── [-r--r--r-- root     root      424]  dhparam.pem
    

For practical reasons, our services use a passphrase-less (unencrypted) private key. Before private key files are generated (on a secure admin workstation):

  1. A root shell must be used for it (preferably a limited, secure shell such as dash).
  2. Unnecessary processes must be closed (e.g. graphical environment, browser).
  3. The umask must be set so that no file created is ever readable by someone other than the superuser.
  4. File permissions must be double checked after completing the work.

The private key should not be stored outside server hosts that critically need it, except for a minimal number of backups on secure admin workstations, always in encrypted form.
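The checklist above (restrictive umask, permissions double-checked afterwards) and the file layout under /etc/CLARIN_TLS/ can be turned into a small script. The following is an added example, not part of this wiki page: gen_private_key creates a passphrase-less key inside a subshell with umask 077 and then locks it to 0400 (the -r-------- mode shown in the tree above); audit_tls_dir walks a directory laid out like /etc/CLARIN_TLS/ and reports any *.key readable by group or other, and any file writable by group or other. The paths are placeholders and openssl is assumed to be installed; the permission check uses the ls -l mode string, which is portable where stat's flags are not.

```shell
#!/bin/sh
# Added example (not from the CLARIN wiki): hardened private-key generation
# plus the permission double-check the checklist asks for.
set -eu

# Create KEYFILE under umask 077 so it is born 0600 and is never, even for an
# instant, readable by anyone but the owner; then tighten it to 0400.
# Assumes openssl is installed; the key type/size is an example choice.
gen_private_key() {
    keyfile=$1
    (
        umask 077
        openssl genpkey -algorithm RSA -pkeyopt rsa_keygen_bits:2048 \
            -out "$keyfile" 2>/dev/null
    )
    chmod 400 "$keyfile"
}

# Succeed only if the group and "other" fields of FILE's mode are all dashes,
# i.e. only the owner has any access. Position 1 of `ls -l` output is the file
# type, 2-4 the owner bits, 5-10 the group and other bits.
only_owner_can_read() {
    case $(ls -ld -- "$1") in
        ????------*) return 0 ;;
        *)           return 1 ;;
    esac
}

# Audit a tree laid out like /etc/CLARIN_TLS/: every *.key must be owner-only,
# and no file may be writable by group (mode position 6) or other (position 9).
# Prints one line per violation and returns 1 if any were found.
audit_tls_dir() {
    violations=$(find "$1" -type f | while IFS= read -r f; do
        case $f in
            *.key) only_owner_can_read "$f" || echo "private key exposed: $f" ;;
        esac
        case $(ls -ld -- "$f") in
            ?????w*|????????w*) echo "group/other writable: $f" ;;
        esac
    done)
    [ -z "$violations" ] && return 0
    printf '%s\n' "$violations"
    return 1
}

# Example run with placeholder paths (run as root on the admin workstation):
#   gen_private_key /root/certstore/private_nopass.key
#   audit_tls_dir /etc/CLARIN_TLS || echo "fix the permissions before deploying"
```

Running audit_tls_dir as the last step of the procedure gives step 4 of the checklist a repeatable form; an empty result means the tree matches the layout shown above.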

Bundling TLS certificates

Bundle for nginx's ssl_certificate (site, intermediate, root)

## as root:
cd '/root/certstore/' &&
printf '\n' > 'newline' &&
## Concatenate certificates in this order for Nginx: site, intermediate, root
cat 'clarin.eu/cert/wildcard-clarin-eu.cer' 'newline' 'clarin.eu/cert/RapidSSLSHA256CA-G3.cer' 'newline' 'clarin.eu/cert/GeoTrustGlobalCA.cer' 'newline' > '/etc/CLARIN_TLS/_clarin.eu/bundle.cer' &&
dos2unix '/etc/CLARIN_TLS/_clarin.eu/bundle.cer' &&
chmod a=r '/etc/CLARIN_TLS/_clarin.eu/bundle.cer'

Bundle for nginx's ssl_trusted_certificate (root, intermediate)

## as root:
cd '/root/certstore/' &&
printf '\n' > 'newline' &&
## Concatenate certificates in this order for Nginx: root, intermediate
cat 'clarin.eu/cert/GeoTrustGlobalCA.cer' 'newline' 'clarin.eu/cert/RapidSSLSHA256CA-G3.cer' 'newline' > '/etc/CLARIN_TLS/_clarin.eu/trusted_bundle.cer' &&
dos2unix '/etc/CLARIN_TLS/_clarin.eu/trusted_bundle.cer' &&
chmod a=r '/etc/CLARIN_TLS/_clarin.eu/trusted_bundle.cer'
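The two bundling recipes above rely on a helper 'newline' file so that one certificate's END marker is never glued to the next BEGIN marker, and on dos2unix to strip CRLF endings from certificates delivered by the CA. The following is an added example, not part of this wiki page: bundle_pems does both inline (CRLF removal, and a newline appended only where an input lacks one), cert_count gives a quick sanity check on the result, and check_chain_order confirms that a bundle intended for ssl_certificate really is ordered leaf, intermediate, root by comparing each certificate's issuer with the subject of the next one. The order check is for the ssl_certificate bundle only; the ssl_trusted_certificate bundle is a trust store and its order does not matter. File names are placeholders and openssl is assumed to be installed for check_chain_order.

```shell
#!/bin/sh
# Added example (not from the CLARIN wiki): build and sanity-check an nginx
# certificate bundle without a separate 'newline' file or dos2unix.
set -eu

# Concatenate PEM files into OUT in argument order. Each input has CR bytes
# removed (what dos2unix does) and is guaranteed to end in a newline, so the
# next "-----BEGIN CERTIFICATE-----" always starts on its own line.
bundle_pems() {
    out=$1; shift
    rm -f "$out"
    : > "$out"
    for pem in "$@"; do
        tr -d '\r' < "$pem" >> "$out"
        # $(tail -c 1) is empty when the last byte is a newline; otherwise add one
        if [ -n "$(tail -c 1 "$pem")" ]; then
            printf '\n' >> "$out"
        fi
    done
    chmod a=r "$out"
}

# Number of certificates in a bundle (0 rather than an error when none).
cert_count() {
    grep -c -- '-----BEGIN CERTIFICATE-----' "$1" || :
}

# For an ssl_certificate bundle, the issuer of certificate i must equal the
# subject of certificate i+1 (leaf -> intermediate -> root). Returns 1 at the
# first break, e.g. when root and leaf were concatenated in the wrong order.
# The sed strips the "subject=" / "issuer=" prefix that openssl prints.
check_chain_order() {
    bundle=$1
    work=$(mktemp -d)
    # split the bundle into cert1.pem, cert2.pem, ... at each BEGIN marker
    awk -v dir="$work" '/-----BEGIN CERTIFICATE-----/ { n++ }
                        { print > (dir "/cert" n ".pem") }' "$bundle"
    i=1
    while [ -f "$work/cert$((i + 1)).pem" ]; do
        issuer=$(openssl x509 -noout -issuer -in "$work/cert$i.pem" | sed 's/^[^=]*=//')
        subject=$(openssl x509 -noout -subject -in "$work/cert$((i + 1)).pem" | sed 's/^[^=]*=//')
        if [ "$issuer" != "$subject" ]; then
            echo "chain break between certificate $i and $((i + 1))" >&2
            rm -rf "$work"
            return 1
        fi
        i=$((i + 1))
    done
    rm -rf "$work"
    return 0
}

# Example run with placeholder paths (as root, from /root/certstore/):
#   bundle_pems /etc/CLARIN_TLS/_clarin.eu/bundle.cer site.cer intermediate.cer root.cer
#   check_chain_order /etc/CLARIN_TLS/_clarin.eu/bundle.cer || echo "wrong order, do not deploy"
```

A misordered ssl_certificate bundle is easy to produce and nginx starts happily with it; clients, however, fail to build the chain, so the order check is worth running before reloading nginx.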

Testing connectivity to an HTTPS web server that uses Server Name Indication

If you have e.g. a Docker container listening on 127.0.0.1, port 443, issue:

curl -v -4 --resolve 'infra.clarin.eu:443:127.0.0.1' --resolve 'infra.clarin.eu:80:127.0.0.1' 'https://infra.clarin.eu/'
Last modified on 12/02/15 13:28:33