Changes between Version 6 and Version 7 of SystemAdministration/Security/TLS
Timestamp: 12/02/15 12:09:50
SystemAdministration/Security/TLS
v6 v7 1 = Creating a TLS certificate 2 == Bundle for `nginx`'s `ssl_certificate` (site, intermediate, root) 1 = Handling TLS related configuration 2 ... 3 == Creating a TLS certificate 4 ... 5 6 == Organization of TLS certificate-related files 7 There are two categories of files that need to be kept. 8 1. Files not directly relevant to production (`'/root/certstore/'` on a secure admin workstation): 9 * The certificate signing request (CSR); 10 * CSR creation config files for e.g. OpenSSL; 11 * CA and site certificates in various formats ; 12 * (This same file set for past, expired certificates.). 13 2. Files directly relevant to production (`'/etc/CLARIN_TLS/'`): 14 * The private key; 15 * Certificate bundles; 16 * Diffie-Hellman parameters. 17 {{{ 18 /etc/CLARIN_TLS/ 19 ├── [dr-xr-xr-x root root 1.0K] _.clarin.eu 20 │ ├── [-r--r--r-- root root 2.6K] OCSP_bundle.pem 21 │ ├── [-r--r--r-- root root 4.3K] bundle.pem 22 │ └── [-r-------- root root 1.6K] private_nopass.key 23 └── [-r--r--r-- root root 424] dhparam.pem 24 }}} 25 For practical reasons, our serverices use a passphrase-less (unencrypted) private key. 26 Before private key files are generated (on a secure admin workstation): 27 1. a root shell must be started, preferable a limited, secure shell such as `dash`, 28 2. unnecessary processes must be closed (e.g. graphical environment, browser), 29 3. the `umask` must be set so that no file created is every readable by someone other than the superuser, 30 4. file permissions must be double checked. 31 32 The private key should not be stored outside server hosts that critically need it, except for a minimal number of backups on secure admin workstations, always in encrypted form. 
33 34 == Bundling TLS certificates 35 === Bundle for `nginx`'s `ssl_certificate` (site, intermediate, root) 3 36 {{{ 4 37 #!sh 5 38 ## as root: 6 cd '/root/certstore/ wildcard-clarin-eu-new/' &&39 cd '/root/certstore/' && 7 40 printf '\n' > 'newline' && 8 41 ## Concatenate certificates in this order for Nginx 9 cat 'clarin.eu/cert/wildcard-clarin-eu.cer' 'newline' 'clarin.eu/cert/RapidSSLSHA256CA-G3.cer' 'newline' 'clarin.eu/cert/GeoTrustGlobalCA.cer' 'newline' > 'bundle.cer' 10 dos2unix 'bundle.cer' 42 cat 'clarin.eu/cert/wildcard-clarin-eu.cer' 'newline' 'clarin.eu/cert/RapidSSLSHA256CA-G3.cer' 'newline' 'clarin.eu/cert/GeoTrustGlobalCA.cer' 'newline' > '/etc/CLARIN_TLS/_clarin.eu/bundle.cer' 43 dos2unix '/etc/CLARIN_TLS/_clarin.eu/bundle.cer' 44 chmod a=r '/etc/CLARIN_TLS/_clarin.eu/bundle.cer' 11 45 }}} 12 46 13 == Bundle for `nginx`'s `ssl_trusted_certificate` (root, intermediate)47 === Bundle for `nginx`'s `ssl_trusted_certificate` (root, intermediate) 14 48 15 49 {{{ 16 50 #!sh 17 51 ## as root: 18 cd '/root/certstore/ wildcard-clarin-eu-new/' &&52 cd '/root/certstore/' && 19 53 printf '\n' > 'newline' && 20 54 ## Concatenate certificates in this order for Nginx 21 cat 'clarin.eu/cert/GeoTrustGlobalCA.cer' 'newline' 'clarin.eu/cert/RapidSSLSHA256CA-G3.cer' 'newline' > 'trusted_bundle.cer' 22 dos2unix 'trusted_bundle.cer' 55 cat 'clarin.eu/cert/GeoTrustGlobalCA.cer' 'newline' 'clarin.eu/cert/RapidSSLSHA256CA-G3.cer' 'newline' > '/etc/CLARIN_TLS/_clarin.eu/trusted_bundle.cer' 56 dos2unix '/etc/CLARIN_TLS/_clarin.eu/trusted_bundle.cer' 57 chmod a=r '/etc/CLARIN_TLS/_clarin.eu/trusted_bundle.cer' 23 58 }}} 24 59
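Review bot: the new "Organization of TLS certificate-related files" section (new lines 6 to 32) documents a directory tree that does not match the scripts that populate it: the tree lists `/etc/CLARIN_TLS/_.clarin.eu/` holding `bundle.pem` and `OCSP_bundle.pem`, while the bundling commands later in the page write `/etc/CLARIN_TLS/_clarin.eu/bundle.cer` and `/etc/CLARIN_TLS/_clarin.eu/trusted_bundle.cer` (directory name with a dot versus without, `.pem` versus `.cer`, `OCSP_bundle` versus `trusted_bundle`). Pick one naming scheme and use it in both places, since these are the paths that `ssl_certificate` and `ssl_trusted_certificate` in the `nginx` config will point at. Two smaller points in the same hunk: step 3 of the pre-generation checklist says the `umask` "must be set" but never says to what; state it as `umask 077` (or `umask 0077`) so the operator does not have to work it out. And for the wording: "serverices" should be "services", "preferable a limited, secure shell" should be "preferably", and "is every readable" should be "is ever readable".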
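Review bot: the `ssl_certificate` bundle script (new lines 36 to 45) installs the concatenated file straight into `/etc/CLARIN_TLS/` without checking that the chain it built actually validates or that it belongs to the private key; a wrong concatenation order or a stale intermediate only shows up at handshake time. Add a verification step before the `chmod`, for example
`openssl verify -CAfile 'clarin.eu/cert/GeoTrustGlobalCA.cer' -untrusted 'clarin.eu/cert/RapidSSLSHA256CA-G3.cer' 'clarin.eu/cert/wildcard-clarin-eu.cer'`
and compare `openssl x509 -noout -pubkey -in 'clarin.eu/cert/wildcard-clarin-eu.cer'` with `openssl pkey -pubout -in '/etc/CLARIN_TLS/_clarin.eu/private_nopass.key'` (the two outputs must be identical). Also, `nginx` sends every certificate in the `ssl_certificate` file to the client, and the root (`GeoTrustGlobalCA.cer`) is already in the client's trust store, so appending it at the end only adds bytes to every handshake; site certificate followed by the intermediate is sufficient. Minor: the helper file `newline` created by `printf '\n' > 'newline'` is left behind in `/root/certstore/`; either remove it at the end or emit the separator inline with `printf '\n'` between the `cat` calls.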
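Review bot: the `ssl_trusted_certificate` bundle script (new lines 47 to 58) records the concatenation order (root, then intermediate) but not what the file is for or how to confirm it works. `nginx` reads `ssl_trusted_certificate` to verify stapled OCSP responses when `ssl_stapling_verify on` is set (and to verify client certificates if `ssl_verify_client` is used), which is why the issuing intermediate and its root both have to be in it; a one-line comment to that effect in the heading or script would save the next operator from guessing why this file differs from the `ssl_certificate` bundle. Add a post-deployment check as well, e.g. `openssl s_client -connect <host>:443 -servername <host> -status </dev/null 2>&1 | grep -A 3 'OCSP'`, which should print an "OCSP Response Status: successful" block rather than "OCSP response: no response sent" once stapling is configured against this file. As with the other bundle, verify the result before `chmod a=r` instead of after installation.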