Changes between Version 6 and Version 7 of SystemAdministration/Security/TLS

Timestamp:

12/02/15 12:09:50 (8 years ago)

Author:

Sander Maijers

Comment:

• ENHANCE: Add instructions for handling private keys and other relevant files.

SystemAdministration/Security/TLS

@@ -1 @@
-= Creating a TLS certificate
-== Bundle for `nginx`'s `ssl_certificate` (site, intermediate, root)
+= Handling TLS related configuration
+...
+== Creating a TLS certificate
+...
+
+== Organization of TLS certificate-related files
+There are two categories of files that need to be kept.
+1. Files not directly relevant to production (`'/root/certstore/'` on a secure admin workstation):
+* The certificate signing request (CSR);
+* CSR creation config files for e.g. OpenSSL;
+* CA and site certificates in various formats ;
+* (This same file set for past, expired certificates.).
+2. Files directly relevant to production (`'/etc/CLARIN_TLS/'`):
+* The private key;
+* Certificate bundles;
+* Diffie-Hellman parameters.
+{{{
+/etc/CLARIN_TLS/
+├── [dr-xr-xr-x root     root     1.0K]  _.clarin.eu
+│   ├── [-r--r--r-- root     root     2.6K]  OCSP_bundle.pem
+│   ├── [-r--r--r-- root     root     4.3K]  bundle.pem
+│   └── [-r-------- root     root     1.6K]  private_nopass.key
+└── [-r--r--r-- root     root      424]  dhparam.pem
+}}}
+For practical reasons, our serverices use a passphrase-less (unencrypted) private key.
+Before private key files are generated (on a secure admin workstation): 
+1. a root shell must be started, preferable a limited, secure shell such as `dash`,
+2. unnecessary processes must be closed (e.g. graphical environment, browser),
+3. the `umask` must be set so that no file created is every readable by someone other than the superuser, 
+4. file permissions must be double checked.
+
+The private key should not be stored outside server hosts that critically need it, except for a minimal number of backups on secure admin workstations, always in encrypted form.
+
+== Bundling TLS certificates
+=== Bundle for `nginx`'s `ssl_certificate` (site, intermediate, root)
 {{{
 #!sh
 ## as root:
-cd '/root/certstore/wildcard-clarin-eu-new/' &&
+cd '/root/certstore/' &&
 printf '\n' > 'newline' &&
 ## Concatenate certificates in this order for Nginx
-cat 'clarin.eu/cert/wildcard-clarin-eu.cer' 'newline' 'clarin.eu/cert/RapidSSLSHA256CA-G3.cer' 'newline' 'clarin.eu/cert/GeoTrustGlobalCA.cer' 'newline' > 'bundle.cer'
-dos2unix 'bundle.cer'
+cat 'clarin.eu/cert/wildcard-clarin-eu.cer' 'newline' 'clarin.eu/cert/RapidSSLSHA256CA-G3.cer' 'newline' 'clarin.eu/cert/GeoTrustGlobalCA.cer' 'newline' > '/etc/CLARIN_TLS/_clarin.eu/bundle.cer'
+dos2unix '/etc/CLARIN_TLS/_clarin.eu/bundle.cer'
+chmod a=r '/etc/CLARIN_TLS/_clarin.eu/bundle.cer'
 }}}
 
-== Bundle for `nginx`'s `ssl_trusted_certificate` (root, intermediate)
+=== Bundle for `nginx`'s `ssl_trusted_certificate` (root, intermediate)
 
 {{{
 #!sh
 ## as root:
-cd '/root/certstore/wildcard-clarin-eu-new/' &&
+cd '/root/certstore/' &&
 printf '\n' > 'newline' &&
 ## Concatenate certificates in this order for Nginx
-cat 'clarin.eu/cert/GeoTrustGlobalCA.cer' 'newline' 'clarin.eu/cert/RapidSSLSHA256CA-G3.cer' 'newline' > 'trusted_bundle.cer'
-dos2unix 'trusted_bundle.cer'
+cat 'clarin.eu/cert/GeoTrustGlobalCA.cer' 'newline' 'clarin.eu/cert/RapidSSLSHA256CA-G3.cer' 'newline' > '/etc/CLARIN_TLS/_clarin.eu/trusted_bundle.cer'
+dos2unix '/etc/CLARIN_TLS/_clarin.eu/trusted_bundle.cer'
+chmod a=r '/etc/CLARIN_TLS/_clarin.eu/trusted_bundle.cer'
 }}}