How to create and renew SSL certificates

== Requirements ==
* webserver (nginx)
* OpenSSL command-line tools

== Create the OpenSSL request configuration file ==
Create a configuration file with the information about your server, e.g. <code>ruisdael.cfg</code>, with the structure below, and place it in <code>/etc/ssl/</code>.<ref><code>/etc/ssl/</code> is only a conventional location, but keeping the SSL configuration files there means they can be found and reused when the certificates have to be renewed.</ref> Change <code>commonName</code>, <code>DNS.1</code> and <code>DNS.2</code> to the host names for which you are requesting the certificate. The <code>commonName</code> must also be listed under <code>[alt_names]</code>: browsers match a certificate against its <code>subjectAltName</code> entries and ignore the CN.

<source>
[ req ]
default_bits = 2048
distinguished_name = req_distinguished_name
req_extensions = req_ext
prompt = no

[ req_distinguished_name ]
countryName = NL
stateOrProvinceName = Zuid-Holland
localityName = Delft
organizationName = Delft University of Technology
commonName = ruisdael.citg.tudelft.nl

[ req_ext ]
subjectAltName = @alt_names

[alt_names]
DNS.1 = ruisdael.citg.tudelft.nl
DNS.2 = www.ruisdael.citg.tudelft.nl
</source>

== Generate DH parameters with OpenSSL (takes some time) ==
<code>cd /etc/nginx/</code>

<code>openssl dhparam -out dhparam.pem 4096</code>

These parameters are only used by TLS 1.2 DHE cipher suites. With the TLSv1.3-only <code>ssl_protocols</code> setting used below they are never negotiated, but the <code>ssl_dhparam</code> directive in the snippet still requires the file to exist, so generate it once.

== Create a CSR (certificate signing request) from the config file ==
Using the <code>.cfg</code> file, generate a new private key and the CSR in one step:

<code>openssl req -new -newkey rsa:2048 -nodes -keyout ruisdael.key -out ruisdael.csr -config ruisdael.cfg</code>

<code>-nodes</code> writes the key unencrypted so that nginx can start without a passphrase; keep <code>ruisdael.key</code> on the server and readable by root only.

Attach the resulting CSR (only the <code>.csr</code> file, never the key) to an [https://tudelft.topdesk.net/tas/public/ssp/content/serviceflow?unid=62aeef08314247f3aba7ff2297d011da ICT SSL request] and wait for the ICT response.

== Install the signed certificate (*.pem) ==
ICT sends back the certificate signed by the certificate authority (CA), with a <code>.pem</code> extension. Then:

* Move the SSL certificate <code>*.pem</code> to <code>/etc/ssl/certs/</code>
* Move the private key <code>*.key</code> (generated by the <code>openssl req</code> command above) to <code>/etc/ssl/private/</code>, keeping it readable by root only

If the CA also provides intermediate certificates, nginx expects them in the same file as the server certificate, with the server certificate first; without them, clients that do not already have the intermediate cannot build the chain.

== Webserver (nginx) configuration ==
Edit <code>/etc/nginx/snippets/ruisdael.conf</code>, indicating the path of the certificate (<code>.pem</code>) and private key:

<source>
ssl_certificate /etc/ssl/certs/ruisdael_citg_tudelft_nl.pem;
ssl_certificate_key /etc/ssl/private/ruisdael.key;
</source>

Include <code>snippets/ruisdael.conf</code> in the nginx site config:

<source lang=conf>
server {
    listen 443 ssl;
    listen [::]:443 ssl;
    include snippets/ruisdael.conf;
    include snippets/ssl-params.conf;

    root /data/reform/;
    index index.php index.html index.htm index.nginx-debian.html;
    server_name ruisdael.citg.tudelft.nl www.ruisdael.citg.tudelft.nl;

    location / {
        try_files $uri $uri/ =404;
    }
}

# Plain HTTP only redirects to HTTPS. $server_name is the first name of the
# server_name list, so www.* requests land on the bare host name, which the
# certificate also covers.
server {
    listen 80;
    listen [::]:80;
    server_name ruisdael.citg.tudelft.nl www.ruisdael.citg.tudelft.nl;
    return 301 https://$server_name$request_uri;
}
</source>

Ensure that <code>/etc/nginx/snippets/ssl-params.conf</code> includes the following content:

<source lang=conf>
ssl_protocols TLSv1.3;
ssl_prefer_server_ciphers on;
ssl_dhparam /etc/nginx/dhparam.pem;
ssl_ciphers EECDH+AESGCM:EDH+AESGCM;
ssl_ecdh_curve secp384r1;
ssl_session_timeout 10m;
ssl_session_cache shared:SSL:10m;
ssl_session_tickets off;
ssl_stapling on;
ssl_stapling_verify on;
resolver 8.8.8.8 8.8.4.4 valid=300s;
resolver_timeout 5s;
# Disable strict transport security for now. You can uncomment the following
# line if you understand the implications.
#add_header Strict-Transport-Security "max-age=63072000; includeSubDomains; preload";
add_header X-Frame-Options DENY;
add_header X-Content-Type-Options nosniff;
add_header X-XSS-Protection "1; mode=block";
</source>

Two things to be aware of in this snippet. With <code>ssl_protocols TLSv1.3;</code> only TLS 1.3 clients can connect, and the <code>ssl_ciphers</code>, <code>ssl_prefer_server_ciphers</code> and <code>ssl_dhparam</code> lines have no effect until you also list <code>TLSv1.2</code>, because TLS 1.3 uses its own fixed cipher suite list that nginx does not select through <code>ssl_ciphers</code>. Before uncommenting the HSTS header, make sure every host covered by <code>includeSubDomains</code> is reachable over HTTPS: once a browser has seen the header it refuses plain HTTP to those hosts for the whole <code>max-age</code> (two years here). <code>X-XSS-Protection</code> is ignored by current browsers and only matters for legacy ones.

Test the configuration, then restart nginx:

<code>nginx -t</code>

<code>systemctl restart nginx</code>

If necessary, open firewall ports 80 and 443:

<code>ufw allow 80</code>

<code>ufw allow 443</code>

== Renew certificates ==
The signed certificates have a one-year life span. When a certificate is about to expire, ICT will ask you to renew it. Renewal repeats two of the steps above, reusing the configuration file kept in <code>/etc/ssl/</code>:

* '''Create a CSR (certificate signing request) from the config file''': the <code>openssl req</code> command generates a fresh key pair together with the CSR, so the old key is replaced as well.
* '''Install the signed certificate (*.pem)''': replace the files in <code>/etc/ssl/certs/</code> and <code>/etc/ssl/private/</code> together (a new certificate with the old key, or the reverse, makes nginx fail to start with a key mismatch), then run <code>nginx -t</code> and restart nginx so the new certificate is served.

== References ==
<references/>
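== Worked example: checking the CSR and the returned certificate ==
The following shell script is an added example; it is not part of the original page or of the ICT process, and the function and file names (<code>prepare_csr</code>, <code>check_cert</code>, <code>server.key</code>, <code>server.csr</code>) are the example's own. It is written for the host names used above and assumes OpenSSL 1.1.1 or later. It covers the two steps repeated at every renewal: it writes the request configuration from a CN and a SAN list, generates the key and CSR the way the <code>openssl req</code> command above does (with the key file readable by its owner only), and verifies before anything is sent to ICT that the CSR carries every expected name and belongs to the key. Once a <code>.pem</code> comes back, it checks that the certificate matches the key and covers every <code>server_name</code>, and reports whether the certificate is inside the renewal window.

```shell
#!/bin/sh
# Added example for this page, not the page's own procedure: prepare a CSR and
# check a returned certificate. Function and file names are the example's own.
set -e

# Write an OpenSSL request config with the same layout as ruisdael.cfg above.
# Usage: write_csr_config out.cfg CN dns1 [dns2 ...]
write_csr_config() {
    local out="$1" cn="$2" i=1 name; shift 2
    {
        printf '[ req ]\ndefault_bits = 2048\n'
        printf 'distinguished_name = req_distinguished_name\n'
        printf 'req_extensions = req_ext\nprompt = no\n\n'
        printf '[ req_distinguished_name ]\ncountryName = NL\n'
        printf 'stateOrProvinceName = Zuid-Holland\nlocalityName = Delft\n'
        printf 'organizationName = Delft University of Technology\n'
        printf 'commonName = %s\n\n' "$cn"
        printf '[ req_ext ]\nsubjectAltName = @alt_names\n\n[alt_names]\n'
        for name in "$@"; do printf 'DNS.%d = %s\n' "$i" "$name"; i=$((i + 1)); done
    } > "$out"
}

# Generate a fresh 2048-bit RSA key and the CSR, as the page's openssl req
# command does; umask 077 makes the key file readable by its owner only.
make_key_and_csr() {
    local cfg="$1" key="$2" csr="$3"
    (umask 077 && openssl req -new -newkey rsa:2048 -nodes \
        -keyout "$key" -out "$csr" -config "$cfg" 2>/dev/null)
}

# Print the DNS SAN entries of a CSR (kind=req) or certificate (kind=x509),
# one host name per line.
san_names() {
    local kind="$1" file="$2"
    openssl "$kind" -in "$file" -noout -text \
        | grep -A1 'Subject Alternative Name' | tail -n 1 \
        | tr ',' '\n' | sed 's/^[[:space:]]*DNS://'
}

# Succeed when every host name given after the file is listed in its SANs.
# Usage: covers_names req|x509 file name...
covers_names() {
    local kind="$1" file="$2" sans name; shift 2
    sans=$(san_names "$kind" "$file")
    for name in "$@"; do
        printf '%s\n' "$sans" | grep -qx "$name" || return 1
    done
}

# Succeed when the CSR or certificate was made for this private key, by
# comparing SHA-256 fingerprints of the DER-encoded public keys.
# Usage: key_matches key.pem req|x509 file
key_matches() {
    local key_fp other_fp
    key_fp=$(openssl pkey -in "$1" -pubout -outform DER | openssl dgst -sha256)
    other_fp=$(openssl "$2" -in "$3" -noout -pubkey \
        | openssl pkey -pubin -outform DER | openssl dgst -sha256)
    [ "$key_fp" = "$other_fp" ]
}

# Succeed when the certificate expires within the given number of days, i.e.
# it is time to start the renewal request with ICT.
renewal_due() {
    local cert="$1" days="$2"
    ! openssl x509 -in "$cert" -noout -checkend "$((days * 86400))" >/dev/null
}

# Pre-submission run: config, key and CSR, then the checks to do before
# attaching server.csr to the ICT request. The CN is checked as a SAN too,
# since browsers only look at the SAN list. Usage: prepare_csr dir CN dns...
prepare_csr() {
    local dir="$1" cn="$2"; shift 2
    write_csr_config "$dir/server.cfg" "$cn" "$@"
    make_key_and_csr "$dir/server.cfg" "$dir/server.key" "$dir/server.csr"
    openssl req -in "$dir/server.csr" -noout -verify >/dev/null 2>&1
    key_matches "$dir/server.key" req "$dir/server.csr"
    covers_names req "$dir/server.csr" "$cn" "$@"
}

# Post-delivery run: the .pem must belong to our key and cover every
# server_name; then report the renewal check. Usage: check_cert key cert days dns...
check_cert() {
    local key="$1" cert="$2" days="$3"; shift 3
    key_matches "$key" x509 "$cert"
    covers_names x509 "$cert" "$@"
    if renewal_due "$cert" "$days"; then
        echo "renew: certificate expires within $days days"
    else
        echo "ok: certificate valid for more than $days days"
    fi
}

# Direct use, e.g.:
#   ./cert_check.sh /etc/ssl ruisdael.citg.tudelft.nl ruisdael.citg.tudelft.nl www.ruisdael.citg.tudelft.nl
[ "$#" -eq 0 ] || prepare_csr "$@"
```

<code>check_cert</code> is the step to run on the <code>.pem</code> from ICT before copying it into <code>/etc/ssl/certs/</code>; a key mismatch or a missing <code>server_name</code> shows up here instead of in a failed <code>nginx -t</code>. The renewal window check can also be run from cron against the installed certificate so the ICT request is filed well before the one-year expiry.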