SSL Certificates: Difference between revisions

From GRS Documentation Wiki

Latest revision as of 13:35, 2 July 2024

SSL Certificates
last updated 2024-04-03
relates to ruisdael-airflow.citg.tudelft.nl, ruisdael-elastic.citg.tudelft.nl, ruisdael-kibana.citg.tudelft.nl, ruisdael-server.citg.tudelft.nl, ruisdael-wiki.citg.tudelft.nl, ruisdael.citg.tudelft.nl, wiki01.grs.tudelft.nl

How to create and renew SSL certificates

Requirements

  • webserver (nginx)

Create the configuration file used to generate the CSR with the following structure. Be sure to change commonName, DNS.1 and DNS.2.

Create a configuration file with information about your server, e.g. ruisdael.cfg:

Place the configuration file inside /etc/ssl/ [1]

[ req ]
default_bits       = 2048
distinguished_name = req_distinguished_name
req_extensions     = req_ext
prompt             = no
[ req_distinguished_name ]
countryName                = NL
stateOrProvinceName        = Zuid-Holland
localityName               = Delft
organizationName           = Delft University of Technology
commonName                 = ruisdael.citg.tudelft.nl
[ req_ext ]
subjectAltName = @alt_names
[alt_names]
DNS.1   = ruisdael.citg.tudelft.nl
DNS.2   = www.ruisdael.citg.tudelft.nl

DNS.1 and DNS.2 need to be changed to the domain(s) for which you are creating the SSL certificate.

Generate DH parameters with OpenSSL (takes some time):

cd /etc/nginx/

openssl dhparam -out dhparam.pem 4096

Created a CSR (certificate signing request) from the config file:

Using the .cfg file, create the private key and the CSR:

openssl req -new -newkey rsa:2048 -nodes -keyout ruisdael.key -out ruisdael.csr -config ruisdael.cfg

Attach the resulting CSR to an ICT SSL request.

Wait for ICT response

(Received) Signed Certificate (*.pem)

ICT will send back the resulting certificate authority (CA) signed certificate, with a .pem extension.

Then:

Move SSL certificate *.pem to /etc/ssl/certs/

Move the private key (*.key, generated by the openssl command above) to /etc/ssl/private/
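The script below is an added example; it is not part of the GRS wiki page or of the ICT procedure. It writes a config file with the same layout as ruisdael.cfg, runs the same openssl req step, and then performs the checks worth doing before the files are moved into /etc/ssl: that the CSR really carries the intended subjectAltName entries, that the returned certificate's public key matches the private key, and how close the certificate is to expiry (the trigger for the renewal steps). ICT's signing cannot be run offline, so the script self-signs the CSR purely as a stand-in certificate for exercising those checks; the hostnames (*.example.test), file names and 30-day renewal window are constructed placeholders.

```shell
#!/bin/sh
# Added example, not part of the GRS wiki page or the ICT procedure: build the
# key and CSR the way the page does, then check the artefacts before they are
# installed under /etc/ssl. Hostnames (*.example.test) are constructed placeholders.
set -eu

# write_csr_config OUTFILE CN SAN1 SAN2 -- same layout as the page's ruisdael.cfg
write_csr_config() {
    cat > "$1" <<EOF
[ req ]
default_bits       = 2048
distinguished_name = req_distinguished_name
req_extensions     = req_ext
prompt             = no
[ req_distinguished_name ]
countryName                = NL
stateOrProvinceName        = Zuid-Holland
localityName               = Delft
organizationName           = Delft University of Technology
commonName                 = $2
[ req_ext ]
subjectAltName = @alt_names
[alt_names]
DNS.1   = $3
DNS.2   = $4
EOF
}

# make_key_and_csr CFG KEY CSR -- the page's openssl req step; the key file is
# restricted to its owner right away, before it is moved to /etc/ssl/private/
make_key_and_csr() {
    openssl req -new -newkey rsa:2048 -nodes -keyout "$2" -out "$3" -config "$1" 2>/dev/null
    chmod 600 "$2"
}

# csr_sans CSR -- the DNS names the CSR actually asks for, one per line
csr_sans() {
    openssl req -in "$1" -noout -text |
        awk '/Subject Alternative Name/ { getline; print; exit }' |
        tr ',' '\n' | sed -n 's/^ *DNS://p'
}

# key_matches_cert KEY CERT -- true when CERT was issued for the public half of KEY
key_matches_cert() {
    k=$(openssl pkey -in "$1" -pubout 2>/dev/null)
    c=$(openssl x509 -in "$2" -noout -pubkey 2>/dev/null)
    [ -n "$k" ] && [ "$k" = "$c" ]
}

# cert_expires_within CERT SECONDS -- true when CERT stops being valid within SECONDS
cert_expires_within() {
    if openssl x509 -in "$1" -noout -checkend "$2" >/dev/null 2>&1; then
        return 1
    fi
    return 0
}

# selfsign_stand_in CSR KEY CERT DAYS -- self-sign the CSR so the checks above can
# run offline; in the real procedure CERT is the .pem that ICT returns
selfsign_stand_in() {
    openssl x509 -req -in "$1" -signkey "$2" -days "$4" -out "$3" 2>/dev/null
}

main() {
    command -v openssl >/dev/null 2>&1 || { echo "openssl is required" >&2; exit 1; }
    work=$(mktemp -d)
    write_csr_config "$work/site.cfg" ruisdael.example.test \
        ruisdael.example.test www.ruisdael.example.test
    make_key_and_csr "$work/site.cfg" "$work/site.key" "$work/site.csr"
    echo "CSR asks for:"; csr_sans "$work/site.csr"
    selfsign_stand_in "$work/site.csr" "$work/site.key" "$work/site.pem" 365
    key_matches_cert "$work/site.key" "$work/site.pem" && echo "certificate matches site.key"
    if cert_expires_within "$work/site.pem" $((30 * 86400)); then
        echo "fewer than 30 days left: start the renewal steps"
    else
        echo "valid until: $(openssl x509 -in "$work/site.pem" -noout -enddate)"
    fi
    rm -rf "$work"
}
main
```

The SAN check is deliberately done on the CSR rather than on the stand-in certificate: openssl x509 -req does not copy requested extensions by default, whereas the certificate ICT returns is what should be compared against the CSR. The key/certificate comparison is the check to run on the real .pem before it goes into /etc/ssl/certs/; a mismatch there means nginx will fail to start with the pair.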

Webserver (nginx) configuration

Edit /etc/nginx/snippets/ruisdael.conf to point at the certificate (.pem) and the private key:

ssl_certificate /etc/ssl/certs/ruisdael_citg_tudelft_nl.pem;
ssl_certificate_key /etc/ssl/private/ruisdael.key;


Include snippets/ruisdael.conf in the nginx site config:

server {
    listen 443 ssl;
    listen [::]:443 ssl;
    include snippets/ruisdael.conf;
    include snippets/ssl-params.conf;

    root /data/reform/;
    index index.php index.html index.htm index.nginx-debian.html;
    server_name ruisdael.citg.tudelft.nl www.ruisdael.citg.tudelft.nl;

    location / {
        try_files $uri $uri/ =404;
    }
}

server {
    listen 80;
    listen [::]:80;
    server_name ruisdael.citg.tudelft.nl www.ruisdael.citg.tudelft.nl;
    return 301 https://$server_name$request_uri;
}


Ensure that /etc/nginx/snippets/ssl-params.conf includes the following content

ssl_protocols TLSv1.3;
ssl_prefer_server_ciphers on;
ssl_dhparam /etc/nginx/dhparam.pem;
ssl_ciphers EECDH+AESGCM:EDH+AESGCM;
ssl_ecdh_curve secp384r1;
ssl_session_timeout  10m;
ssl_session_cache shared:SSL:10m;
ssl_session_tickets off;
ssl_stapling on;
ssl_stapling_verify on;
resolver 8.8.8.8 8.8.4.4 valid=300s;
resolver_timeout 5s;
# Disable strict transport security for now. You can uncomment the following
# line if you understand the implications.
#add_header Strict-Transport-Security "max-age=63072000; includeSubDomains; preload";
add_header X-Frame-Options DENY;
add_header X-Content-Type-Options nosniff;
add_header X-XSS-Protection "1; mode=block";
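An added example (not from the wiki) that lints an ssl-params.conf snippet for the settings listed above before nginx -t is run. It reads directive values with comments stripped, so the commented-out Strict-Transport-Security line is correctly reported as inactive rather than as present, and it flags deprecated protocol versions, session tickets left on and stapling left off. The two files it writes are constructed samples: one mirrors the snippet above, the other is a weakened variant; the FAIL/WARN/INFO labels are the example's own convention.

```shell
#!/bin/sh
# Added example, not part of the GRS wiki: lint an nginx ssl-params.conf snippet
# for the settings the page asks for. Comments are stripped first, so a
# commented-out directive (like the HSTS line) is never mistaken for an active one.
set -eu

# directive_value FILE NAME -- value of the first active NAME directive, or empty
directive_value() {
    sed 's/#.*//' "$1" | awk -v n="$2" '
        $1 == n { sub(/;.*$/, ""); $1 = ""; sub(/^ +/, ""); print; exit }'
}

# check_ssl_params FILE -- print FAIL/WARN/INFO findings; return 1 on any FAIL
check_ssl_params() {
    rc=0
    protos=$(directive_value "$1" ssl_protocols)
    if [ -z "$protos" ]; then
        echo "FAIL ssl_protocols not set; the nginx default decides which versions are offered"
        rc=1
    else
        case " $protos " in
            *" SSLv3 "*|*" TLSv1 "*|*" TLSv1.1 "*)
                echo "FAIL ssl_protocols enables a deprecated version: $protos"; rc=1 ;;
        esac
    fi
    [ "$(directive_value "$1" ssl_session_tickets)" = "off" ] ||
        { echo "FAIL ssl_session_tickets must be off"; rc=1; }
    [ "$(directive_value "$1" ssl_stapling)" = "on" ] ||
        { echo "FAIL ssl_stapling must be on"; rc=1; }
    [ "$(directive_value "$1" ssl_stapling_verify)" = "on" ] ||
        { echo "FAIL ssl_stapling_verify must be on"; rc=1; }
    [ -n "$(directive_value "$1" ssl_dhparam)" ] ||
        echo "WARN ssl_dhparam not set (only matters when TLSv1.2 DHE suites are offered)"
    # only an uncommented add_header line counts as active HSTS
    grep -q '^[[:space:]]*add_header[[:space:]]*Strict-Transport-Security' "$1" ||
        echo "INFO Strict-Transport-Security is not active"
    return $rc
}

main() {
    work=$(mktemp -d)
    # constructed sample mirroring the page's snippet (HSTS still commented out)
    cat > "$work/hardened.conf" <<'EOF'
ssl_protocols TLSv1.3;
ssl_prefer_server_ciphers on;
ssl_dhparam /etc/nginx/dhparam.pem;
ssl_session_tickets off;
ssl_stapling on;
ssl_stapling_verify on;
#add_header Strict-Transport-Security "max-age=63072000; includeSubDomains; preload";
EOF
    # constructed weak variant: old protocol versions, tickets on, no stapling
    cat > "$work/weak.conf" <<'EOF'
ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
ssl_session_tickets on;
ssl_dhparam /etc/nginx/dhparam.pem;
EOF
    for f in hardened weak; do
        echo "== $f.conf"
        check_ssl_params "$work/$f.conf" || echo "-> fix before running nginx -t"
    done
    rm -rf "$work"
}
main
```

With ssl_protocols restricted to TLSv1.3, the ssl_ciphers and ssl_dhparam lines in the snippet only come into play for TLS 1.2 handshakes (TLS 1.3 cipher suites and key exchange groups are selected separately), so the checker treats a missing ssl_dhparam as a warning rather than a failure; it becomes relevant again as soon as TLSv1.2 is added back to ssl_protocols.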


If necessary, test the nginx configuration: nginx -t

Restart nginx: systemctl restart nginx

If necessary, open firewall ports 80 and 443: ufw allow 80; ufw allow 443

Renew Certificates

The signed certificates have a one-year lifespan. After that, ICT will ask you to renew the certificate.

Renewal is done by repeating the following steps:

  • "Created a CSR (certificate signing request) from the config file:"
  • "(Received) Signed Certificate (*.pem)"

References

  1. /etc/ssl/ is simply a conventional location, but it is best to keep the SSL cfg files in that directory so they can be found and reused when the certificates are renewed.