SSL Certificates
SSL Certificates | |
---|---|
last updated | 2024-04-03 |
relates to | ruisdael-airflow.citg.tudelft.nl, ruisdael-elastic.citg.tudelft.nl, ruisdael-kibana.citg.tudelft.nl, ruisdael-server.citg.tudelft.nl, ruisdael-wiki.citg.tudelft.nl, ruisdael.citg.tudelft.nl, wiki01.grs.tudelft.nl |
How to create and renew SSL certificates
Requirements
- webserver (nginx)
Create the configuration file (CSR) with the following structure. Ensure to change the commonName
, DNS.1
, DNS.2
create a CSR file with information about your server: ie. ruisdael.cfg
Place the configuration file inside /etc/ssl/
[1]
[ req ]
default_bits = 2048
distinguished_name = req_distinguished_name
req_extensions = req_ext
prompt = no
[ req_distinguished_name ]
countryName = NL
stateOrProvinceName = Zuid-Holland
localityName = Delft
organizationName = Delft University of Technology
commonName = ruisdael.citg.tudelft.nl
[ req_ext ]
subjectAltName = @alt_names
[alt_names]
DNS.1 = ruisdael.citg.tudelft.nl
DNS.2 = www.ruisdael.citg.tudelft.nl
DNS.1 and DNS.2 need to be changed to the domain for which you are trying to create an SSL certificate
Generate DH parameters with OpenSSL (takes some time):
cd /etc/nginx/
openssl dhparam -out dhparam.pem 4096
Created a CSR (certificate signing request) from the config file:
Using the .cfg file, create
openssl req -new -newkey rsa:2048 -nodes -keyout ruisdael.key -out ruisdael.csr -config ruisdael.cfg
Attach the resulting CSR to a ICT SSL request
Wait for ICT response
(Received) Signed Certificate (*.pem)
ICT will send back the resulting central authority (CA) signed certificate, with .pem extension
Then:
Move SSL certificate *.pem
to /etc/ssl/certs/
Move private keys (they was generated with the openssl command) *.key
to /etc/ssl/private/
Webserver (nginx) configuration
Edit /etc/nginx/snippets/ruisdael.conf
indicating the path of the certificate (.pem) and private key
ssl_certificate /etc/ssl/certs/ruisdael_citg_tudelft_nl.pem;
ssl_certificate_key /etc/ssl/private/ruisdael.key;
Include snippets/ruisdael.conf
in nginx site config:
server {
listen 443 ssl;
listen [::]:443 ssl;
include snippets/ruisdael.conf;
include snippets/ssl-params.conf;
root /data/reform/;
index index.php index.html index.htm index.nginx-debian.html;
server_name ruisdael.citg.tudelft.nl www.ruisdael.citg.tudelft.nl;
location / {
try_files $uri $uri/ =404;
}
}
server {
listen 80;
listen [::]:80;
server_name ruisdael.citg.tudelft.nl www.ruisdael.citg.tudelft.nl;
location / {
}
return 301 https://$server_name$request_uri;
}
Ensure that /etc/nginx/snippets/ssl-params.conf
includes the following content
ssl_protocols TLSv1.3;
ssl_prefer_server_ciphers on;
ssl_dhparam /etc/nginx/dhparam.pem;
ssl_ciphers EECDH+AESGCM:EDH+AESGCM;
ssl_ecdh_curve secp384r1;
ssl_session_timeout 10m;
ssl_session_cache shared:SSL:10m;
ssl_session_tickets off;
ssl_stapling on;
ssl_stapling_verify on;
resolver 8.8.8.8 8.8.4.4 valid=300s;
resolver_timeout 5s;
# Disable strict transport security for now. You can uncomment the following
# line if you understand the implications.
#add_header Strict-Transport-Security "max-age=63072000; includeSubDomains; preload";
add_header X-Frame-Options DENY;
add_header X-Content-Type-Options nosniff;
add_header X-XSS-Protection "1; mode=block";
If, necessary test nginx: nginx -t
restart nginx: systemctl restart nginx
If necessary, open firewall port 80 and 443: ufw allow 80
ufw allow 44
Renew Certificates
The signed certificates have 1-year life span. After that ICT will ask you to renew the certificate.
That can be achieved by following the steps:
- "Created a CSR (certificate signing request) from the config file:"
- "(Received) Signed Certificate (*.pem)"
References
- ↑
/etc/ssl/
is simply a convention location, but is best to keep the SSL cfg files in that directory, so they can be found and reused in the future to renew the certificates