SSL Certs – The Important Stuff

Posted bygutter007Posted inUncategorizedTags:, , ,

What is an SSL Cert?

First, Cert is short for certificate. An SSL Cert, or more accurately TLS cert, is essentially a public key, and private key, that allows a website, and its users to encrypt the data they send each other.

An SSL cert goes one step further, in that a trusted third party validates the certificate is valid. When a certificate is generated by a user and the public Certificate Authority (CA), the cert will consists of the following parts:

  • private key
  • Certificate Signing Request (CSR)
  • Certificate
  • Intermediate Security Chain

There a few different types of Certificates. In this case, we’ll focus on the most basic type you can get from a public certificate provider. Domain Validated (DV) – Single domain.

Creating a Cert Yourself

To generate a Cert yourself, you must first generate a public key and a Certificate Signing Request (CSR). The CSR contains encoded information about who is requesting the certificate, their location, and the domain name of the certificate.

When generating a certificate, you can use the openssl command in a terminal. It will prompt a user for the location, company name, and group name of the requestor. It will also ask for the Fully Qualified Domain Name (FQDN). This is the url of the certificate. The FQDN must match the domain it is using exactly. 

>> openssl req -new -newkey rsa:2048 -nodes -keyout <priate_key_path_and_name> -out <csr_path_and_name>
# EX:
>> openssl req -new -newkey rsa:2048 -nodes -keyout ~/certs/gobananas.example.com.key -out gobananas.example.com.csr

.....+......+........+...+...+.+.....+++++++++++++++++++++++++++++++++++++++*.+.+...+...+++++++++++++++++++++++++++++++++++++++*.......+..+.+............+...+...+.........+..+.++++++
.+....+..............+....+...........+......+.+.....+++++++++++++++++++++++++++++++++++++++*.........+++++++++++++++++++++++++++++++++++++++*....+.+...+..+....+...+..+.+........+.+...+...........+......+..........+...........+...+............++++++
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [AU]:US
State or Province Name (full name) [Some-State]:South Dakota
Locality Name (eg, city) []:Rapid City
Organization Name (eg, company) [Internet Widgits Pty Ltd]:Bananaanana
Organizational Unit Name (eg, section) []:IT
Common Name (e.g. server FQDN or YOUR name) []:gobananas.example.com
Email Address []:

Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:
An optional company name []:

The command above will create two files.

  • private key
  • Certificate Signing Request (CSR)

To create a certificate, you must take this information to a Trusted Authority, that will then generate a Certificate for you. There are many popular ones. Usually places that allow to register domains, also sell certificates.

  • DigiCert $$$
  • GoDaddy $$$
  • Comodo
  • Many Many More … use your googles.

There are also a number of free services as well.

A site will ask you to send them the CSR, (NOT THE PRIVATE CERTIFICATE). It will then validate that you are authorized to have a certificate for this site. There are a few ways to validate this:

  1. The certificate is being purchased at the same store that the domain was registered at.
  2. DNS – A text record will be generated, and it must be applied to the domains dns. This proves you have access to the DNS. DNS access proves you are the owner of the domain
  3. HTML – a small block of HTML code must be served by your application website. This proves you have access to the application server, which can only be found if the DNS is set correctly, therefore you are the owner of the domain.

After submission, the Certificate Authority will generate the certificate. You can then download the Cert.

The Issued Certificate will contain 2 parts:

  1. Primary Certificate
  2. Intermediate Certificate

What do I do with the Certificate?

This is where things can get tricky. Every web server, or hosting provider seems to do things a little bit differently. That makes the types of certificates, types of encryption, the format of the key and certificate files can all be a little different, making setup difficult. I’ll show an example using nginx server. It you are using something different, please review the documentation of the server tools for details.

NGINX:

To configure your nginx server, you will have to update the server block as follows:

server {

listen   443;

ssl    on;
ssl_certificate    /etc/ssl/merged_crt_and_intermediate.crt;
ssl_certificate_key    /etc/ssl/ssl_private.key;

To create the merged_crt_and_intermediate.pem file, you must concatenate the certifcate file with intermediate certificates

>> cat ssl_crt.crt intermediate_crt > merged_crt_and_intermediate.crt

The private key generated earlier and the new merged_crt file need to be placed on the server in the /etc/ssl/ directory.

Restart nginx, then ssl should be working on the server configured. 

Validation – How Do I Know It’s Working?!

So the certificate is generated, and it is installed correctly, and the server starts up correctly, how do you know it’s working correctly?

>> curl -lv https://gobanana.example.com -o /dev/null

This command fetches the site banana.example.com, It prints out all of the headers, and ssl information, and the body of the site is NOT displayed. This makes it easy to view the certificate.

It will print out a lot of info, but this is the block you are looking for:

* SSL connection using TLSv1.3 / AEAD-CHACHA20-POLY1305-SHA256
* ALPN: server accepted h2
* Server certificate:
*  subject: CN=gobanana.example.com
*  start date: Dec 20 04:58:36 2023 GMT
*  expire date: Mar 19 04:58:35 2024 GMT
*  subjectAltName: host "banana.example.com" matched cert's "gobanana.example.com"
*  issuer: C=US; O=Let's Encrypt; CN=R3
*  SSL certificate verify ok.

Review this to make sure that the date, issuer, and subject and subjectAltName, match what you expect the cert to be.

If this is not the base, you must troubleshoot the cert. Possible reasons for it not being correct:

  1. subject doesn’t match the cert installed
  2. The server was not restarted, so it is still using an old cert
  3. There is a proxy server in front of the server, using a different certificate.
  4. The server was not configured properly.

Leave a comment