Buy
Buy an SSL cert, I'm getting a Positive SSL for 3 years ($5/yr): https://www.ssls.com/
- Pay it up, get the credit on your account
Generate your CSR (the _key file is your private key: it stays on the server and never goes into the CA's form or an email, only the CSR does)
openssl genrsa 2048 > shortgirls.net_key
openssl req -new -key shortgirls.net_key -out shortgirls.net_csr
- Paste it in and click through for validation
- I chose to validate the domain by uploading a file
- I downloaded the file, uploaded it, now what..?
- Wait a little while, you'll get a change in the UI and an email with your cert in it
Install
- Concatenate the cert and the bundle, in that order: your leaf cert first, then the intermediate(s). nginx sends the file's certs in file order and clients expect the leaf first.
Dump the files in a directory, like /etc/ssl/, and make the key readable by root only (chmod 600); the concatenated cert file can stay world-readable.
Do the nginx config
server {
    listen 80;
    listen 443 ssl;
    server_name shortgirls.net;
    ...
    # no "ssl on;" here: it would force TLS on the port-80 listener as well, so plain HTTP would break; the ssl flag on listen is enough
    ssl_certificate /etc/ssl/shortgirls.net_crt;
    ssl_certificate_key /etc/ssl/shortgirls.net_key;
    ssl_stapling on;
    ssl_stapling_verify on;
    resolver 8.8.8.8 8.8.4.4;
    include /etc/nginx/fragment/gzip;
}
Test the config (nginx -t), then reload nginx. Add session caching and whatnot if you want: http://nginx.org/en/docs/http/configuring_https_servers.html#optimization
- Test: check from outside what the server actually serves (full chain, OCSP staple), e.g. with openssl s_client or an online scanner.
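The checks worth running on the concatenated file before pointing nginx at it, as an added example that is not part of the original notes. It is a POSIX shell script that assumes openssl on PATH; make_test_pki builds a constructed throwaway CA and leaf so the checks run offline in place of the real PositiveSSL cert and bundle (with a real bundle you use the issued files directly and skip it), the file names mirror the notes, and live_check is for after the server is up.

```shell
#!/bin/sh
# Added example, not from the notes: build the nginx cert file and sanity-check
# it.  Every function returns 0 on success, non-zero on a problem.

# Constructed stand-in for the CA: a self-signed "bundle" plus a leaf for the
# server_name signed by it.  Real use: you already have shortgirls.net_key,
# the issued cert and the CA bundle from the e-mail; skip this.
make_test_pki() {   # make_test_pki dir
    dir=$1
    mkdir -p "$dir"
    openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 1 \
        -subj "/CN=Constructed Test CA" \
        -keyout "$dir/ca.key" -out "$dir/bundle.crt" 2>/dev/null
    openssl genrsa -out "$dir/shortgirls.net_key" 2048 2>/dev/null
    openssl req -new -sha256 -key "$dir/shortgirls.net_key" \
        -subj "/CN=shortgirls.net" -out "$dir/shortgirls.net_csr" 2>/dev/null
    openssl x509 -req -sha256 -days 1 -in "$dir/shortgirls.net_csr" \
        -CA "$dir/bundle.crt" -CAkey "$dir/ca.key" -CAcreateserial \
        -out "$dir/shortgirls.net.crt" 2>/dev/null
}

# "Concatenate the cert and the bundle, in that order": leaf first, then the
# intermediate(s).  nginx sends them in file order; clients expect the leaf first.
build_chain() {   # build_chain leaf.crt bundle.crt out_file
    cat "$1" "$2" > "$3"
    chmod 644 "$3"
}

# The private key must belong to the cert in the chain file.  A mismatch is the
# classic "key values mismatch" error at nginx startup, so catch it here.
# Both commands print the same SubjectPublicKeyInfo PEM when they match.
key_matches_cert() {   # key_matches_cert key_file cert_or_chain_file
    k=$(openssl pkey -in "$1" -pubout 2>/dev/null)
    c=$(openssl x509 -in "$2" -noout -pubkey 2>/dev/null)
    [ -n "$k" ] && [ "$k" = "$c" ]
}

# The chain file must start with the leaf for the server_name, contain the
# bundle as well, and the leaf must verify against the bundle.  openssl x509
# reads only the first cert of the file, which is exactly what we want here.
# With a real intermediate-only bundle pass it as -untrusted and let the
# system trust store supply the root instead of -CAfile.
chain_is_sane() {   # chain_is_sane chain_file server_name bundle_file
    first_subject=$(openssl x509 -in "$1" -noout -subject 2>/dev/null)
    case "$first_subject" in
        *"$2"*) ;;
        *) echo "first cert is not the leaf: $first_subject" >&2; return 1 ;;
    esac
    n=$(grep -c 'BEGIN CERTIFICATE' "$1")
    [ "$n" -ge 2 ] || { echo "only $n cert(s) in chain file, bundle missing?" >&2; return 1; }
    openssl x509 -in "$1" 2>/dev/null | openssl verify -CAfile "$3" >/dev/null 2>&1
}

# Once deployed (run from another machine): what the server really sends.
# Expect the leaf and the intermediate under "Certificate chain", and with
# stapling working a line "OCSP Response Status: successful (0x0)" rather than
# "OCSP response: no response sent".
live_check() {   # live_check hostname
    openssl s_client -connect "$1:443" -servername "$1" -status </dev/null 2>/dev/null \
        | grep -E 'Certificate chain| s:|OCSP|Verify return code'
}

# Walk-through on the constructed PKI.
demo() {
    d=${TMPDIR:-/tmp}/ssl-notes-demo.$$
    make_test_pki "$d"
    build_chain "$d/shortgirls.net.crt" "$d/bundle.crt" "$d/shortgirls.net_crt"
    key_matches_cert "$d/shortgirls.net_key" "$d/shortgirls.net_crt" \
        && chain_is_sane "$d/shortgirls.net_crt" shortgirls.net "$d/bundle.crt" \
        && echo "chain file OK: $d/shortgirls.net_crt"
}

case "${1:-}" in demo) demo ;; esac
```

Run it as `sh check-chain.sh demo` to see the constructed case pass; for the real files call build_chain, key_matches_cert and chain_is_sane on the cert and bundle you received, then live_check shortgirls.net once nginx is reloaded.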
Improvements
Useful site: https://timtaubert.de/blog/2014/10/deploying-tls-the-hard-way/
Still to figure out what to make of:
OCSP stapling
http://nginx.org/en/docs/http/ngx_http_ssl_module.html#ssl_stapling
Exactly which certs need to be where: stapling itself only needs the issuer (intermediate) cert, which the concatenated cert+bundle in ssl_certificate already provides. ssl_stapling_verify additionally needs the intermediate(s) and the root in a file given to ssl_trusted_certificate, because nginx verifies the OCSP response against that file, not against ssl_certificate. Verify from outside with openssl s_client -status: a working staple shows "OCSP Response Status: successful", otherwise "no response sent" (the first request after a reload may still show none, nginx fetches the response lazily).
HSTS
Should be as easy as adding a header (Strict-Transport-Security: max-age=...). Best to split the http and https server blocks in the config, redirect port 80 to HTTPS always, and send the header only from the https block: browsers ignore it over plain HTTP. Start with a short max-age and only add includeSubDomains once every subdomain really serves TLS, because a policy that clients have cached cannot be recalled.
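The split http/https config described above, written out and checked, as an added example that is not the notes' own config. The max-age (six months) and the always flag on add_header are my choices; the checker is a plain awk pass over the file that confirms the redirect lives in the port-80 block and the HSTS header only in the 443 block, it does not replace nginx -t for syntax.

```shell
#!/bin/sh
# Added example, not from the notes: split server blocks for HSTS and a check
# that the header is only sent over HTTPS.

# Write the two server blocks.  Quoted heredoc so $host/$request_uri reach
# nginx untouched.
write_split_config() {   # write_split_config out_file
    cat > "$1" <<'EOF'
# HTTP: nothing but a redirect.  No HSTS header here, browsers ignore it on
# plain HTTP and an attacker on the path could strip it anyway.
server {
    listen 80;
    server_name shortgirls.net;
    return 301 https://$host$request_uri;
}

# HTTPS: the real site.  The header goes here and only here.
server {
    listen 443 ssl;
    server_name shortgirls.net;
    ssl_certificate /etc/ssl/shortgirls.net_crt;
    ssl_certificate_key /etc/ssl/shortgirls.net_key;
    # 6 months.  Use something like 300 while testing: clients cache the policy
    # and a bad one cannot be recalled.  Add includeSubDomains only once every
    # subdomain serves TLS.  "always" sends it on error responses too.
    add_header Strict-Transport-Security "max-age=15768000" always;
    # rest of the site config (root, locations, stapling, ...) goes here
}
EOF
}

# Walk the file server block by server block, remembering which port the
# current block listens on.  Pass only if: the :80 block redirects to https,
# the :443 block sends the header, and the :80 block does not.
check_split_config() {   # check_split_config nginx.conf
    awk '
        /^[[:space:]]*server[[:space:]]*[{]/          { port = "" }
        /^[[:space:]]*listen[[:space:]]+80;/          { port = 80 }
        /^[[:space:]]*listen[[:space:]]+443[[:space:]]+ssl/ { port = 443 }
        /Strict-Transport-Security/ {
            if (port == 443) hsts_https = 1; else hsts_http = 1
        }
        /return[[:space:]]+301[[:space:]]+https:/ { if (port == 80) redirect = 1 }
        END {
            if (hsts_https && redirect && !hsts_http) exit 0
            exit 1
        }
    ' "$1"
}

# Usage: write the fragment and check it before dropping it into nginx.
demo() {
    f=${TMPDIR:-/tmp}/shortgirls.net.hsts.conf
    write_split_config "$f"
    if check_split_config "$f"; then
        echo "$f: redirect on :80, HSTS only on :443"
    else
        echo "$f: HSTS/redirect layout is wrong" >&2
        return 1
    fi
}

case "${1:-}" in demo) demo ;; esac
```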
HPKP
More headers? Caveat: HPKP has since been deprecated and removed from Chrome and Firefox, and a wrong or lost pin locks every client that cached it out of the site for the whole max-age. Not worth deploying; the links below are kept for reference.
https://timtaubert.de/blog/2014/10/deploying-tls-the-hard-way/
https://developer.mozilla.org/en-US/docs/Web/Security/Public_Key_Pinning