SslTlsCertificates

Revision 3 as of 2015-07-29 03:44:16

Contents

  1. Buy
  2. Install
  3. Improvements
    1. OCSP stapling
    2. HSTS
    3. HPKP

Buy

  1. Buy an SSL cert, I'm getting a Positive SSL for 3 years ($5/yr): https://www.ssls.com/

    • Pay it up, get the credit on your account
  2. Generate your CSR

        # 2048-bit RSA private key, written as PEM to stdout; keep this file readable by root only
        openssl genrsa 2048 > shortgirls.net_key
        # CSR signed with that key; openssl prompts for the subject fields (CN = the hostname)
        openssl req -new -key shortgirls.net_key -out shortgirls.net_csr
  3. Paste it in and click through for validation
  4. I chose to validate the domain by uploading a file
  5. I downloaded the file, uploaded it, now what..?
    • Wait a little while, you'll get a change in the UI and an email with your cert in it

Install

  1. Concatenate the cert and the bundle, in that order
  2. Dump the files in a directory, like /etc/ssl/

  3. Do the nginx config

        server {
            listen 80;
            listen 443 ssl;
    
            server_name shortgirls.net ;
    
            ...
    
            # No "ssl on;" here: the ssl parameter on "listen 443" enables TLS for that
            # port only, whereas "ssl on;" applies to every listen socket in the block
            # and would make port 80 reject plain HTTP requests.
            # The cert file is the leaf cert followed by the CA bundle, concatenated in that order.
            ssl_certificate     /etc/ssl/shortgirls.net_crt;
            ssl_certificate_key /etc/ssl/shortgirls.net_key;
    
            # ssl_stapling_verify checks the OCSP response signature against the issuer
            # chain; nginx takes that chain from ssl_trusted_certificate (see the OCSP
            # stapling section below).
            ssl_stapling on;
            ssl_stapling_verify on;
            resolver 8.8.8.8 8.8.4.4;
    
            include /etc/nginx/fragment/gzip;
        }
    • Restart nginx; add session caching and other optimisations if you want: http://nginx.org/en/docs/http/configuring_https_servers.html#optimization

  4. Test:
    • https://weakdh.org/sysadmin.html

    • https://ssllabs.com/ssltest/

    • http://checkgzipcompression.com/

    • http://gzipwtf.com/

Improvements

Useful site: https://timtaubert.de/blog/2014/10/deploying-tls-the-hard-way/

Now figured out what to make of...

OCSP stapling

http://nginx.org/en/docs/http/ngx_http_ssl_module.html#ssl_stapling

Exactly which certs need to be where is unclear

HSTS

Should be as easy as adding a header; it's best to split your http/https server blocks in the config and always redirect to HTTPS.
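Added example, not from the original page: the split http/https layout described above, with the HSTS header and the stapling setup from the OCSP stapling section in one place. It reuses the cert and key paths from the Install section; /etc/ssl/shortgirls.net_chain (intermediates plus root, for stapling verification) is an assumed file name.

```nginx
# Plain-HTTP block: its only job is to send everything to HTTPS.
server {
    listen 80;
    server_name shortgirls.net;
    return 301 https://$host$request_uri;
}

# HTTPS block: certificates, OCSP stapling and the HSTS header live here.
server {
    listen 443 ssl;
    server_name shortgirls.net;

    # Leaf certificate followed by the CA bundle, concatenated in that order.
    ssl_certificate     /etc/ssl/shortgirls.net_crt;
    ssl_certificate_key /etc/ssl/shortgirls.net_key;

    # Optional session cache (see the nginx optimisation link in Install).
    ssl_session_cache shared:SSL:10m;

    # OCSP stapling. With ssl_stapling_verify on, nginx validates the responder's
    # signature against the issuer chain it reads from ssl_trusted_certificate
    # (intermediates plus root). The file name is an assumption for this example.
    ssl_stapling on;
    ssl_stapling_verify on;
    ssl_trusted_certificate /etc/ssl/shortgirls.net_chain;
    resolver 8.8.8.8 8.8.4.4;

    # HSTS: a browser that has seen this header refuses plain HTTP for max-age
    # seconds. Start with a short max-age while testing and raise it once the
    # redirect works; add includeSubDomains only when every subdomain serves HTTPS.
    # "always" makes nginx send the header on error responses too. Note that a
    # location block with its own add_header does not inherit this one.
    add_header Strict-Transport-Security "max-age=31536000; includeSubDomains" always;

    include /etc/nginx/fragment/gzip;
}
```

Check the result with `curl -sI http://shortgirls.net/` (expect a 301 to https) and `curl -sI https://shortgirls.net/ | grep -i strict`; the ssllabs test from the Install section reports stapling and HSTS status as well.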

HPKP

More headers?

https://timtaubert.de/blog/2014/10/deploying-tls-the-hard-way/

https://developer.mozilla.org/en-US/docs/Web/Security/Public_Key_Pinning
