= Buy =

 1. Buy an SSL cert, I'm getting a Positive SSL for 3 years ($5/yr): https://www.ssls.com/
    * Pay it up, get the credit on your account
 2. Generate your CSR
{{{
# 2048-bit RSA private key, then a CSR signed with it (the CSR is what you paste into the CA's form)
openssl genrsa 2048 > shortgirls.net_key
openssl req -new -key shortgirls.net_key -out shortgirls.net_csr
}}}
 3. Paste it in and click through for validation
 4. I chose to validate the domain by uploading a file
 5. I downloaded the file, uploaded it, now what..?
    * Wait a little while, you'll get a change in the UI and an email with your cert in it

= Install =

 1. Concatenate the cert and the bundle, in that order
 2. Dump files in a directory, like `/etc/ssl/`
 3. Do the nginx config
{{{
server {
    listen 80;
    listen 443 ssl;
    server_name shortgirls.net;
    ...
    # no "ssl on;" here: with "listen 80;" in the same block it would force TLS on port 80 too;
    # "listen 443 ssl;" already enables TLS on 443
    ssl_certificate /etc/ssl/shortgirls.net_crt;       # cert + bundle, concatenated in that order
    ssl_certificate_key /etc/ssl/shortgirls.net_key;
    ssl_stapling on;
    ssl_stapling_verify on;                             # verification needs the CA chain, see OCSP stapling below
    resolver 8.8.8.8 8.8.4.4;                           # used to look up the OCSP responder
    include /etc/nginx/fragment/gzip;
}
}}}
Restart nginx, add session caching and whatnot if you want: http://nginx.org/en/docs/http/configuring_https_servers.html#optimization
 4. Test:
    * https://weakdh.org/sysadmin.html
    * https://ssllabs.com/ssltest/
    * http://checkgzipcompression.com/
    * http://gzipwtf.com/

= Improvements =

Useful site: https://timtaubert.de/blog/2014/10/deploying-tls-the-hard-way/

Not yet figured out what to make of...

== OCSP stapling ==

http://nginx.org/en/docs/http/ngx_http_ssl_module.html#ssl_stapling

Exactly which certs need to be where is unclear.

== HSTS ==

Should be as easy as adding a header; best to split your http/https blocks in the config and redirect to HTTPS always.

== HPKP ==

More headers? https://timtaubert.de/blog/2014/10/deploying-tls-the-hard-way/
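As an added example (not config from this page), here is how the Install step 3 config looks once the http/https blocks are split as the HSTS section suggests, with the OCSP stapling question answered: `ssl_certificate` gets the concatenated cert + bundle, `ssl_trusted_certificate` gets the bundle alone. It assumes the file names from the page plus an assumed `/etc/ssl/shortgirls.net_bundle` holding the CA bundle the CA emailed.

```nginx
# Added example, not the page's own config. Assumes /etc/ssl/shortgirls.net_crt
# is the leaf cert followed by the CA bundle (in that order) and that
# /etc/ssl/shortgirls.net_bundle (assumed name) is the CA bundle on its own.

# Plain HTTP: no ssl_* directives here, only a permanent redirect to HTTPS.
# Splitting the blocks is what lets "ssl on" / HSTS never touch port 80.
server {
    listen 80;
    server_name shortgirls.net;
    return 301 https://$host$request_uri;
}

server {
    listen 443 ssl;
    server_name shortgirls.net;

    # Leaf cert first, then the intermediate bundle; nginx sends this chain.
    ssl_certificate     /etc/ssl/shortgirls.net_crt;
    ssl_certificate_key /etc/ssl/shortgirls.net_key;

    # OCSP stapling. ssl_stapling_verify checks the stapled response against
    # ssl_trusted_certificate, which must hold the intermediates and the root
    # (append the root cert to the bundle if the CA's bundle does not include it).
    ssl_stapling on;
    ssl_stapling_verify on;
    ssl_trusted_certificate /etc/ssl/shortgirls.net_bundle;
    resolver 8.8.8.8 8.8.4.4 valid=300s;
    resolver_timeout 5s;

    # Session caching from the nginx optimization guide linked above.
    ssl_session_cache shared:SSL:10m;
    ssl_session_timeout 10m;

    # HSTS: sent only from the HTTPS block. Start with a short max-age and
    # raise it only after the redirect and the cert chain test clean, because
    # browsers keep the pin for that long even if the cert later breaks.
    add_header Strict-Transport-Security "max-age=300" always;

    include /etc/nginx/fragment/gzip;
}
```

After reloading, the SSL Labs test listed above reports whether the stapled OCSP response was accepted and whether the chain is complete, which is the quickest way to confirm the two cert files are in the right places.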