## page was renamed from SslTesting <> = Buy = 1. Buy an SSL cert, I'm getting a PositiveSSL Wildcard for 5 years ($39 USD/yr): https://www.ssls.com/ 2. Let them generate the key and CSR, it's easier 3. Get the domain ownership verification email sent to admin@thighhighs.top and follow the steps to enter the verification code 4. Wait for domain validation to happen on their backend 5. Download the archive containing the cert and CA chain bundle = Install = Updated for November 2025, there's some small changes to my environment, and the files that I get from the provider. Notably, the trust root is now "Sectigo Public Server Authentication Root R46" (a completely different chain compared to last year). And although that root is trusted by my browser, the cert bundle actually includes a higher CA that has signed it for trust: USERTrust RSA Certification Authority. That cert is self-signed and included in the bundle. What's also interesting is that last year, the bundle included a CA about ''that'' one, being signed by AAA Certificate Services. Anyway it doesn't matter now. 1. Copy the new key, cert, and chain ("bundle") to the server, probably illustrious, to `/etc/ssl` using date-based filenames: {{{ STAR_thighhighs_top.key.2025 STAR_thighhighs_top.crt.2025 STAR_thighhighs_top.ca-bundle.2025 }}} 2. Concatenate the cert and the chain/bundle, in that order, this is a general purpose cert file now (apps that only want the leaf cert will just read the first cert in the file) {{{ cat STAR_thighhighs_top.crt.2025 STAR_thighhighs_top.ca-bundle.2025 > STAR_thighhighs_top.crtbundled.2025 }}} 3. Generate the .p12 file for things that might need it, one of these will do. I only just figured out how to include the chain in the p12 {{{ # no chain in P12 openssl pkcs12 -export -legacy \ -inkey STAR_thighhighs_top.key.2025 \ -in STAR_thighhighs_top.crt.2025 \ -out STAR_thighhighs_top.p12.2025 \ -name unifi -password pass:unifi # with chain in P12 openssl pkcs12 -export -legacy \ -chain -untrusted STAR_thighhighs_top.ca-bundle.2025 \ -inkey STAR_thighhighs_top.key.2025 \ -in STAR_thighhighs_top.crt.2025 \ -out STAR_thighhighs_top.p12.2025 \ -name unifi -password pass:unifi }}} 4. Update all the symlinks for apps that use certs {{{ ln -sf STAR_thighhighs_top.ca-bundle.2025 STAR_thighhighs_top.ca-bundle ln -sf STAR_thighhighs_top.crt.2025 STAR_thighhighs_top.crt ln -sf STAR_thighhighs_top.crtbundled.2025 STAR_thighhighs_top.crtbundled ln -sf STAR_thighhighs_top.key.2025 STAR_thighhighs_top.key ln -sf STAR_thighhighs_top.p12.2025 STAR_thighhighs_top.p12 }}} 5. Go fix up configs or restart services that use the cert * Pihole with lighttpd: [[servers/calico#TLS_support]] * Caddy: `systemctl restart caddy` * nginx support {{{ server { listen 80; listen 443 ssl; server_name thighhighs.top ; ... ssl on; ssl_certificate /etc/ssl/STAR_thighhighs_top.combined.pem; ssl_certificate_key /etc/ssl/STAR_thighhighs_top.key; ssl_stapling on; ssl_stapling_verify on; resolver 8.8.8.8 8.8.4.4; include /etc/nginx/fragment/gzip; } }}} Restart nginx, add session caching and whatnot if you want: http://nginx.org/en/docs/http/configuring_https_servers.html#optimization * Fix up the Unifi controller, these notes are a bit stale as it's not containerised, but it's basically correct: [[UnifiController#A_real_signed_SSL_cert_for_the_controller]] * The Synology NAS uses individual key/cert/chain files; instead of Action-Renew just use Add-Replace; set it as the default system cert * Update fenny as well, the Asustor Flashstor NAS. Its interface is surprisingly almost identical to Synology: Add, Replace, Import, upload the three files 6. Test: * https://ssllabs.com/ssltest/ * https://weakdh.org/sysadmin.html = Improvements = Useful site: https://timtaubert.de/blog/2014/10/deploying-tls-the-hard-way/ Now figured out what to make of... == OCSP stapling == http://nginx.org/en/docs/http/ngx_http_ssl_module.html#ssl_stapling Exactly which certs need to be where is unclear == HSTS == Should be as easy as adding a header, best to split your http/https blocks in the config and redirect to HTTPS always.