# SSL/TLS Certificates

Secure communication with properly configured SSL/TLS certificates.

## Certificate Types

| Type | Validation | Use Case |
|---|---|---|
| DV (Domain) | Domain ownership | Basic encryption |
| OV (Organization) | Company verification | Business sites |
| EV (Extended) | Thorough vetting | Financial/e-commerce |
| Wildcard | *.domain.com | Multiple subdomains |
| SAN | Multiple domains | Multi-domain certs |

## Generate Certificates

### Self-Signed (Development)

```bash
# Generate private key and certificate
openssl req -x509 -nodes -days 365 -newkey rsa:4096 \
  -keyout server.key -out server.crt \
  -subj "/CN=localhost/O=Dev/C=US"

# Generate with SAN
openssl req -x509 -nodes -days 365 -newkey rsa:4096 \
  -keyout server.key -out server.crt \
  -subj "/CN=example.com" \
  -addext "subjectAltName=DNS:example.com,DNS:www.example.com"
```

### CSR for CA-Signed

```bash
# Generate key and CSR
openssl req -new -newkey rsa:4096 -nodes \
  -keyout server.key -out server.csr \
  -subj "/CN=example.com/O=Company/C=US"

# View CSR
openssl req -text -noout -in server.csr
```

## Let's Encrypt (Recommended)

### Certbot

```bash
# Install certbot
sudo apt install certbot python3-certbot-nginx

# Obtain certificate and configure nginx
sudo certbot --nginx -d example.com -d www.example.com

# Certificate only (no nginx config)
sudo certbot certonly --webroot -w /var/www/html -d example.com

# Test renewal without replacing the installed certificates (dry run)
sudo certbot renew --dry-run
```

### Auto-Renewal

```bash
# Certbot creates a systemd timer automatically
sudo systemctl status certbot.timer

# Manual cron (if needed): attempt renewal twice a day
0 0,12 * * * certbot renew --quiet
```

## Verify Certificates

```bash
# View certificate details
openssl x509 -text -noout -in server.crt

# Check expiration
openssl x509 -enddate -noout -in server.crt

# Verify certificate chain
openssl verify -CAfile ca-bundle.crt server.crt

# Test remote TLS (SNI set with -servername)
openssl s_client -connect example.com:443 -servername example.com
```

## TLS Best Practices

```nginx
# Strong cipher configuration (nginx)
ssl_protocols TLSv1.2 TLSv1.3;
ssl_ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256;
ssl_prefer_server_ciphers on;

# HSTS header
add_header Strict-Transport-Security "max-age=31536000; includeSubDomains" always;

# OCSP Stapling
ssl_stapling on;
ssl_stapling_verify on;
```

## Certificate Storage

```bash
# Secure key permissions: private key readable by root only
chmod 600 /etc/ssl/private/server.key
chmod 644 /etc/ssl/certs/server.crt
chown root:root /etc/ssl/private/server.key
```
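A check for the key and certificate permissions set above, written as an added example for this cheat sheet (it is not code from the page or from OpenSSL). The function names, the placeholder key contents and the temporary-directory demo are constructed; the expected modes 0600 and 0644 and the root ownership come from the commands above. The demo uses the current user as the expected owner so it runs unprivileged; on a real host you would pass the default (uid 0).

```python
import os
import stat
import tempfile

# Expected modes from the cheat sheet: private key 0600, public certificate 0644.
KEY_MODE = 0o600
CERT_MODE = 0o644


def check_file_permissions(path: str, expected_mode: int, expected_uid: int = 0) -> list[str]:
    """Return findings for a key or certificate file whose mode or owner is wider
    than expected. expected_uid defaults to 0 (root), matching `chown root:root`.
    An empty list means the file is as tight as the cheat sheet recommends."""
    findings = []
    st = os.lstat(path)
    if stat.S_ISLNK(st.st_mode):
        # lstat does not follow links; the target's permissions are what matter.
        return ["is a symlink; check the target instead"]
    mode = stat.S_IMODE(st.st_mode)
    extra = mode & ~expected_mode          # bits granted beyond the expected mode
    if extra:
        findings.append(f"mode {mode:04o} grants more than {expected_mode:04o} (extra bits {extra:04o})")
    if st.st_uid != expected_uid:
        findings.append(f"owned by uid {st.st_uid}, expected uid {expected_uid}")
    return findings


def demo() -> dict[str, list[str]]:
    """Constructed demo: create a key file with a permissive mode, check it, apply the
    chmod 600 from the cheat sheet, and check again. Returns both result lists."""
    me = os.getuid()
    results = {}
    with tempfile.TemporaryDirectory() as d:
        key = os.path.join(d, "server.key")
        with open(key, "w") as f:
            # Placeholder contents, not a real key.
            f.write("-----BEGIN PRIVATE KEY-----\nconstructed-placeholder\n-----END PRIVATE KEY-----\n")
        os.chmod(key, 0o644)                 # the mistake: private key readable by everyone
        results["before"] = check_file_permissions(key, KEY_MODE, me)
        os.chmod(key, KEY_MODE)              # the fix: chmod 600
        results["after"] = check_file_permissions(key, KEY_MODE, me)
    return results


if __name__ == "__main__":
    for stage, findings in demo().items():
        print(stage, findings or "OK")
```

Run it on a real host as `check_file_permissions("/etc/ssl/private/server.key", KEY_MODE)` to get the root-owner check as well; the same call with `CERT_MODE` covers the public certificate.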
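The checks under Verify Certificates above (expiry, and whether the name you connect with is covered by the certificate's SAN list, including the wildcard and SAN types from the table) as a small monitoring script. This is an added example, not code from the page; it uses only the Python standard library. The sample certificate dict, the fixed clock `NOW` and the function names are constructed; the dict mirrors the shape `ssl.SSLSocket.getpeercert()` returns, and `fetch_peer_cert` is the live equivalent of the `openssl s_client` command (it needs network access and is not used by the offline demo).

```python
import socket
import ssl
from datetime import datetime, timedelta, timezone


def parse_cert_time(value: str) -> datetime:
    """Parse a certificate time such as 'Jun 30 12:00:00 2030 GMT', the format printed by
    `openssl x509 -enddate` and returned by getpeercert(). A leading 'notAfter=' or
    'notBefore=' prefix from the CLI output is accepted and dropped."""
    value = value.strip().split("=", 1)[-1].strip()
    if value.endswith(" GMT"):
        value = value[:-4]
    return datetime.strptime(value, "%b %d %H:%M:%S %Y").replace(tzinfo=timezone.utc)


def days_until_expiry(not_after: str, now: datetime) -> int:
    """Whole days from `now` until notAfter; negative once the certificate has expired."""
    return (parse_cert_time(not_after) - now) // timedelta(days=1)


def hostname_matches(pattern: str, hostname: str) -> bool:
    """Match one SAN DNS entry against a hostname the way browsers do: a wildcard is only
    honoured as the whole leftmost label and covers exactly one label, so *.example.com
    matches www.example.com but not example.com or a.b.example.com."""
    pattern, hostname = pattern.lower().rstrip("."), hostname.lower().rstrip(".")
    if not pattern.startswith("*."):
        return pattern == hostname
    p_labels, h_labels = pattern.split("."), hostname.split(".")
    return (len(p_labels) == len(h_labels)
            and h_labels[0] != ""
            and p_labels[1:] == h_labels[1:])


def check_certificate(cert: dict, hostname: str, now: datetime, warn_days: int = 30) -> list[str]:
    """Return findings for a getpeercert()-style dict: expired, expiring within
    `warn_days`, or not valid for `hostname`. An empty list means it passed."""
    findings = []
    days = days_until_expiry(cert["notAfter"], now)
    if days < 0:
        findings.append(f"expired {-days} days ago")
    elif days < warn_days:
        findings.append(f"expires in {days} days")
    san_names = [value for kind, value in cert.get("subjectAltName", ()) if kind == "DNS"]
    if not any(hostname_matches(name, hostname) for name in san_names):
        findings.append(f"no subjectAltName DNS entry matches {hostname}")
    return findings


def fetch_peer_cert(host: str, port: int = 443, timeout: float = 5.0) -> dict:
    """Live equivalent of `openssl s_client -connect host:443 -servername host`: the default
    context verifies the chain against the system trust store and checks the hostname,
    then the parsed leaf certificate is returned for the checks above."""
    context = ssl.create_default_context()
    with socket.create_connection((host, port), timeout=timeout) as sock:
        with context.wrap_socket(sock, server_hostname=host) as tls:
            return tls.getpeercert()


# Constructed sample in the shape getpeercert() returns; not a real certificate.
SAMPLE_CERT = {
    "subject": ((("commonName", "example.com"),),),
    "notBefore": "Jun 30 12:00:00 2029 GMT",
    "notAfter": "Jun 30 12:00:00 2030 GMT",
    "subjectAltName": (("DNS", "example.com"), ("DNS", "*.example.com")),
}
# Fixed clock so the offline demo is deterministic: 29 days before expiry.
NOW = datetime(2030, 6, 1, 12, 0, 0, tzinfo=timezone.utc)

if __name__ == "__main__":
    for host in ("www.example.com", "example.com", "a.b.example.com"):
        print(host, check_certificate(SAMPLE_CERT, host, NOW) or "OK")
```

For a live check, replace `SAMPLE_CERT` and `NOW` with `fetch_peer_cert("example.com")` and `datetime.now(timezone.utc)`; a 30-day warning window lines up with the twice-daily `certbot renew` schedule above, which renews well before expiry.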
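An audit of the nginx settings under TLS Best Practices above, as an added example that is not code from the page or from nginx: it parses a config fragment and reports legacy protocols, weak cipher suites, a missing or short HSTS `max-age`, and stapling left off. The function names, the weak-cipher marker list and the two sample configs are constructed; the hardened sample repeats the page's own directives, and the 31536000-second minimum is the page's HSTS value.

```python
import re
import shlex

LEGACY_PROTOCOLS = {"SSLv2", "SSLv3", "TLSv1", "TLSv1.1"}
WEAK_CIPHER_MARKERS = ("RC4", "DES", "MD5", "NULL", "EXPORT")   # constructed, not exhaustive
MIN_HSTS_MAX_AGE = 31536000  # one year, the value used in the snippet above


def parse_directives(text: str) -> list[list[str]]:
    """Split nginx config text into [name, arg, ...] statements. shlex keeps a quoted
    value such as "max-age=31536000; includeSubDomains" as one token and drops '#'
    comments; braces are skipped so server {} blocks parse too. Assumption: a quoted
    argument never ends in ';' (the token boundary is the trailing ';')."""
    statements, current = [], []
    for token in shlex.split(text, comments=True):
        if token in ("{", "}"):
            if current:
                statements.append(current)
            current = []
        elif token.endswith(";"):
            if token[:-1]:
                current.append(token[:-1])
            statements.append(current)
            current = []
        else:
            current.append(token)
    if current:
        statements.append(current)
    return statements


def audit_tls_config(text: str) -> list[str]:
    """Check the directives the cheat sheet recommends; an empty list means all present."""
    protocols = ciphers = stapling = hsts = None
    for statement in parse_directives(text):
        if not statement:
            continue
        name, args = statement[0], statement[1:]
        if name == "ssl_protocols":
            protocols = args
        elif name == "ssl_ciphers" and args:
            ciphers = args[0]
        elif name == "ssl_stapling" and args:
            stapling = args[0]
        elif name == "add_header" and len(args) >= 2 and args[0].lower() == "strict-transport-security":
            hsts = args[1]

    findings = []
    if protocols is None:
        findings.append("ssl_protocols not set; the nginx default depends on the version")
    else:
        legacy = sorted(p for p in protocols if p in LEGACY_PROTOCOLS)
        if legacy:
            findings.append("legacy protocols enabled: " + ", ".join(legacy))
        if "TLSv1.3" not in protocols:
            findings.append("TLSv1.3 not enabled")
    if ciphers is not None:
        # Only suites that are added count; '!RC4' or '-MD5' are exclusions, not enablements.
        enabled = [s for s in ciphers.split(":") if s and not s.startswith(("!", "-"))]
        weak = sorted({s for s in enabled if any(m in s.upper() for m in WEAK_CIPHER_MARKERS)})
        if weak:
            findings.append("weak cipher suites: " + ", ".join(weak))
    if hsts is None:
        findings.append("HSTS header not set")
    else:
        match = re.search(r"max-age=(\d+)", hsts)
        max_age = int(match.group(1)) if match else 0
        if max_age < MIN_HSTS_MAX_AGE:
            findings.append(f"HSTS max-age {max_age} is below {MIN_HSTS_MAX_AGE}")
    if stapling != "on":
        findings.append("OCSP stapling not enabled (ssl_stapling on)")
    return findings


# Constructed samples: a legacy server block, and the hardened settings from the page.
WEAK_CONFIG = """
server {
    listen 443 ssl;
    ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
    ssl_ciphers HIGH:!aNULL:RC4-SHA;
    add_header Strict-Transport-Security "max-age=300";
}
"""

HARDENED_CONFIG = """
ssl_protocols TLSv1.2 TLSv1.3;
ssl_ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256;
ssl_prefer_server_ciphers on;
add_header Strict-Transport-Security "max-age=31536000; includeSubDomains" always;
ssl_stapling on;
ssl_stapling_verify on;
"""

if __name__ == "__main__":
    for label, cfg in (("weak", WEAK_CONFIG), ("hardened", HARDENED_CONFIG)):
        print(label, audit_tls_config(cfg) or ["OK"])
```

The audit only sees directives present in the text you pass in, so run it on the rendered server block rather than an include fragment. One caveat the page's snippet does not show: for `ssl_stapling_verify on` to actually verify the stapled response, nginx also needs `ssl_trusted_certificate` pointing at the issuer and intermediate certificates.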