HxHippy

SSL/TLS Certificates

SSL/TLS certificate management, best practices, and implementation.

Last updated: 2025-01-15

Secure communication with properly configured SSL/TLS certificates.

Certificate Types

Type               Validation             Use Case
DV (Domain)        Domain ownership       Basic encryption
OV (Organization)  Company verification   Business sites
EV (Extended)      Thorough vetting       Financial/e-commerce
Wildcard           *.domain.com           Multiple subdomains
SAN                Multiple domains       Multi-domain certs

Generate Certificates

Self-Signed (Development)

# Generate private key and certificate
openssl req -x509 -nodes -days 365 -newkey rsa:4096 \
    -keyout server.key -out server.crt \
    -subj "/CN=localhost/O=Dev/C=US"

# Generate with SAN
openssl req -x509 -nodes -days 365 -newkey rsa:4096 \
    -keyout server.key -out server.crt \
    -subj "/CN=example.com" \
    -addext "subjectAltName=DNS:example.com,DNS:www.example.com"

CSR for CA-Signed

# Generate key and CSR
openssl req -new -newkey rsa:4096 -nodes \
    -keyout server.key -out server.csr \
    -subj "/CN=example.com/O=Company/C=US"

# View CSR
openssl req -text -noout -in server.csr

Certbot

# Install certbot
sudo apt install certbot python3-certbot-nginx

# Obtain certificate
sudo certbot --nginx -d example.com -d www.example.com

# Certificate only (no nginx config)
sudo certbot certonly --webroot -w /var/www/html -d example.com

# Renew certificates
sudo certbot renew --dry-run

Auto-Renewal

# Certbot creates a timer automatically
sudo systemctl status certbot.timer

# Manual cron (if needed)
0 0,12 * * * certbot renew --quiet

Verify Certificates

# View certificate details
openssl x509 -text -noout -in server.crt

# Check expiration
openssl x509 -enddate -noout -in server.crt

# Verify certificate chain
openssl verify -CAfile ca-bundle.crt server.crt

# Test remote SSL
openssl s_client -connect example.com:443 -servername example.com
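The verification commands above are one-off checks. The script below is an added example, not part of the original page: it wraps the same openssl calls (x509 -checkend, x509 -text SAN parsing, verify -CAfile) into reusable functions and exercises them on a constructed self-signed certificate generated with the -addext SAN form from the Self-Signed section. Function names, the demo.crt/demo.key file names and the example.com SANs are assumptions for illustration.

```shell
#!/bin/sh
# Added example (not from the page): reusable checks built from the openssl
# commands above. Requires OpenSSL 1.1.1+ for -addext and -checkend.
set -eu

# cert_expires_within CERT DAYS -> 0 if CERT expires within DAYS days (or is
# already expired), 1 if it stays valid past that window.
cert_expires_within() {
    ! openssl x509 -noout -checkend "$(( $2 * 86400 ))" -in "$1" >/dev/null 2>&1
}

# cert_covers_host CERT HOST -> 0 if HOST is in the SAN list, exactly or via
# a one-level wildcard (*.parent). The CN is deliberately ignored.
cert_covers_host() {
    openssl x509 -noout -text -in "$1" \
        | grep -o 'DNS:[^, ]*' | sed 's/^DNS://' \
        | grep -qxF -e "$2" -e "*.${2#*.}"
}

# cert_chain_ok CERT CABUNDLE -> 0 if CERT chains to a CA in CABUNDLE.
cert_chain_ok() {
    openssl verify -CAfile "$2" "$1" >/dev/null 2>&1
}

# make_demo_cert DIR -> constructed self-signed test cert (365 days) with
# SANs example.com and *.example.com, written to DIR/demo.crt and demo.key.
make_demo_cert() {
    openssl req -x509 -nodes -days 365 -newkey rsa:2048 \
        -keyout "$1/demo.key" -out "$1/demo.crt" \
        -subj "/CN=example.com" \
        -addext "subjectAltName=DNS:example.com,DNS:*.example.com" \
        >/dev/null 2>&1
}

# Demo: run the checks on the constructed certificate.
demo() {
    dir=$(mktemp -d)
    make_demo_cert "$dir"
    if cert_expires_within "$dir/demo.crt" 30; then
        echo "WARNING: certificate expires within 30 days"
    else
        echo "OK: certificate valid beyond 30 days"
    fi
    cert_covers_host "$dir/demo.crt" www.example.com && echo "OK: SAN covers www.example.com"
    cert_covers_host "$dir/demo.crt" other.example.net || echo "OK: SAN rejects other.example.net"
    cert_chain_ok "$dir/demo.crt" "$dir/demo.crt" && echo "OK: self-signed cert verifies against itself"
    rm -rf "$dir"
}
demo
```

Point the same functions at a deployed server.crt and your CA bundle (for example from a cron job) to catch an expiring or mis-issued certificate before clients do.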

TLS Best Practices

# Strong cipher configuration (nginx)
ssl_protocols TLSv1.2 TLSv1.3;
ssl_ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256;
ssl_prefer_server_ciphers on;

# HSTS header
add_header Strict-Transport-Security "max-age=31536000; includeSubDomains" always;

# OCSP Stapling
ssl_stapling on;
ssl_stapling_verify on;

Certificate Storage

# Secure key permissions
chmod 600 /etc/ssl/private/server.key
chmod 644 /etc/ssl/certs/server.crt
chown root:root /etc/ssl/private/server.key