Free SSL certificate for 3 years and up to 100 domains

More and more people are reconfiguring their sites for SSL connections, so I decided to use an SSL certificate and a secure connection on my blogs too.

The Chinese CA WoSign offers free SSL certificates which are valid for 2 years and may contain up to 100 domains each (multi-domain/SAN/UCC). That is very useful for hosting various domains on one single IP address (a better option than SNI if you still have Windows XP clients). Before you stop reading because you don't trust a Chinese company with your website encryption, keep in mind that you don't have to trust them at all: you generate the SSL key on your server and only send them the CSR (certificate signing request), which doesn't contain any private information.


Let’s get the certificate


1. Visit https://buy.wosign.com/free/ and register an account. The site is in Chinese, so Google Translate helps.

(Screenshot: WoSign free SSL registration page)

2. Enter the domain(s) that should be included in the SSL certificate in the first textbox, one per line. If you just enter "blog.vovando.dev", you will get the subdomain "www.blog.vovando.dev" automatically.

(Screenshot: SSL request form)

3. Leaving the defaults is generally recommended: 3-year period, English language and SHA2 algorithm.

4. Verify the domain(s) either via an email sent to a special mailbox at that domain, or via a special file you have to upload to http://blog.vovando.dev/blog.vovando.dev.html

5. Login to your webserver via SSH and generate a new SSL key and a Certificate Signing Request (CSR), for example with this command:

openssl req -out blog.vovando.dev.csr -new -sha256 -newkey rsa:2048 -nodes -keyout blog.vovando.dev.key

6. Select "Option 2: Generate by myself" and paste the CSR you just generated. Never use the first option: with it the CA generates the key for you, so you are no longer the sole holder of your private key.
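The CSR command in step 5 only puts one name in the subject; for the multi-domain certificate this post is about, every hostname has to be listed as a subjectAltName in the CSR. The script below is an added example (not from the original post) that generates the key and a SAN CSR with a throwaway OpenSSL config, prints the names the CSR actually requests so you can check them before pasting, and confirms the CSR carries no key material. Hostnames and file names are constructed.

```shell
#!/bin/sh
# Added example: build a multi-domain (SAN) CSR with the openssl CLI.
# Usage: make_san_csr OUTPREFIX HOST1 [HOST2 ...]  -> OUTPREFIX.key, OUTPREFIX.csr
# The first host becomes the CN; all hosts go into subjectAltName.
# The private key never leaves this machine; only the .csr is sent to the CA.
make_san_csr() {
    prefix=$1; shift
    primary=$1
    sans=""
    for h in "$@"; do
        sans="${sans:+$sans, }DNS:$h"
    done
    cfg=$(mktemp)
    cat > "$cfg" <<EOF
[ req ]
prompt = no
distinguished_name = dn
req_extensions = v3_req
[ dn ]
CN = $primary
[ v3_req ]
subjectAltName = $sans
EOF
    # Same shape as the post's command, plus -config for the SAN extension.
    openssl req -new -sha256 -newkey rsa:2048 -nodes \
        -config "$cfg" -keyout "$prefix.key" -out "$prefix.csr" 2>/dev/null
    rc=$?
    rm -f "$cfg"
    return $rc
}

# Print the DNS names a CSR requests, comma-separated and without spaces,
# so you can eyeball them before pasting the CSR into the CA's form.
csr_san_list() {
    openssl req -in "$1" -noout -text \
        | sed -n '/Subject Alternative Name/{n;p;}' | tr -d ' \t'
}

# Returns 0 if the file contains no private key block (what a CSR should look like).
has_no_private_key() {
    ! grep -q 'PRIVATE KEY' "$1"
}

# Stand-alone usage (constructed names):
if [ "${1:-}" = "demo" ]; then
    make_san_csr /tmp/blog blog.example.test www.blog.example.test mail.example.test
    csr_san_list /tmp/blog.csr
fi
```

Run it with `sh script.sh demo`; the printed list is what the CA will see, and nothing else about your server is in the CSR.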

7. Enter your email address and select a new password if you don't have a WoSign account yet.

8. Enter the captcha code, confirm the terms and conditions and submit the request.

9. The next page will confirm the request and show an estimated time of delivery. Keep in mind that the certificates are manually reviewed during Beijing business hours, so it might take a few hours until you get the certificate.

10. Next you will receive an email with a link to a ZIP file containing your certificate.

(Screenshot: certificate delivery email)

11. Download it.

(Screenshot: certificate download)

12. Now we need to set up the web server (in my case Nginx) to work with the certificate.

  • Fetch all the intermediate certificates into the ssl directory (the .cer/.crt files are DER, so they are converted to PEM before being appended to the bundle):
cd /path/to/ssl

wget -O - https://www.startssl.com/certs/ca.pem | tee -a ca-certs.pem > /dev/null
wget -O - https://www.startssl.com/certs/sub.class1.server.ca.pem | tee -a ca-certs.pem > /dev/null
wget -O - http://aia.startssl.com/certs/ca.crt | openssl x509 -inform DER -outform PEM | tee -a ca-certs.pem > /dev/null
wget -O - http://aia1.wosign.com/ca1g2-server1-free.cer | openssl x509 -inform DER -outform PEM | tee -a ca-certs.pem > /dev/null
wget -O - http://aia6.wosign.com/ca6.server1.free.cer | openssl x509 -inform DER -outform PEM | tee -a ca-certs.pem > /dev/null

Make sure to configure OCSP stapling on your web server. WoSign only operates OCSP responders in China, so browsers that query the responder before opening the connection see bad latency for western visitors. It is also a privacy issue, since WoSign a.k.a. "the Chinese" get to know who visits which website. With OCSP stapling you effectively mitigate both problems.


  • Add the conf below to /etc/nginx/nginx.conf (inside the http { } block)
#########################################################
#
#
 ssl_session_cache shared:SSL:10m;
 ssl_session_timeout 5m;
 ssl_prefer_server_ciphers on;

 ssl_stapling on;
 ssl_stapling_verify on;
 ssl_trusted_certificate "/etc/nginx/ssl/ca-certs.pem";

 resolver 8.8.8.8 8.8.4.4 valid=300s;
 resolver_timeout 5s;
#
#
#########################################################
  • Add to your domain's server block configuration

#########################################################

#

        ssl on;
        ssl_certificate /etc/nginx/ssl/blog.vovando.dev_bundle.crt.crt;
        ssl_certificate_key /etc/nginx/ssl/blog.vovando.dev.key;
        ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
        ssl_ciphers 'HIGH:!aNULL:!MD5:!kEDH';
        add_header Strict-Transport-Security "max-age=31536000; includeSubdomains;";

#

#########################################################

  • Reload Nginx

service nginx reload

13. Make sure to test your implementation with the excellent Qualys SSL Labs server test.

My result: A

or on the command line, where -status requests the stapled OCSP response (look for "OCSP Response Status: successful" in the output; "no response sent" means stapling is not working):

openssl s_client -connect blog.vovando.dev:443 -tls1  -tlsextdebug  -status
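Step 12 builds a bundle of intermediates for ssl_trusted_certificate, and the s_client command above checks that a staple is actually served. The script below is an added example, not part of the original post: it builds a throwaway root, intermediate and leaf with openssl (constructed test data, not WoSign's real chain), assembles the bundle the same way, and shows the check worth running before a reload, namely that the leaf only verifies when the intermediate is in the bundle. stapling_ok wraps the s_client check so it can be scripted; it needs network access and a real host, so it is not exercised here. Hostnames and file names are constructed.

```shell
#!/bin/sh
# Added example: a test chain, the intermediate bundle, and the checks around it.

# build_test_chain DIR: writes root.pem, int.pem, leaf.pem and ca-certs.pem into DIR.
build_test_chain() {
    d=$1
    # Extensions for CA certificates (root and intermediate) and for the leaf.
    printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign,cRLSign\n' > "$d/ca.ext"
    printf 'basicConstraints=CA:FALSE\nsubjectAltName=DNS:blog.example.test\n' > "$d/leaf.ext"

    # Self-signed root (constructed).
    openssl req -new -newkey rsa:2048 -nodes -sha256 -subj "/CN=Test Root" \
        -keyout "$d/root.key" -out "$d/root.csr" 2>/dev/null
    openssl x509 -req -in "$d/root.csr" -signkey "$d/root.key" -days 30 -sha256 \
        -extfile "$d/ca.ext" -out "$d/root.pem" 2>/dev/null

    # Intermediate, signed by the root.
    openssl req -new -newkey rsa:2048 -nodes -sha256 -subj "/CN=Test Intermediate" \
        -keyout "$d/int.key" -out "$d/int.csr" 2>/dev/null
    openssl x509 -req -in "$d/int.csr" -CA "$d/root.pem" -CAkey "$d/root.key" \
        -CAcreateserial -days 30 -sha256 -extfile "$d/ca.ext" -out "$d/int.pem" 2>/dev/null

    # Server (leaf) certificate, signed by the intermediate.
    openssl req -new -newkey rsa:2048 -nodes -sha256 -subj "/CN=blog.example.test" \
        -keyout "$d/leaf.key" -out "$d/leaf.csr" 2>/dev/null
    openssl x509 -req -in "$d/leaf.csr" -CA "$d/int.pem" -CAkey "$d/int.key" \
        -CAcreateserial -days 30 -sha256 -extfile "$d/leaf.ext" -out "$d/leaf.pem" 2>/dev/null

    # The bundle nginx reads via ssl_trusted_certificate: intermediates, then the root,
    # exactly what the wget | tee -a lines in step 12 accumulate.
    cat "$d/int.pem" "$d/root.pem" > "$d/ca-certs.pem"
}

# verify_leaf BUNDLE LEAF: 0 if LEAF chains to a root in BUNDLE, 1 otherwise.
# A missing intermediate is the usual reason stapling verification fails.
verify_leaf() {
    openssl verify -CAfile "$1" "$2" >/dev/null 2>&1
}

# stapling_ok HOST: 0 if the live server sends a successful stapled OCSP response.
# Wraps the s_client -status check from step 13 (needs network; hypothetical usage).
stapling_ok() {
    printf 'Q\n' | openssl s_client -connect "$1:443" -servername "$1" -status 2>/dev/null \
        | grep -q 'OCSP Response Status: successful'
}

# Stand-alone usage: sh script.sh demo
if [ "${1:-}" = "demo" ]; then
    d=$(mktemp -d)
    build_test_chain "$d"
    verify_leaf "$d/ca-certs.pem" "$d/leaf.pem" && echo "bundle verifies leaf"
    verify_leaf "$d/root.pem" "$d/leaf.pem" || echo "root alone does not (intermediate missing)"
fi
```

Before reloading nginx, run verify_leaf with your real ca-certs.pem against the certificate in the ZIP; if that fails, ssl_stapling_verify will reject the staple for the same reason.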


I would be happy to answer any questions you have!

Stay tuned!