@John-K
Created March 17, 2015 08:49
Generating ECDSA CSR for Comodo PositiveSSL and loading into lighttpd
#generate ECDSA key using secp256r1 (or as openssl knows it, prime256v1)
#heed warnings about this curve: http://safecurves.cr.yp.to/
openssl ecparam -out kelley.ca_ec_key.pem -genkey -name prime256v1
#generate your CSR from the existing key
#note: Comodo PositiveSSL will issue the cert both with and without www. automatically if you prepend www to your CN
#note: the key already exists, so -keyout is not needed (req only writes a key file when it generates one); -nodes is likewise only meaningful for a generated key
openssl req -new -key kelley.ca_ec_key.pem -out www_kelley_ca.csr -subj "/C=US/ST=California/L=San Francisco/O=John Kelley/CN=www.kelley.ca"
#submit your CSR and follow instructions
#download your certificate archive
#unpack the files
mkdir /etc/lighttpd/certs
cd /etc/lighttpd/certs
cp ~/www_kelley_ca.zip .
unzip www_kelley_ca.zip
#combine the cert chain into one file (leaf issuer first, then its issuer)
#note: don't include AddTrustExternalCARoot.crt as it's the Root Cert and shouldn't be in your bundle
#note: use > rather than >> so re-running the step doesn't leave duplicate certs in chain.crt
cat COMODOECCDomainValidationSecureServerCA.crt COMODOECCAddTrustCA.crt > chain.crt
# create a pem file containing both the private key and the cert
cat ~/kelley.ca_ec_key.pem www_kelley_ca.crt > kelley_ca.pem
chown root kelley_ca.pem
chmod 400 kelley_ca.pem
rm www_kelley_ca.crt
#add the following to lighttpd.conf
# TLS Config
$SERVER["socket"] == "kelley.ca:443" {
    server.name = "kelley.ca"
    server.use-ipv6 = "enable"
    ssl.engine = "enable"
    ssl.pemfile = "/etc/lighttpd/certs/kelley_ca.pem"
    ssl.use-sslv2 = "disable"
    ssl.use-sslv3 = "disable"
    ssl.ca-file = "/etc/lighttpd/certs/chain.crt"
    ssl.ec-curve = "prime256v1"
    ssl.honor-cipher-order = "enable"
    ssl.cipher-list = "AES256+EECDH:AES256+EDH:AES128+EECDH:AES128+EDH"
    ssl.use-compression = "disable"
    setenv.add-response-header = (
        "Strict-Transport-Security" => "max-age=63072000; includeSubDomains",
        "X-Frame-Options" => "DENY",
        "X-Content-Type-Options" => "nosniff"
    )
}
# Forward HTTP to HTTPS
$HTTP["scheme"] == "http" {
    # capture the vhost name with a regex conditional (=~, not the literal string match ==) -> %0 in the redirect pattern
    # the regex conditional must be the innermost block around the redirect rule
    $HTTP["host"] =~ "^kelley\.ca$" {
        url.redirect = (".*" => "https://%0$0")
    }
    $HTTP["host"] =~ "^www\.kelley\.ca$" {
        url.redirect = (".*" => "https://%0$0")
    }
}
#references:
# https://raymii.org/s/tutorials/Strong_SSL_Security_On_lighttpd.html
# https://cipherli.st/
# https://www.ssllabs.com/ssltest/