Generating ECDSA CSR for Comodo PositiveSSL and loading into lighttpd
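#!/usr/bin/env bash
# Generate an ECDSA private key and CSR for Comodo PositiveSSL, then install
# the issued certificate for lighttpd.
#
# Steps 1-2 run as your normal user from your home directory (step 6 reads
# the key back from ~). Steps 4-6 run as root once the certificate archive
# (www_kelley_ca.zip) has been downloaded to ~. There is a manual wait
# between step 2 and step 4 while the CA issues the certificate.
set -euo pipefail

# 1. generate ECDSA key using secp256r1 (or as openssl knows it, prime256v1)
#    heed warnings about this curve: http://safecurves.cr.yp.to/
#    umask 077 in a subshell: openssl honours the umask, so the key file is
#    created owner-only instead of world-readable, without changing the umask
#    for the rest of the script.
( umask 077; openssl ecparam -out kelley.ca_ec_key.pem -genkey -name prime256v1 )

# 2. generate your CSR from the key created above
#    note: Comodo PositiveSSL will issue the cert both with and without www.
#    automatically if you prepend www to your CN
#    The original line read "-key kelley.ca_ec_key.pem-nodes": the missing
#    space made openssl look for a key file literally named
#    "kelley.ca_ec_key.pem-nodes". -nodes and -keyout only apply when req
#    generates a fresh key, so with -key they are dropped here.
openssl req -new -key kelley.ca_ec_key.pem -out www_kelley_ca.csr \
  -subj "/C=US/ST=California/L=San Francisco/O=John Kelley/CN=www.kelley.ca"

# 3. submit your CSR and follow instructions, then download your certificate archive

# 4. unpack the files (as root)
mkdir -p /etc/lighttpd/certs
cd /etc/lighttpd/certs || exit 1
cp -- ~/www_kelley_ca.zip .
unzip -o www_kelley_ca.zip

# 5. combine the cert chain into one file
#    note: don't include AddTrustExternalCARoot.crt as it's the Root Cert and
#    shouldn't be in your bundle
#    ">" rather than ">>" so re-running the script does not append duplicate
#    intermediates to an existing chain.crt
cat COMODOECCDomainValidationSecureServerCA.crt COMODOECCAddTrustCA.crt > chain.crt

# 6. create a pem file containing both the private key and the cert
#    Created under umask 077 so the key material is never readable by others,
#    not even between the write and the chmod below.
( umask 077; cat ~/kelley.ca_ec_key.pem www_kelley_ca.crt > kelley_ca.pem )
chown root kelley_ca.pem
# The original had a typo here ("keley_ca.pem"), so chmod failed and the
# key-bearing pem kept its default permissions.
chmod 400 kelley_ca.pem
rm -- www_kelley_ca.crt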
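#add the following to lighttpd.conf
# TLS Config
# ssl.pemfile holds the private key, so it must stay root-owned and mode 400;
# lighttpd reads it at startup before dropping privileges.
$SERVER["socket"] == "kelley.ca:443" {
  server.name = "kelley.ca"
  server.use-ipv6 = "enable"
  ssl.engine = "enable"
  ssl.pemfile = "/etc/lighttpd/certs/kelley_ca.pem"
  ssl.use-sslv2 = "disable"
  ssl.use-sslv3 = "disable"
  # intermediates only (see chain.crt above); the root is not sent to clients
  ssl.ca-file = "/etc/lighttpd/certs/chain.crt"
  ssl.ec-curve = "prime256v1"
  ssl.honor-cipher-order = "enable"
  # ECDHE/DHE-only suites: every cipher here provides forward secrecy
  ssl.cipher-list = "AES256+EECDH:AES256+EDH:AES128+EECDH:AES128+EDH"
  ssl.use-compression = "disable"
  setenv.add-response-header = (
    "Strict-Transport-Security" => "max-age=63072000; includeSubDomains",
    "X-Frame-Options" => "DENY",
    "X-Content-Type-Options" => "nosniff"
  )
}
# Forward HTTP to HTTPS
$HTTP["scheme"] == "http" {
  # capture vhost name with a regex conditional -> %0 in redirect pattern
  # must be the innermost block to the redirect rule
  #
  # These conditions must use "=~" (regex), not "==" (literal string compare):
  # %0 is only populated by a regex match, and a literal compare against
  # "kelley\.ca" (backslash included) never equals a real Host header, so the
  # original redirect blocks never matched at all. The patterns are anchored
  # so that www.kelley.ca is not also caught by the bare-domain block.
  $HTTP["host"] =~ "^kelley\.ca$" {
    url.redirect = (".*" => "https://%0$0")
  }
  $HTTP["host"] =~ "^www\.kelley\.ca$" {
    url.redirect = (".*" => "https://%0$0")
  }
}
#references:
# https://raymii.org/s/tutorials/Strong_SSL_Security_On_lighttpd.html
# https://cipherli.st/
# https://www.ssllabs.com/ssltest/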