Created
October 15, 2014 09:10
-
-
Save jhancock/aa508399992a543650fe to your computer and use it in GitHub Desktop.
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| ######################### | |
| ## SSL for dev ## | |
| ######################### | |
| openssl genrsa -des3 -passout pass:x -out dev.mydomain.pass.key 2048 | |
| openssl rsa -passin pass:x -in dev.mydomain.pass.key -out dev.mydomain.key | |
| rm dev.mydomain.pass.key | |
| openssl req -new -key dev.mydoamin.key -out dev.mydomain.csr | |
| # press enter when asked for password | |
| openssl x509 -req -days 365 -in dev.mydomain.csr -signkey dev.mydomain.key -out dev.mydomain.crt | |
| openssl dhparam -out dev.mydomain.dhparam.pem 2048 | |
| # ensure dev.mydomain.key is not stored in git | |
| ######################### | |
| ## SSL for prod ## | |
| ######################### | |
| openssl genrsa -des3 -passout pass:x -out mydomain.pass.key 2048 | |
| openssl rsa -passin pass:x -in mydomain.pass.key -out mydomain.key | |
| rm mydomain.pass.key | |
| openssl req -new -key mydomain.key -out mydomain.csr | |
| # press enter when asked for password | |
| # This line completed by Comodo SSL service | |
| #openssl x509 -req -days 365 -in mydomain.csr -signkey mydomain.key -out mydomain.crt | |
| openssl dhparam -out mydomain.dhparam.pem 2048 | |
| # ensure mydomain.key is not stored in git | |
| # verify cert. The md5 of both commands should be the same | |
| openssl rsa -noout -modulus -in mydomain.key | openssl md5 | |
| # use the main crt, not the full bundle | |
| openssl x509 -noout -modulus -in mydomain_com.crt | openssl md5 | |
| ######################### | |
| ## SSL Stapling OCSP ## | |
| ######################### | |
| ####### Verify Start ######### | |
| # verify stapling is working | |
| openssl s_client -connect mydomain.com:443 -tls1 -tlsextdebug -status | |
| # output should include: | |
| OCSP response: | |
| ====================================== | |
| OCSP Response Data: | |
| OCSP Response Status: successful (0x0) | |
| Response Type: Basic OCSP Response | |
| ######## Verify End ######### | |
| ##### Firewall Start ###### | |
| # do this to see what URLs need to be unblocked with firewall for outgoing connections | |
| # https://raymii.org/s/tutorials/OCSP_Stapling_on_nginx.html | |
| # the following command does not work on OS X. run from the linux dev VM. | |
| OLDIFS=$IFS; IFS=':' certificates=$(openssl s_client -connect mydomain.com:443 -showcerts -tlsextdebug -tls1 2>&1 </dev/null | sed -n '/-----BEGIN/,/-----END/ {/-----BEGIN/ s/^/:/; p}'); for certificate in ${certificates#:}; do echo $certificate | openssl x509 -noout -ocsp_uri; done; IFS=$OLDIFS | |
| # should output something like this: | |
| http://ocsp.comodoca.com | |
| http://ocsp.comodoca.com | |
| http://ocsp.usertrust.com | |
| # firewall needs to allow outbound connect to those locations | |
| ####### Firewall End ####### |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment