Skip to content

Instantly share code, notes, and snippets.

@mtigas mtigas/01.md
Last active Apr 16, 2019

Embed
What would you like to do?
HTTPS / SSL certificate config stuff

Normal SSL cert

export DATE=`date +"%Y%m"`
export SITENAME="mike_tig_as"
export KEYNAME="$DATE-$SITENAME"

# Generate private key, make it have no password.
# change to 2048 if you want compatibility with CDNs / aws cloudfront / load balancers, etc
openssl genrsa -aes256 -passout pass:xxxx -out "${KEYNAME}.pass.key" 4096
openssl rsa -passin pass:xxxx -in ${KEYNAME}.pass.key -out ${KEYNAME}.key
rm ${KEYNAME}.pass.key

# alternatively, you can make an ecc key by doing:
#openssl ecparam -genkey -name secp256r1 | openssl ec -out ${KEYNAME}.key
#
# for other curve types:
# openssl ecparam -list_curves
# https://en.wikipedia.org/wiki/Comparison_of_TLS_implementations#Supported_elliptic_curves

# Generate a CSR
openssl req -new -sha256 -key ${KEYNAME}.key -out ${KEYNAME}.csr

# send CSR to CA. for rapidssl you might want to go
# directly to https://www.rapidssl.com/ and use their
# interface since most resellers don't do respect SHA256 flag.
#
# paste cert into ${KEYNAME}.pem

### RAPIDSSL ###
# download intermediate chain
#curl -Lo ${DATE}-intermediates.pem https://knowledge.rapidssl.com/library/VERISIGN/ALL_OTHER/RapidSSL%20Intermediate/RapidSSL_CA_bundle.pem
#cat ${KEYNAME}.pem ${DATE}-intermediates.pem > ${KEYNAME}.withintermediates.pem
###
# GeoTrust
# download the certs given to you in your cert e-mail. ignore "AddTrustExternalCARoot.crt"
# since we don't need to send the root (they're included in a user's browser).
#cat COMODORSADomainValidationSecureServerCA.crt COMODORSAAddTrustCA.crt > ${DATE}-intermediates.pem
#cat ${KEYNAME}.pem ${DATE}-intermediates.pem > ${KEYNAME}.withintermediates.pem

And in your nginx server config, you'd use something like

server {
    listen       443;
    server_name  www.example.com;

    ssl                  on;
    ssl_certificate      /path/to/ssl/201410-www_example_com.withintermediates.pem;
    ssl_certificate_key  /path/to/ssl/201410-www_example_com.key;
    ssl_protocols TLSv1.2 TLSv1.1 TLSv1;
    ssl_session_cache shared:ssl_www_example_com:5m;
    ssl_session_timeout  5m;
    ssl_ciphers ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES256-SHA256:DHE-RSA-AES256-SHA:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:ECDHE-RSA-DES-CBC3-SHA:ECDHE-ECDSA-DES-CBC3-SHA:EDH-RSA-DES-CBC3-SHA:AES256-GCM-SHA384:AES256-SHA256:AES256-SHA:AES128-GCM-SHA256:AES128-SHA256:AES128-SHA:DES-CBC3-SHA;
    #...
    location / {
        #...
    }
    #...
}

CloudFront

Same as Normal, but with 2048 instead of 4096 in the very first key generation step.

The --certificate-chain should be intermediate certs ONLY. Not your cert and not the root cert.

Then, upload to AWS with:

aws iam upload-server-certificate \
  --server-certificate-name ${KEYNAME} \
  --certificate-body file://${PWD}/${KEYNAME}.pem \
  --private-key file://${PWD}/${KEYNAME}.key \
  --certificate-chain file://${PWD}/${DATE}-intermediates.pem \
  --path /cloudfront/${KEYNAME}/

Self-Signed

Same as Normal, but you can use sha512 signatures too, since you probably don't care about IE. And you'll actually generate the full cert.

export DATE=`date +"%Y%m"`
export SITENAME="mike_tig_as"
export KEYNAME="$DATE-$SITENAME"

# Generate private key, make it have no password
openssl genrsa -aes256 -passout pass:x -out "${KEYNAME}.pass.key" 4096
openssl rsa -passin pass:x -in ${KEYNAME}.pass.key -out ${KEYNAME}.key
rm ${KEYNAME}.pass.key

# Generate a CSR
openssl req -new -sha512 -key ${KEYNAME}.key -out ${KEYNAME}.csr

openssl x509 -req -sha512 -days 365 -in "${KEYNAME}.csr" -signkey "${KEYNAME}.key" -out "${KEYNAME}.pem"
#!/bin/bash
################
# generates a self-signed SSL certificate.
# because I always forget how to do this.
################
shopt -s expand_aliases
# If you want to use a different openssl than system. (i.e. using
# Mac OS X Homebrew for a 1.0.1 version rather than system-supplied
# 0.9.8)
#alias openssl="/usr/local/Cellar/openssl/1.0.1e/bin/openssl"
echo "Using"
openssl version
echo
################
echo "Enter a server name or some other nickname to name the key file."
echo "i.e., entering 'www.example.local' will create 'www.example.local.key',"
echo "'www.example.local.csr', and 'www.example.local.crt'."
read SERVERNAME
echo
echo "Enter a size for the RSA key. Recommended values are 2048 and 4096."
echo "Support for values above 4096 is extremely rare as of August 2013. (Only"
echo "Firefox support is confirmed.)"
read KEYSIZE
echo
echo
########################
# generate a RSA key
openssl genrsa -des3 -passout pass:x -out "${SERVERNAME}.pass.key" $KEYSIZE
# re-save the key with no password
openssl rsa -passin pass:x -in "${SERVERNAME}.pass.key" -out "${SERVERNAME}.key"
rm "${SERVERNAME}.pass.key"
# generate a signing request
# make sure you use proper "Country Name" (US or other ISO 3166-1
# two-letter code) and "Common Name" (domain name)
openssl req -new -key "${SERVERNAME}.key" -out "${SERVERNAME}.csr"
# Verify that req has the right info
openssl req -noout -text -in "${SERVERNAME}.csr" | grep "Subject:"
### SELF-SIGNED: ###
openssl x509 -req -days 365 -in "${SERVERNAME}.csr" -signkey "${SERVERNAME}.key" -out "${SERVERNAME}.crt"
### OR SEND CSR TO A SSL CERTIFICATE AUTHORITY ###
# Verify that cert is "OK". You'll get a "depth lookup:self signed certificate" error, but that's fine.
#openssl verify "${SERVERNAME}.crt"
# Verify that modulus matches in all three cases:
#openssl x509 -noout -modulus -in "${SERVERNAME}.crt"
#openssl rsa -noout -modulus -in "${SERVERNAME}.key"
#openssl req -noout -modulus -in "${SERVERNAME}.csr"
rm "${SERVERNAME}.csr"
echo
echo
echo "Key and certificate saved:"
echo "${SERVERNAME}.key"
echo "${SERVERNAME}.crt"
unset SERVERNAME
unset KEYSIZE
unalias openssl
@gruhby

This comment has been minimized.

Copy link

commented Apr 16, 2019

As in your other gist there's no use in first creating an encrypted key (here: using -aes256or -des3) just to remove the encryption in the next step and deleting the encrypted key. So instead of

openssl genrsa -aes256 -passout pass:xxxx -out "${KEYNAME}.pass.key" 4096
openssl rsa -passin pass:xxxx -in ${KEYNAME}.pass.key -out ${KEYNAME}.key
rm ${KEYNAME}.pass.key

you could just use

openssl genrsa -out "${KEYNAME}.key" 4096

and you're done (please correct me, if I understood something completely wrong in usging openssl)

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
You can’t perform that action at this time.