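export DATE="$(date +"%Y%m")"
export SITENAME="mike_tig_as"
export KEYNAME="$DATE-$SITENAME"
# Generate the private key, unencrypted, in one step.
# The old three-step dance (genrsa -aes256 with a throw-away password, then
# `openssl rsa` to strip the passphrase, then rm the encrypted copy) buys
# nothing, and it leaves the passphrase in shell history and in `ps` output
# via -passout/-passin. The subshell keeps the umask change local: with 077
# the key file is created 0600 instead of whatever the session umask allows.
# change 4096 to 2048 if you want compatibility with CDNs / aws cloudfront / load balancers, etc
(umask 077 && openssl genrsa -out "${KEYNAME}.key" 4096)
# alternatively, you can make an ecc key by doing:
#(umask 077 && openssl ecparam -genkey -name prime256v1 -noout | openssl ec -out "${KEYNAME}.key")
# prime256v1 is OpenSSL's name for secp256r1 / NIST P-256; not every OpenSSL
# version accepts the "secp256r1" spelling. An EC key only works with the
# ECDHE-ECDSA-* cipher suites, so keep those in the server's cipher list.
#
# for other curve types:
# openssl ecparam -list_curves
# https://en.wikipedia.org/wiki/Comparison_of_TLS_implementations#Supported_elliptic_curves
# Generate a CSR. Without -subj this prompts for the subject fields
# interactively; the CN must be the hostname you serve (CAs normally copy it
# into the subjectAltName, which is what current browsers actually match on).
openssl req -new -sha256 -key "${KEYNAME}.key" -out "${KEYNAME}.csr"
# Send the CSR (never the .key) to the CA. For rapidssl you might want to go
# directly to https://www.rapidssl.com/ and use their interface, since most
# resellers don't respect the SHA256 flag.
#
# paste the issued cert into ${KEYNAME}.pem
# The vendor names, URLs and file names below date from when this was written;
# use whatever intermediate bundle your CA currently publishes, and check the
# result before deploying it:
#   openssl x509 -noout -subject -issuer -in "${KEYNAME}.pem"
#   openssl verify -untrusted "${DATE}-intermediates.pem" "${KEYNAME}.pem"
### RAPIDSSL ###
# download intermediate chain
#curl -Lo "${DATE}-intermediates.pem" https://knowledge.rapidssl.com/library/VERISIGN/ALL_OTHER/RapidSSL%20Intermediate/RapidSSL_CA_bundle.pem
# leaf first, then the intermediates: that is the order nginx expects
#cat "${KEYNAME}.pem" "${DATE}-intermediates.pem" > "${KEYNAME}.withintermediates.pem"
###
# GeoTrust
# download the certs given to you in your cert e-mail. ignore "AddTrustExternalCARoot.crt"
# since we don't need to send the root (they're included in a user's browser).
# (the file names below are the ones a Comodo-issued cert ships with; use the
# names from your own e-mail)
#cat COMODORSADomainValidationSecureServerCA.crt COMODORSAAddTrustCA.crt > "${DATE}-intermediates.pem"
#cat "${KEYNAME}.pem" "${DATE}-intermediates.pem" > "${KEYNAME}.withintermediates.pem"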
And in your nginx server config, you'd use something like
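server {
  # "ssl" on the listen line replaces the "ssl on;" directive, which nginx deprecated in 1.15.0
  listen 443 ssl;
  server_name www.example.com;
  # leaf cert followed by the intermediates only - never the root
  ssl_certificate /path/to/ssl/201410-www_example_com.withintermediates.pem;
  # keep this file 0600, readable only by the user nginx starts as
  ssl_certificate_key /path/to/ssl/201410-www_example_com.key;
  # TLS 1.0 and 1.1 are deprecated (RFC 8996). Drop the TLSv1.3 token if the
  # nginx/OpenSSL build is too old to know it (nginx < 1.13 / OpenSSL < 1.1.1),
  # otherwise nginx refuses to start.
  ssl_protocols TLSv1.2 TLSv1.3;
  ssl_prefer_server_ciphers on;
  ssl_session_cache shared:ssl_www_example_com:5m;
  ssl_session_timeout 5m;
  # Forward-secret suites only, AEAD (GCM) first. The static-RSA suites
  # (AES*-SHA*, no forward secrecy) and the 3DES suites (DES-CBC3-SHA, SWEET32)
  # from the original list are gone; the CBC suites stay only for clients
  # without GCM support.
  ssl_ciphers ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES256-SHA256:DHE-RSA-AES256-SHA:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA;
  # The DHE-* suites need explicit parameters (>= 2048-bit), e.g.
  #   ssl_dhparam /path/to/dhparam.pem;
  # Older nginx falls back to a weak built-in group without it; nginx >= 1.11
  # simply never negotiates DHE. Either set it or drop the DHE suites.
  # Once everything is served over HTTPS, consider
  #   add_header Strict-Transport-Security "max-age=31536000" always;
  #...
  location / {
    #...
  }
  #...
}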
Same as Normal, but with 2048 instead of 4096 in the very first key-generation step (CloudFront did not accept larger RSA keys when this was written; check the current AWS limits). The `--certificate-chain` file should contain the intermediate certs ONLY — not your own cert and not the root cert.
Then, upload to AWS with:
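# Upload to IAM as a server certificate. Be aware this hands the private key to
# AWS. The /cloudfront/ prefix in --path is what makes the certificate show up
# in the CloudFront console; the name must be unique within the account.
# (For new deployments ACM is the usual place for CloudFront certificates; IAM
# server certificates remain for the cases ACM does not cover.)
aws iam upload-server-certificate \
  --server-certificate-name "${KEYNAME}" \
  --certificate-body "file://${PWD}/${KEYNAME}.pem" \
  --private-key "file://${PWD}/${KEYNAME}.key" \
  --certificate-chain "file://${PWD}/${DATE}-intermediates.pem" \
  --path "/cloudfront/${KEYNAME}/"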
Same as Normal, but you can use SHA-512 signatures too, since you probably don't care about IE. And instead of a CSR to send to a CA, you actually generate the full (self-signed) certificate.
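export DATE="$(date +"%Y%m")"
export SITENAME="mike_tig_as"
export KEYNAME="$DATE-$SITENAME"
# Generate the private key, unencrypted, in one step. Encrypting it with a
# throw-away password (which lands in shell history and `ps` output via
# -passout/-passin) only to decrypt it on the next line buys nothing.
# The subshell keeps the umask change local, so the key is created 0600.
(umask 077 && openssl genrsa -out "${KEYNAME}.key" 4096)
# Generate a CSR (prompts for the subject fields unless you pass -subj)
openssl req -new -sha512 -key "${KEYNAME}.key" -out "${KEYNAME}.csr"
# Self-sign it for one year. Chrome 58+ and many other current clients ignore
# the CN and require a subjectAltName, so a cert made this way will be
# rejected by them unless you add one, e.g.
#   -extfile <(printf 'subjectAltName=DNS:www.example.com')
openssl x509 -req -sha512 -days 365 -in "${KEYNAME}.csr" -signkey "${KEYNAME}.key" -out "${KEYNAME}.pem"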
As in your other gist, there's no use in first creating an encrypted key (here: using `-aes256` or `-des3`) just to remove the encryption in the next step and delete the encrypted key. So instead of the three `openssl genrsa -aes256 ...` / `openssl rsa ...` / `rm ...` steps you could just use `openssl genrsa -out ${KEYNAME}.key 4096` and you're done (please correct me if I understood something completely wrong in using openssl).