@mtigas /01.md
Last active Mar 12, 2016

HTTPS / SSL certificate config stuff

Normal SSL cert

export DATE=`date +"%Y%m"`
export SITENAME="mike_tig_as"
export KEYNAME="$DATE-$SITENAME"

# Generate private key. The first command writes it encrypted with a throwaway
# passphrase, the second strips the passphrase so the server can load the key
# unattended. The resulting .key is the secret; keep it mode 600 and out of git.
openssl genrsa -aes256 -passout pass:x -out "${KEYNAME}.pass.key" 4096
openssl rsa -passin pass:x -in "${KEYNAME}.pass.key" -out "${KEYNAME}.key"
rm "${KEYNAME}.pass.key"

# Generate a CSR. -sha256 only sets the hash on the CSR's own signature; the CA
# picks the hash for the issued cert, which is why the reseller note below matters.
openssl req -new -sha256 -key "${KEYNAME}.key" -out "${KEYNAME}.csr"

# Send the CSR to the CA. For RapidSSL you might want to go directly to
# https://www.rapidssl.com/ and use their interface, since most resellers
# don't respect the SHA256 flag and will hand you a SHA-1 cert.
#
# Paste the issued cert into ${KEYNAME}.pem

### RAPIDSSL ###
# download the intermediate chain
#curl -Lo ${DATE}-intermediates.pem https://knowledge.rapidssl.com/library/VERISIGN/ALL_OTHER/RapidSSL%20Intermediate/RapidSSL_CA_bundle.pem
#cat ${KEYNAME}.pem ${DATE}-intermediates.pem > ${KEYNAME}.withintermediates.pem
###
### COMODO ###
# use the certs attached to your cert e-mail. Ignore "AddTrustExternalCARoot.crt":
# we don't send the root (it's already in the user's browser, and a root served by
# the site is ignored anyway). Order matters: your cert first, then the intermediate
# that signed it, then the one above that.
#cat COMODORSADomainValidationSecureServerCA.crt COMODORSAAddTrustCA.crt > ${DATE}-intermediates.pem
#cat ${KEYNAME}.pem ${DATE}-intermediates.pem > ${KEYNAME}.withintermediates.pem

And in your nginx server config, you'd use something like

server {
    # "ssl on;" is deprecated; TLS is enabled on the listen line instead
    listen       443 ssl;
    server_name  www.example.com;

    # leaf cert followed by the intermediates (the .withintermediates.pem built above);
    # the key file must be readable by the nginx user only
    ssl_certificate      /path/to/ssl/201410-www_example_com.withintermediates.pem;
    ssl_certificate_key  /path/to/ssl/201410-www_example_com.key;
    # TLSv1 and TLSv1.1 are deprecated (RFC 8996). TLSv1.3 needs nginx 1.13+ built
    # against OpenSSL 1.1.1+; drop it from the list on older builds.
    ssl_protocols TLSv1.2 TLSv1.3;
    ssl_session_cache shared:ssl_www_example_com:5m;
    ssl_session_timeout  5m;
    # forward-secret AEAD suites first; the 3DES (DES-CBC3) suites that used to end
    # this list are gone, since 64-bit block ciphers are broken (SWEET32)
    ssl_ciphers ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES256-SHA256:DHE-RSA-AES256-SHA:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:AES256-GCM-SHA384:AES256-SHA256:AES256-SHA:AES128-GCM-SHA256:AES128-SHA256:AES128-SHA;
    #...
    location / {
        #...
    }
    #...
}

CloudFront

Same as Normal, but with 2048 instead of 4096 in the very first key generation step: CloudFront does not accept RSA keys larger than 2048 bits.

The --certificate-chain should be intermediate certs ONLY. Not your cert and not the root cert. The --path must begin with /cloudfront/, otherwise the certificate is not offered in the CloudFront distribution settings.

Then, upload to AWS with:

aws iam upload-server-certificate \
  --server-certificate-name ${KEYNAME} \
  --certificate-body file://${PWD}/${KEYNAME}.pem \
  --private-key file://${PWD}/${KEYNAME}.key \
  --certificate-chain file://${PWD}/${DATE}-intermediates.pem \
  --path /cloudfront/${KEYNAME}/
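Both the nginx bundle above and CloudFront's --certificate-chain are easy to get subtly wrong: the leaf missing or doubled, the root included, a key that doesn't match the cert, a key too big for CloudFront. The script below is an added example of the checks I'd run before shipping either file; it is not part of the original gist. It builds its own throwaway root, intermediate and leaf (all names, the hostname www.example.test and the mktemp work dir are constructed for the demo) so it runs offline, and assumes an openssl 1.1.1-or-newer binary on PATH.

```shell
#!/bin/sh
# Added example, not part of the original gist: build a throwaway root -> intermediate
# -> leaf chain offline, then run the checks worth doing before you concatenate a
# "withintermediates" bundle for nginx or hand a --certificate-chain to CloudFront.
# Every file name and the hostname www.example.test are constructed for this demo.
set -eu
WORK="${WORK:-$(mktemp -d)}"

# Constructed fixture: root (self-signed), intermediate (signed by root), leaf (signed
# by intermediate). 2048-bit keys keep it quick; a real deployment uses the gist's steps.
make_fixture() {
  printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign,cRLSign\n' \
    > "$WORK/ca.ext"
  printf 'basicConstraints=critical,CA:FALSE\nsubjectAltName=DNS:www.example.test\n' \
    > "$WORK/leaf.ext"
  for name in root intermediate leaf; do
    openssl req -new -newkey rsa:2048 -nodes -sha256 -subj "/CN=Demo $name" \
      -keyout "$WORK/$name.key" -out "$WORK/$name.csr" 2>/dev/null
  done
  openssl x509 -req -sha256 -days 30 -set_serial 1 -in "$WORK/root.csr" \
    -signkey "$WORK/root.key" -extfile "$WORK/ca.ext" -out "$WORK/root.pem" 2>/dev/null
  openssl x509 -req -sha256 -days 30 -set_serial 2 -in "$WORK/intermediate.csr" \
    -CA "$WORK/root.pem" -CAkey "$WORK/root.key" -extfile "$WORK/ca.ext" \
    -out "$WORK/intermediate.pem" 2>/dev/null
  openssl x509 -req -sha256 -days 30 -set_serial 3 -in "$WORK/leaf.csr" \
    -CA "$WORK/intermediate.pem" -CAkey "$WORK/intermediate.key" -extfile "$WORK/leaf.ext" \
    -out "$WORK/leaf.pem" 2>/dev/null
  # the gist's ${DATE}-intermediates.pem, plus a wrong one that also drags in the root
  cat "$WORK/intermediate.pem" > "$WORK/intermediates.pem"
  cat "$WORK/intermediate.pem" "$WORK/root.pem" > "$WORK/bad-intermediates.pem"
}

# 1. Does the private key belong to the certificate? Same RSA modulus => same public key.
key_matches_cert() {  # key cert
  k=$(openssl rsa -noout -modulus -in "$1" | openssl sha256)
  c=$(openssl x509 -noout -modulus -in "$2" | openssl sha256)
  [ "$k" = "$c" ]
}

# 2. Key size in bits, for CloudFront's 2048-bit limit.
key_bits() {  # key
  openssl rsa -noout -text -in "$1" | sed -n 's/.*(\([0-9][0-9]*\) bit.*/\1/p' | head -n 1
}

# 3. Does the leaf chain up to the trusted root through exactly the intermediates
#    you plan to serve? (-untrusted is what a browser would get from the server.)
chain_verifies() {  # leaf intermediates root
  openssl verify -CAfile "$3" -untrusted "$2" "$1" >/dev/null 2>&1
}

# 4. Is the intermediates file really intermediates only: no leaf, no self-signed root?
#    CloudFront's --certificate-chain wants exactly that.
intermediates_only() {  # bundle leaf
  split=$(mktemp -d)
  awk -v d="$split" '/-----BEGIN CERTIFICATE-----/ { n++; f = d "/c" n ".pem" } n { print > f }' "$1"
  leaf_fp=$(openssl x509 -noout -fingerprint -sha256 -in "$2")
  rc=0
  for c in "$split"/c*.pem; do
    subj=$(openssl x509 -noout -subject -nameopt RFC2253 -in "$c" | sed 's/^subject=//')
    iss=$(openssl x509 -noout -issuer -nameopt RFC2253 -in "$c" | sed 's/^issuer=//')
    fp=$(openssl x509 -noout -fingerprint -sha256 -in "$c")
    if [ "$fp" = "$leaf_fp" ]; then echo "bundle contains the leaf itself: $subj" >&2; rc=1; fi
    if [ "$subj" = "$iss" ]; then echo "bundle contains a self-signed root: $subj" >&2; rc=1; fi
  done
  rm -rf "$split"
  return $rc
}

make_fixture
key_matches_cert "$WORK/leaf.key" "$WORK/leaf.pem" && echo "key and cert match"
echo "key size: $(key_bits "$WORK/leaf.key") bits"
chain_verifies "$WORK/leaf.pem" "$WORK/intermediates.pem" "$WORK/root.pem" && echo "chain verifies"
intermediates_only "$WORK/intermediates.pem" "$WORK/leaf.pem" && echo "intermediates.pem is intermediates only"
intermediates_only "$WORK/bad-intermediates.pem" "$WORK/leaf.pem" || echo "bad-intermediates.pem rejected, as expected"
# what nginx wants: leaf first, then the intermediates in signing order
cat "$WORK/leaf.pem" "$WORK/intermediates.pem" > "$WORK/leaf.withintermediates.pem"
```

Point the four functions at your real ${KEYNAME}.key, ${KEYNAME}.pem and ${DATE}-intermediates.pem (with the CA's root as the third argument to chain_verifies) before running cat or aws iam upload-server-certificate. Once nginx is reloaded, confirm the intermediates actually go out on the wire with openssl s_client -connect www.example.com:443 -servername www.example.com -showcerts; a chain that verifies locally but is missing from the server is the most common cause of "works in Chrome, fails on Android/curl".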

Self-Signed

Same as Normal, but you can use SHA-512 signatures too, since you probably don't care about older IE. And instead of sending the CSR to a CA, you sign it with your own key, so you actually generate the full cert. One caveat the commands below don't cover: current browsers match the hostname against the subjectAltName extension only and ignore the CN, so a CN-only self-signed cert is rejected by Chrome and Firefox even after you've trusted it. With OpenSSL 1.1.1 or later, add -addext "subjectAltName=DNS:www.example.com" to the openssl req call to include one.

export DATE=`date +"%Y%m"`
export SITENAME="mike_tig_as"
export KEYNAME="$DATE-$SITENAME"

# Generate private key; the throwaway passphrase is stripped again in the second step
openssl genrsa -aes256 -passout pass:x -out "${KEYNAME}.pass.key" 4096
openssl rsa -passin pass:x -in "${KEYNAME}.pass.key" -out "${KEYNAME}.key"
rm "${KEYNAME}.pass.key"

# Generate a CSR (prompts for the subject; put the hostname in "Common Name")
openssl req -new -sha512 -key "${KEYNAME}.key" -out "${KEYNAME}.csr"

# Self-sign the CSR with the same key, valid for one year
openssl x509 -req -sha512 -days 365 -in "${KEYNAME}.csr" -signkey "${KEYNAME}.key" -out "${KEYNAME}.pem"

#!/bin/bash
set -e
################
# generates a self-signed SSL certificate.
# because I always forget how to do this.
################
shopt -s expand_aliases
# If you want to use a different openssl than system. (i.e. using
# Mac OS X Homebrew for a 1.0.1 version rather than system-supplied
# 0.9.8)
#alias openssl="/usr/local/Cellar/openssl/1.0.1e/bin/openssl"
echo "Using"
openssl version
echo
################
echo "Enter a server name or some other nickname to name the key file."
echo "i.e., entering 'www.example.local' will create 'www.example.local.key',"
echo "'www.example.local.csr', and 'www.example.local.crt'."
read -r SERVERNAME
echo
echo "Enter a size for the RSA key. Recommended values are 2048 and 4096."
echo "Support for values above 4096 is extremely rare as of August 2013. (Only"
echo "Firefox support is confirmed.)"
read -r KEYSIZE
echo
echo
########################
# generate a RSA key
openssl genrsa -des3 -passout pass:x -out "${SERVERNAME}.pass.key" $KEYSIZE
# re-save the key with no password
openssl rsa -passin pass:x -in "${SERVERNAME}.pass.key" -out "${SERVERNAME}.key"
rm "${SERVERNAME}.pass.key"
# generate a signing request, signed with SHA-256 (older OpenSSL defaults to SHA-1,
# which browsers no longer accept in certificates)
# make sure you use proper "Country Name" (US or other ISO 3166-1
# two-letter code) and "Common Name" (domain name)
openssl req -new -sha256 -key "${SERVERNAME}.key" -out "${SERVERNAME}.csr"
# Verify that req has the right info
openssl req -noout -text -in "${SERVERNAME}.csr" | grep "Subject:"
### SELF-SIGNED: ###
openssl x509 -req -sha256 -days 365 -in "${SERVERNAME}.csr" -signkey "${SERVERNAME}.key" -out "${SERVERNAME}.crt"
### OR SEND CSR TO A SSL CERTIFICATE AUTHORITY ###
# (in that case keep the .csr and skip the self-signing above and the rm below)
# Verify that the cert is "OK". A self-signed cert is its own trust anchor, so it has
# to be passed as -CAfile as well; without that, verify reports
# "error 18 at 0 depth lookup:self signed certificate".
openssl verify -CAfile "${SERVERNAME}.crt" "${SERVERNAME}.crt"
# Verify that the modulus matches in all three cases: the three hashes must be
# identical, otherwise the key, CSR and cert don't belong together.
openssl x509 -noout -modulus -in "${SERVERNAME}.crt" | openssl sha256
openssl rsa  -noout -modulus -in "${SERVERNAME}.key" | openssl sha256
openssl req  -noout -modulus -in "${SERVERNAME}.csr" | openssl sha256
rm "${SERVERNAME}.csr"
echo
echo
echo "Key and certificate saved:"
echo "${SERVERNAME}.key"
echo "${SERVERNAME}.crt"
unset SERVERNAME
unset KEYSIZE
# the alias only exists if the Homebrew line above was uncommented
unalias openssl 2>/dev/null || true
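The self-signed recipe above and the script both produce a CN-only certificate, which current browsers refuse regardless of how it was trusted. Here is an added example, not part of the original gist or its script, of the way I'd generate a self-signed cert today: one openssl req -x509 call instead of genrsa/rsa/req/x509, the key left unencrypted with -nodes, a subjectAltName set with -addext, and then the two checks that matter (is the SAN there, and does the cert pass the hostname match a TLS client performs). The hostname example.test and the mktemp output directory are constructed for the demo; it assumes OpenSSL 1.1.1 or newer on PATH, since -addext and x509 -ext are not in older releases.

```shell
#!/bin/sh
# Added example, not part of the original gist or its script: a self-signed certificate
# generated in one openssl step with the subjectAltName that browsers require, plus
# the checks to run on the result. example.test and the output dir are constructed.
# Needs OpenSSL 1.1.1 or newer for -addext and x509 -ext.
set -eu
OUT="${OUT:-$(mktemp -d)}"

# Generate key + cert directly. -nodes leaves the key unencrypted, replacing the
# genrsa -aes256 / rsa -passin dance; -addext sets the SAN; -x509 self-signs.
gen_selfsigned() {  # hostname days
  openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days "$2" \
    -subj "/CN=$1" -addext "subjectAltName=DNS:$1,DNS:www.$1" \
    -keyout "$OUT/$1.key" -out "$OUT/$1.crt" 2>/dev/null
  chmod 600 "$OUT/$1.key"   # the unencrypted key is the secret; lock it down
}

# A CN-only cert of the kind the original recipe produces, for comparison.
gen_cn_only() {  # hostname days
  openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days "$2" -subj "/CN=$1" \
    -keyout "$OUT/$1.cnonly.key" -out "$OUT/$1.cnonly.crt" 2>/dev/null
}

# Does the certificate carry a subjectAltName entry for exactly this DNS name?
# x509 -ext prints "DNS:a, DNS:b"; tr turns that into one entry per line.
has_san() {  # cert dnsname
  openssl x509 -noout -ext subjectAltName -in "$1" 2>/dev/null \
    | tr ', ' '\n\n' | grep -qx "DNS:$2"
}

# Does the cert pass the hostname check a TLS client performs? A self-signed cert is
# its own trust anchor, hence it is also passed as -CAfile.
hostname_ok() {  # cert hostname
  openssl verify -CAfile "$1" -verify_hostname "$2" "$1" >/dev/null 2>&1
}

# Self-signed means subject == issuer and the cert verifies against itself.
is_self_signed() {  # cert
  s=$(openssl x509 -noout -subject -nameopt RFC2253 -in "$1" | sed 's/^subject=//')
  i=$(openssl x509 -noout -issuer -nameopt RFC2253 -in "$1" | sed 's/^issuer=//')
  [ "$s" = "$i" ] && openssl verify -CAfile "$1" "$1" >/dev/null 2>&1
}

gen_selfsigned example.test 365
gen_cn_only example.test 365
has_san "$OUT/example.test.crt" www.example.test && echo "SAN present"
has_san "$OUT/example.test.cnonly.crt" example.test || echo "CN-only cert has no SAN: browsers will reject it"
hostname_ok "$OUT/example.test.crt" www.example.test && echo "hostname check passes"
hostname_ok "$OUT/example.test.crt" mail.example.test || echo "wrong hostname rejected"
echo "key and certificate saved: $OUT/example.test.key $OUT/example.test.crt"
```

For a local dev box, add every name you will actually type into the SAN list (DNS:localhost, or IP:127.0.0.1 for an address) and trust the .crt in the OS or browser store; the hostname_ok check reproduces what the browser will decide without the round trip through a restart.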