Nowadays it is standard to serve your website over HTTPS, which means you need an SSL/TLS certificate for the site. Here is the general procedure for applying for an SSL certificate and installing it.


Contents

  1. A. Apply for an SSL Certificate
    1. A.0 Prerequisites
    2. A.1 Generate the RSA key
    3. A.2 Create a CSR
    4. A.3 Verify your CSR
    5. A.4 Submit Your CSR
  2. B. Install your SSL Certificate
    1. B.1 Nginx
    2. B.2 Apache

A. Apply for an SSL Certificate

A.0 Prerequisites

First of all, you need openssl installed on your system. If it is missing, install it with your package manager (apt on Ubuntu/Debian, yum on CentOS/Fedora). Only the command-line tool is needed for the steps below; the development headers (libssl-dev on Debian/Ubuntu, openssl-devel on Fedora/CentOS) are only required if you build software against OpenSSL.

### ubuntu or debian
sudo apt install openssl libssl-dev
### fedora or centos
sudo yum install openssl openssl-devel

A.1 Generate the RSA key

mkdir tmp && cd tmp
# 4096-bit RSA key, encrypted at rest with AES-256 (the older -des3 option also
# works but relies on 3DES); you are prompted for the passphrase that protects it
openssl genrsa -aes256 -out domain.tld.key 4096

A.2 Create a CSR

openssl req -new -sha256 -key domain.tld.key -out domain.tld.csr

You need to provide the following information:

  • Common Name: www.domain.tld for a single host name, or *.domain.tld for a wildcard certificate. Browsers and CAs now validate the Subject Alternative Name (SAN) list rather than the CN; most CAs copy the CN into the SAN list for you, and if the certificate must cover several names (for example domain.tld as well as www.domain.tld) you list them as SANs.
  • Organization: for a domain-validated (DV) certificate this field is not checked and domain.tld is fine; for an OV or EV certificate it must be the exact legal name of your company or organization.
  • City or Locality: the city where you are located.
  • State or Province: the state or province you are in.
  • Country: the two-letter ISO 3166-1 code for your country.

Finally, before the CSR is written, you will be asked for a challenge password (and an optional company name); leave both blank by pressing Enter. The challenge password is generally ignored by public CAs and has nothing to do with the passphrase that protects your private key.

A.3 Verify your CSR

Before submitting your CSR to your certificate provider, inspect it so that any error (a typo in the Common Name, a missing name) is caught now rather than after the CA has issued the certificate:

openssl req -noout -text -in domain.tld.csr

Check the Subject line and, if present, the Requested Extensions section for the names you expect. Adding -verify (openssl req -noout -verify -in domain.tld.csr) also checks the CSR's self-signature, which confirms it was made with the private key you hold.

A.4 Submit Your CSR

If the CSR looks right, submit it to your certificate authority. For domain validation by e-mail the CA sends the approval mail to one of a fixed set of addresses at your domain, typically admin@domain.tld (webmaster@, hostmaster@, postmaster@ and administrator@ are the other common ones), so make sure you can read that mailbox before you submit; most CAs also offer validation by DNS record or by a file served over HTTP instead.
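The whole of section A as one non-interactive script, added here as an example; it is not code from the original post. It assumes OpenSSL 1.1.1 or newer (for -addext), the domain, subject fields and passphrase are placeholders to replace with your own, and the SAN extension is included because CAs and browsers validate names from the SAN list rather than the Common Name.

```sh
#!/bin/sh
# Added example (not from the original post): generate an encrypted RSA key,
# create the CSR non-interactively, verify it, and confirm that the CSR was
# made with the key you hold. Assumes OpenSSL 1.1.1+ (-addext); the domain,
# subject fields and passphrase are placeholders.
set -eu

# make_csr DIR DOMAIN PASSPHRASE [BITS]
# Writes DIR/DOMAIN.key (passphrase-protected) and DIR/DOMAIN.csr.
make_csr() {
    dir="$1"; domain="$2"; pass="$3"; bits="${4:-4096}"
    mkdir -p "$dir"
    # RSA key encrypted at rest with AES-256; -passout replaces the interactive prompt
    openssl genrsa -aes256 -passout "pass:$pass" -out "$dir/$domain.key" "$bits" 2>/dev/null
    chmod 600 "$dir/$domain.key"
    # -subj answers the prompts of step A.2; -addext adds the SAN list CAs actually validate
    openssl req -new -sha256 \
        -key "$dir/$domain.key" -passin "pass:$pass" \
        -subj "/C=US/ST=California/L=San Francisco/O=$domain/CN=www.$domain" \
        -addext "subjectAltName=DNS:www.$domain,DNS:$domain" \
        -out "$dir/$domain.csr"
}

# verify_csr CSR: step A.3 with -verify, which also checks the CSR's self-signature
verify_csr() {
    openssl req -noout -verify -in "$1" >/dev/null 2>&1
}

# csr_cn CSR: the Common Name the CA will see, for a last look before submitting
csr_cn() {
    openssl req -noout -subject -in "$1" | sed 's/.*CN *= *//'
}

# csr_has_san CSR NAME: succeeds if NAME (e.g. DNS:domain.tld) is in the requested SAN list
csr_has_san() {
    openssl req -noout -text -in "$1" | grep -qF "$2"
}

# csr_matches_key CSR KEY PASSPHRASE: succeeds only if the CSR's public key is
# the one derived from KEY; a wrong passphrase or a different key fails here
csr_matches_key() {
    csr_pub=$(openssl req -noout -pubkey -in "$1" 2>/dev/null) || return 1
    key_pub=$(openssl rsa -pubout -in "$2" -passin "pass:$3" 2>/dev/null) || return 1
    [ -n "$csr_pub" ] && [ "$csr_pub" = "$key_pub" ]
}

# Example run (placeholders): keep tmp/domain.tld.key, submit tmp/domain.tld.csr to the CA
if [ "${1:-}" = "run" ]; then
    make_csr tmp domain.tld 'change-me'
    verify_csr tmp/domain.tld.csr
    csr_matches_key tmp/domain.tld.csr tmp/domain.tld.key 'change-me'
    echo "CSR for $(csr_cn tmp/domain.tld.csr) is ready: tmp/domain.tld.csr"
fi
```

Run it as `sh make-csr.sh run`. The key-match check is the one worth keeping: if you ever regenerate the key or keep several keys around, it tells you immediately whether the CSR you are about to submit (and later the certificate the CA returns) belongs to the key on the server.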

B. Install your SSL Certificate

After you receive your SSL certificate, you can deploy it on your web server.

The private key generated above is protected by a passphrase, and a web server cannot type it in every time it starts or reloads, so you normally need a decrypted copy for the installation:

openssl rsa -in domain.tld.key -out domain.tld.decrypted.key

The following steps use this decrypted private key. It is the secret that lets anyone impersonate your site, so keep it out of reach of others: store it owned by root with mode 600 (chmod 600 domain.tld.decrypted.key), never place it in a web-accessible directory or a repository, and keep the encrypted original as your backup.
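The preparation step above as a script, added here as an example and not part of the original post: it writes the decrypted key with safe permissions from the start, proves the key belongs to the certificate you are about to install, and checks that a chain file starts with your own certificate. A self-signed certificate stands in for the CA-issued one so the script runs offline; domain.tld and the passphrase are placeholders.

```sh
#!/bin/sh
# Added example (not from the original post): prepare the decrypted private key
# for the web server and prove it belongs to the certificate before deploying.
# The self-signed certificate stands in for the CA-issued one so the script runs
# offline; domain.tld and the passphrase are placeholders.
set -eu

# strip_passphrase ENCRYPTED_KEY DECRYPTED_KEY PASSPHRASE
# Section B's openssl rsa, run with umask 077 so the plaintext key is created
# mode 0600 from the start instead of world-readable and tightened afterwards.
strip_passphrase() {
    ( rm -f "$2" && umask 077 && openssl rsa -in "$1" -passin "pass:$3" -out "$2" 2>/dev/null )
}

# key_matches_cert KEY CERT: succeeds only if the certificate carries KEY's public key
key_matches_cert() {
    key_pub=$(openssl pkey -pubout -in "$1" 2>/dev/null) || return 1
    cert_pub=$(openssl x509 -noout -pubkey -in "$2" 2>/dev/null) || return 1
    [ -n "$key_pub" ] && [ "$key_pub" = "$cert_pub" ]
}

# first_cert_cn CHAIN_FILE: CN of the first certificate in a PEM bundle.
# nginx's ssl_certificate file must begin with your own certificate, followed by
# the intermediates; openssl x509 reads only the first certificate, so this
# catches a chain pasted together in the wrong order.
first_cert_cn() {
    openssl x509 -noout -subject -in "$1" | sed 's/.*CN *= *//'
}

# cert_enddate CERT: expiry date, for a sanity check before (and a cron check after) deployment
cert_enddate() {
    openssl x509 -noout -enddate -in "$1" | sed 's/^notAfter=//'
}

# selfsigned_cert KEY PASSPHRASE DOMAIN OUT: stand-in for the certificate the CA returns
selfsigned_cert() {
    openssl req -x509 -new -sha256 -days 30 -key "$1" -passin "pass:$2" \
        -subj "/O=$3/CN=www.$3" -addext "subjectAltName=DNS:www.$3,DNS:$3" -out "$4" 2>/dev/null
}

# Example run (placeholders): expects domain.tld.key from section A and the
# certificate domain.tld.crt from the CA in the current directory
if [ "${1:-}" = "run" ]; then
    strip_passphrase domain.tld.key domain.tld.decrypted.key 'change-me'
    key_matches_cert domain.tld.decrypted.key domain.tld.crt
    echo "chain starts with $(first_cert_cn domain.tld.crt), expires $(cert_enddate domain.tld.crt)"
fi
```

The key/certificate comparison is the check to run on every deployment: a mismatch is the most common cause of nginx refusing to start with "key values mismatch" after a certificate renewal, and it is far cheaper to catch here than in a failed reload.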

B.1 Nginx

ssl config for nginx
server_tokens off;
## ssl config
# the ssl_certificate file must contain your certificate followed by the CA's
# intermediate certificate(s), in that order, or clients cannot build the chain
ssl_certificate /path/to/your/certificate;
ssl_certificate_key /path/to/your/certificate/key;

ssl_session_cache shared:SSL:10m;
ssl_session_timeout 10m;

# TLSv1.3 needs nginx 1.13.0+ built against OpenSSL 1.1.1+; drop it on older builds
ssl_protocols TLSv1.2 TLSv1.3;
ssl_prefer_server_ciphers on;

ssl_ciphers "EECDH+ECDSA+AESGCM:EECDH+aRSA+AESGCM:EECDH+ECDSA+SHA384:EECDH+ECDSA+SHA256:EECDH+aRSA+SHA384:EECDH:!RC4:!aNULL:!eNULL:!LOW:!3DES:!MD5:!EXP:!PSK:!SRP:!DSS:!DH:!EDH";

And add the following to your server block next to listen 80; (keep the port-80 listener if you redirect HTTP to HTTPS; the http2 parameter requires nginx 1.9.5 or later):

ssl config for server block
listen 443 ssl http2;
listen [::]:443 ssl http2;

B.2 Apache