summaryrefslogtreecommitdiffstats
path: root/software
diff options
context:
space:
mode:
authorbryan newbold <bnewbold@twinleaf.com>2014-06-20 00:44:17 -0400
committerbryan newbold <bnewbold@twinleaf.com>2014-06-20 00:44:17 -0400
commitaa6e3019c19728fc41cf3b27729ce0d91dde94bb (patch)
treeee23abbf7378984f1de77d3b35adf4459a83f33c /software
parente9dbac33e457ad6ead3fc5f9a4e97dac38ddc96b (diff)
parenta78f7f6752f75659d4e3ff3657eb2f4db08c9ecc (diff)
downloadknowledge-aa6e3019c19728fc41cf3b27729ce0d91dde94bb.tar.gz
knowledge-aa6e3019c19728fc41cf3b27729ce0d91dde94bb.zip
Merge branch 'master' of adelie:/srv/git/knowledge
Diffstat (limited to 'software')
-rw-r--r--software/ssl.page112
1 files changed, 112 insertions, 0 deletions
diff --git a/software/ssl.page b/software/ssl.page
new file mode 100644
index 0000000..fc8d0cb
--- /dev/null
+++ b/software/ssl.page
@@ -0,0 +1,112 @@
+
+SSL Notes
+=============
+
+You can generate stong random strings with, eg: openssl rand -base64 24
+
+Warning: as context, you generally need to go through an identity verification
+procedure before being issued SSL certificates other than the most trivial
+single-virtual-host kind. This process can take weeks, so start early!
+
+Warning: the whole crypto thing is obviously pedantic and way more of a pain in
+the ass than needs to be.
+
+Note: read this entire file before starting. In particular see the listing of
+host names towards the bottom, which should be kept up to date.
+
+### HOWTO: Get a new certificate and have it signed by StartSSL
+
+Following the union of directions (dated Nov 16, 2009) at both:
+https://library.linode.com/security/ssl-certificates/subject-alternate-names
+https://library.linode.com/security/ssl-certificates/commercial
+
+Run this (mostly) on the remote machine.
+
+NB: it may or may not be necessary to do much of this because StartSSL will
+re-generate most fields? Ugh.
+
+NB: if you are replacing an existing cert you need to revoke the old one first.
+This costs $25. "deal with it".
+
+Create, eg, /etc/ssl/localcerts/server_20140429.cnf, copying from
+/usr/lib/ssl/openssl.cnf. In that file, set the following at the top:
+
+ SAN="email:webmaster@example.com"
+
+and after the '[ v3_ca ]' line add:
+
+ subjectAltName=${ENV::SAN}
+
+On the command line (edit these for the specific cert):
+
+ export SAN="DNS:example.com, DNS:www.example.com, DNS:mail.example.com, DNS:static.example.com, DNS:git.example.com, DNS:docs.example.com"
+ openssl req -new -newkey rsa:4096 -sha256 -days 729 -nodes -config /etc/ssl/localcerts/server_20140429.cnf -keyout /etc/ssl/localcerts/server_20140429.key -out /etc/ssl/localcerts/server_20140429.csr
+
+fill in options *exactly* like on your startcom profile:
+
+ Country: US
+ State: Massachusetts
+ Locality: Cambridge
+ Organization Name: <your name>
+ Organization Unit: <blank>
+ Common Name: <FQDN, eg server.example.com>
+ Email: webmaster@example.com
+ Challenge password: <random string that you write down>
+ Company name: <blank>
+
+When done, remove most permissions on all the resulting files:
+
+ chmod 400 *
+
+Ok, now snarf down the resulting .csr to your local machine (it's short, just
+'cat' it).
+
+On the StartSSL website, figure out how to use the toolbox and validations and
+all that jazz (come back in an hour), then once all that is configured start a
+certificate generation process. You get, eg, "example.com" automatically, even
+though this isn't indicated anywhere. The user inteface sucks, "deal with it".
+Save the resulting .crt to, eg, /etc/ssl/localcerts/server_20140429.crt. chmod
+it 400, root:root.
+
+We need to create a "combined" certificate. Fetch the startssl intermediate and
+CA certs (WARNING: over https!), and combine a la:
+
+ wget https://startssl.com/certs/sub.class2.server.ca.pem
+ wget https://www.startssl.com/certs/ca.pem
+ mv ca.pem startssl_ca.pem
+ cat server_20140429.crt >> server_20140429.combined.crt
+ cat sub.class2.server.ca.pem >> server_20140429.combined.crt
+ cat startssl_ca.pem >> server_20140429.combined.crt
+
+Now copy the .key to /etc/ssl/private, give it group "ssl-cert", and give it
+chmod 440. Put the .combined.crt and .crt (for, eg, postfix) in /etc/ssl/certs
+and chmod it 444 (no group change).
+
+Now edit nginx, prosody, postfix, dovecot, etc config and reboot and check logs
+and test everything to use the new keys. Whew!
+
+Before you celebrate, add a calendar entry for N days before the expiration of
+the certificates you just created, so you have plenty of time to replace them
+before they expire.
+
+### example infrastructure needs
+
+server:
+ example.com
+ www.example.com
+ mail.example.com
+ static.example.com
+ git.example.com
+ docs.example.com
+
+### References
+
+https://library.linode.com/security/ssl-certificates
+https://www.ssllabs.com/ssltest/
+https://www.ssllabs.com/projects/best-practices/
+
+### StartCom Alternatives
+
+gandi.net: used by debian.org
+ https://www.gandi.net/ssl/grid
+ http://wiki.gandi.net/en/ssl/regenerate