Generate a CSR from an existing private key (the second command further down generates key and CSR in one step):
$ openssl req -new -key example.com.key > example.com.csr
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [AU]:FR
State or Province Name (full name) [Some-State]:France
Locality Name (eg, city) []:Paris
Organization Name (eg, company) [Internet Widgits Pty Ltd]:example
Organizational Unit Name (eg, section) []:
Common Name (e.g. server FQDN or YOUR name) []:*.example.com
Email Address []:[email protected]
Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:
An optional company name []:
$ openssl req -nodes -newkey rsa:2048 -sha256 -keyout example.com.key -out example.com.csr
Generating a 2048 bit RSA private key
.......................................................................................................................................................+++
..........................................................+++
writing new private key to 'myserver.key'
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [AU]:FR
State or Province Name (full name) [Some-State]:France
Locality Name (eg, city) []:Paris
Organization Name (eg, company) [Internet Widgits Pty Ltd]:example
Organizational Unit Name (eg, section) []:
Common Name (e.g. server FQDN or YOUR name) []:*.example.com
Email Address []:[email protected]
Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:
An optional company name []:
Provide your CSR to Gandi.net
You now have 4 files:
example.com.key
example.com.csr
example.com.crt #primary certificate
GandiStandardSSLCA2.pem #intermediate certificate
To get an A+ rating on https://www.ssllabs.com/ssltest, serve the full chain (primary certificate first, then the intermediate), generate strong DH parameters, and add the settings below to nginx.conf:
mv example.com.crt example.com.crt.original
cat example.com.crt.original GandiStandardSSLCA2.pem > example.com.crt # leaf first, then intermediate
openssl dhparam -out dhparam.pem 4096
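The bundling step is easy to get wrong (appending the intermediate to a file that was just moved away leaves a bundle with no leaf certificate in it), so here is an added example, not part of the original notes, of a small POSIX shell helper that builds the bundle leaf-first and checks the result before it goes into ssl_certificate. File names are those of the notes; the function names and the order checks are this example's own.

```shell
#!/bin/sh
# Added example (not from the original notes): assemble the chain bundle that
# nginx's ssl_certificate expects: the server (leaf) certificate first, the
# intermediate after it. Function names are this example's own.

# build_chain LEAF INTERMEDIATE OUT
# Writes OUT as LEAF followed by INTERMEDIATE, refusing missing or non-PEM input.
build_chain() {
    leaf=$1; inter=$2; out=$3
    for f in "$leaf" "$inter"; do
        [ -s "$f" ] || { echo "build_chain: missing or empty file: $f" >&2; return 1; }
        grep -q -- '-----BEGIN CERTIFICATE-----' "$f" || {
            echo "build_chain: not a PEM certificate: $f" >&2; return 1; }
    done
    # '>' rather than '>>': always rebuild the bundle from scratch, so a leftover
    # bundle from an earlier run cannot end up with certificates in the wrong order
    cat "$leaf" "$inter" > "$out"
}

# pem_block_count FILE: number of certificates in a PEM bundle
pem_block_count() {
    grep -c -- '-----BEGIN CERTIFICATE-----' "$1"
}

# first_block_matches BUNDLE LEAF
# Succeeds only if the first certificate in BUNDLE is exactly the contents of
# LEAF, which is the certificate a TLS client must receive first.
first_block_matches() {
    first=$(sed -n '1,/-----END CERTIFICATE-----/p' "$1")
    [ "$first" = "$(cat "$2")" ]
}

# Usage: sh build_chain.sh example.com.crt.original GandiStandardSSLCA2.pem example.com.crt
if [ $# -eq 3 ]; then
    build_chain "$1" "$2" "$3" || exit 1
    first_block_matches "$3" "$1" || { echo "leaf is not first in $3" >&2; exit 1; }
    echo "$(pem_block_count "$3") certificates written to $3, leaf first"
fi
```

Run it with the three file names from the notes; it exits non-zero if either input is missing or is not PEM, and prints the certificate count only after confirming the leaf comes first.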
# Nginx.conf
ssl_prefer_server_ciphers on; #Grade A
ssl_ciphers 'EECDH+AESGCM:EDH+AESGCM:AES256+EECDH:AES256+EDH'; #Grade A
ssl_session_cache shared:SSL:10m; #Grade A
ssl_dhparam /etc/ssl/gandi/dhparam.pem; #Grade A
add_header Strict-Transport-Security "max-age=31536000; includeSubdomains"; #Grade A
ssl_certificate /etc/ssl/gandi/example.com.crt;
ssl_certificate_key /etc/ssl/gandi/example.com.key;
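The Strict-Transport-Security line is what the A+ grade depends on, and SSL Labs only credits it when max-age is long enough. As an added example (not from the original notes), this POSIX shell function checks a header value the way a reviewer would: it parses the directives case-insensitively, requires a max-age of at least one year (the 31536000 the config sets) and flags a missing includeSubDomains. The threshold constant HSTS_MIN_AGE and the function name are this example's own.

```shell
#!/bin/sh
# Added example (not from the original notes): validate a
# Strict-Transport-Security header value against the policy used in the
# nginx config above. HSTS_MIN_AGE and the function name are this example's own.

HSTS_MIN_AGE=31536000   # one year in seconds, the max-age the config sets

# hsts_check VALUE
# Prints one line per finding; returns 0 when VALUE meets the policy.
hsts_check() {
    # directive names are case-insensitive (RFC 6797) and max-age may carry a
    # quoted value such as max-age="31536000", so lower-case and strip quotes
    value=$(printf '%s' "$1" | tr 'A-Z' 'a-z' | tr -d ' "')
    max_age=''
    subdomains=no
    ok=0

    # split on ';' only; disable globbing while $value is expanded unquoted
    old_ifs=$IFS; IFS=';'; set -f
    for d in $value; do
        case $d in
            max-age=*)         max_age=${d#max-age=} ;;
            includesubdomains) subdomains=yes ;;
            preload|'')        ;;
            *) echo "note: unknown directive '$d' (browsers ignore it)" ;;
        esac
    done
    set +f; IFS=$old_ifs

    case $max_age in
        '')       echo "max-age missing: not a valid HSTS header, browsers ignore it"; return 1 ;;
        *[!0-9]*) echo "max-age is not a number: '$max_age'"; return 1 ;;
    esac
    if [ "$max_age" -lt "$HSTS_MIN_AGE" ]; then
        echo "max-age $max_age is shorter than $HSTS_MIN_AGE (one year)"; ok=1
    fi
    if [ "$subdomains" = no ]; then
        echo "includeSubDomains missing: subdomains are not covered by the policy"; ok=1
    fi
    return $ok
}

# Usage: sh hsts_check.sh 'max-age=31536000; includeSubdomains'
if [ $# -eq 1 ]; then
    hsts_check "$1" && echo "OK: header meets the policy"
fi
```

A header without max-age is rejected outright because browsers discard such a policy entirely, which is a different failure from a max-age that is merely too short.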
Download the certificate a host is serving (replace <HOST>; the output is the leaf certificate in DER form):
openssl s_client -showcerts -connect <HOST>:443 < /dev/null | openssl x509 -outform DER > example.com.der