@peteristhegreat
Created June 4, 2026 18:34
Certificates, SSL, TLS

Certificates

Verisign, Digicert, someone says that this site is legit. You get a little lock icon and now your bank or shopping cart interaction is more secure.

Installing Certificates

Self-signing vs. using a Certificate Authority with a root certificate and a chain...

If I say my computer is sending what it is sending and that it is legit, but you don't trust me, then who can you trust? Why not a big corporation? And you pay the corporation to say you are who you say you are, and you are done, right?

Well, if you haven't paid in a while, maybe you changed who you are or where you are or why you are doing business, so let's require a refresh every couple of years or months.

TTL, Time to Live, how long is the cert valid, expirations

So you set it up for a 5 year certificate, and a wildcard on subdomains, and you are all set, right? Nope, you have to do a back and forth with the Certificate Authority to let them stamp your fancy certificate, saying they say your certificate is legit.

In real life, this means running a script on the machine that is going to be hosting the website, and handing the signed cert file to the certificate authority (CA) via email or through their website or API for them to mark your certificate as valid with their stamp that only they can generate. Then when you get it back you install it on your server.

But wait, was that your server? How can they tell?

Domain Verification

Prove it was your server hosting example.com.

If you really are the admin for that page, just post a DNS entry on it or some random file no one will look for. Now the certificate authority can look for it and prove that you are the person holding the keys/access to edit files on the server.
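The "random file no one will look for" flavour of this is the ACME HTTP-01 challenge that Let's Encrypt and certbot use (RFC 8555). Below, as an added Go example and not code from the gist, are both sides of it: the site operator serving the one proof file, and the CA fetching and checking it. The token and account key bytes are constructed; the DNS flavour (DNS-01) works the same way with a TXT record in place of the file.

```go
package main

import (
	"crypto/sha256"
	"encoding/base64"
	"fmt"
	"io"
	"net/http"
)

// The "random file no one will look for" has a fixed home in ACME HTTP-01 (RFC 8555 section 8.3).
const challengePath = "/.well-known/acme-challenge/"

// keyAuthorization is what the file must contain: the CA's fresh random token, a dot,
// and the base64url SHA-256 thumbprint of the requester's ACME account key (its JWK).
// A leaked token alone proves nothing without the matching account key.
func keyAuthorization(token string, accountJWK []byte) string {
	thumb := sha256.Sum256(accountJWK)
	return token + "." + base64.RawURLEncoding.EncodeToString(thumb[:])
}

// siteHandler is the operator's move: serve that one file; everything else is a 404.
func siteHandler(token, keyAuth string) http.Handler {
	mux := http.NewServeMux()
	mux.HandleFunc(challengePath+token, func(w http.ResponseWriter, _ *http.Request) {
		io.WriteString(w, keyAuth)
	})
	return mux
}

// validate is the CA's move: fetch the file over plain HTTP on port 80 and compare it
// with the key authorization the CA computed itself from the token and account key.
func validate(baseURL, token, expected string) error {
	resp, err := http.Get(baseURL + challengePath + token)
	if err != nil {
		return err
	}
	defer resp.Body.Close()
	body, _ := io.ReadAll(io.LimitReader(resp.Body, 4096))
	if resp.StatusCode != http.StatusOK || string(body) != expected {
		return fmt.Errorf("validation failed: HTTP %d, body %q", resp.StatusCode, body)
	}
	return nil
}
```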

Installed on your server

You configured Apache, or Nginx, or the Load Balancer or someone to show that you are who you said you are so that when you send data over the internet they can see a little icon proving that you are a taxable entity with a bank account behind you.

But wait, the TTL has expired, and you need to refresh it!?!

Doh!

Let's Encrypt, HTTPS Everywhere

Some guy named Edward Snowden revealed that the US government was watching everything, and anything that wasn't encrypted was getting scraped and logged, etc.

Not too long afterwards, people pushed for more sites to be encrypted, and Let's Encrypt came out of a foundation somewhere.

https://en.wikipedia.org/wiki/Let%27s_Encrypt

Now instead of paying for a certificate, you just have to set up a script to interact with Let's Encrypt. If you can figure out certbot you are all set.

Vercel, Netlify, Heroku, AzureApps, and other Framework Businesses

Hosting a React-based app has gotten pretty easy, and companies like Vercel make the experience so easy and simple, and the cert is built into the hosting. You give them your GitHub repo and they just do the rest. It's kind of magical.

A number of other one click deployments from the last couple of years have done this, too.

AWS Load Balancer

This one can do so much and works well with Route 53 and the rest of the AWS ecosystem, but last I checked it came out to be about $15 per month to run it with the baked-in certificate. Ooof.

RPi + Docker + Nginx + Let's Encrypt

Turn on a webserver in your basement, port forward through your router, fix the dynamic IP address forwarding issue with the DNS name you purchased, and now, if you get certbot running correctly, you can have HTTPS forever on your toy system at home! Not for the faint of heart, but it can be pretty neat when it all comes together. Kind of like a micro homelab.

https://github.com/peteristhegreat/flask-docker-nginx-certbot

Self-signed Certificates with Warnings, MITM attacks

Just host a self-signed cert and don't worry about it. What's the worst that could happen? Well, maybe if your site got popular, someone could impersonate your traffic or your responses, or modify what you are sending in flight.

PQ, Post-Quantum Computing resilient certificates

This is pretty new in the last few months. Let's Encrypt did a blog post about it.

Login API, Payment API

If you don't have https... these guys will complain all day long. Get https so they work.

DLLs, EXEs, MSIs

What about a program I downloaded from the internet? Is it legit? If it was a virus is there a company behind it I can sue?

Very similar in nature to TLS/SSL certificates, the same idea can be extended to any sort of exe downloaded for Windows or Mac or any app on the app store for your mobile platform.

Pay a company to verify that your self-signed certificate matches up to your company's billing address. Now you can publish without getting the SmartScreen warnings as frequently.
