
Intro to SSL

Really good guide:

https://jamielinux.com/docs/openssl-certificate-authority/index-full.html

Even better guide:

http://www.zytrax.com/tech/survival/ssl.html#single-cert

How To Install Self-Signed SSL Certificate On Nginx In CentOS 7

 

https://www.digitalocean.com/community/tutorials/openssl-essentials-working-with-ssl-certificates-private-keys-and-csrs

The following will create a file called myblog.key:

$ openssl genrsa -des3 -out /etc/nginx/ssl/myblog.key 2048

This key file is required to generate a csr file. Next we create the csr file:

$ openssl req -new -key /etc/nginx/ssl/myblog.key -out myblog.csr

http://operational.io/openssl-commonly-used-commands/

 

http://en.wikipedia.org/wiki/Alice_and_Bob

https://www.google.co.uk/search?q=alice+and+bob+ssl&ie=utf-8&oe=utf-8&gws_rd=cr&ei=i6xyVeKwB-aa7gaXs4PAAg

If you have a website, e.g. your own WordPress blog, and you want to set up SSL on it so that your URL starts with https://..., then you need to understand what SSL is and how it works.

There are 3 main types of files when it comes to learning about ssl:

  • .csr file
  • .pem file
  • .crt

You can use the openssl command to create a ".csr" file. When creating the csr file you will be prompted to provide your name, address, email address, etc., but most importantly your website's URL. The openssl command will then generate the ".csr" file. This file is essentially a "request for a certificate" file.

You can then send this .csr file to one of a list of trusted private corporate companies. This group of companies is often referred to as "Certificate Authorities", aka "CA". You can view a list of these private companies from inside Firefox:

CA-list

These companies have a file called a ".pem" file. This file is highly secret and is tightly guarded. No one outside the company is allowed to have access to it; otherwise, it is a major security breach that will make it onto the national news.

Now we submit our csr file to a CA (any CA listed above will do) and make a payment to them, which can range from a few pounds to millions of pounds, depending on the CA and the level of protection you want. The CA will then use your csr along with its internal pem file to generate a crt file. This "crt" file is then given back to you, and you place it on your website's server. You can refer to these as "server side crt files".

Your browser comes with an included list of crt files from the above CAs. These crt files reside internally in the browser. You can think of these crt files as "ca certs".

Now when your browser connects to your website using an "https" link, the server will initially forward the server-side-crt file to the browser (laptop). The laptop will then feed that file along with the corresponding ca-cert file into a special, highly complex algorithm. If the result is a green light then the connection is established.

On some websites, the server-side-crt file is not created by a CA that is listed in your browser's trusted CA list. In that case you will get the "confirm security exception" prompt.
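
The csr -> CA -> crt -> browser-check flow described above can be reproduced locally with openssl. This is an added example, not part of the original notes: the CA names, the site name and all file names are constructed, and ca.key stands in for the CA's secret file.

```sh
#!/bin/sh
# Added example. Every name here (Demo Root CA, myblog.example, file names)
# is constructed; the keys are unencrypted throwaway files for a temp dir only.

# Create a demo CA, a server key + CSR, a CA-signed cert, and an unrelated CA in $1.
make_demo_chain() {
    d="$1"
    # The CA's secret key plus its self-signed "ca cert" (what browsers ship).
    openssl req -x509 -newkey rsa:2048 -nodes -days 30 -subj "/CN=Demo Root CA" \
        -keyout "$d/ca.key" -out "$d/ca.crt" 2>/dev/null || return 1
    # The site owner's private key and the CSR that is sent to the CA.
    openssl req -new -newkey rsa:2048 -nodes -subj "/CN=myblog.example" \
        -keyout "$d/myblog.key" -out "$d/myblog.csr" 2>/dev/null || return 1
    # The CA signs the CSR with its secret key: the "server side crt file".
    openssl x509 -req -in "$d/myblog.csr" -days 30 -CA "$d/ca.crt" \
        -CAkey "$d/ca.key" -CAcreateserial -out "$d/myblog.crt" 2>/dev/null || return 1
    # A second CA that never signed anything for this site.
    openssl req -x509 -newkey rsa:2048 -nodes -days 30 -subj "/CN=Other Root CA" \
        -keyout "$d/other.key" -out "$d/other.crt" 2>/dev/null || return 1
}

# The browser-side check: does <server.crt> chain to the trusted <ca.crt>?
# Matches on the ": OK" line rather than relying on the exit status alone.
cert_trusted_by() {
    openssl verify -CAfile "$1" "$2" 2>/dev/null | grep -q ': OK$'
}

tmp=$(mktemp -d)
make_demo_chain "$tmp" || { echo "openssl failed" >&2; exit 1; }
if cert_trusted_by "$tmp/ca.crt" "$tmp/myblog.crt"; then
    echo "issuer is in the trust list: connection proceeds"
fi
if ! cert_trusted_by "$tmp/other.crt" "$tmp/myblog.crt"; then
    echo "issuer is not in the trust list: browser shows the security exception prompt"
fi
rm -rf "$tmp"
```

The second check fails for the same reason a self-signed certificate does: the signature on myblog.crt cannot be traced to any certificate in the trust list.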


https://www.digitalocean.com/community/tutorials/how-to-create-a-ssl-certificate-on-nginx-for-centos-6

http://www.cyberciti.biz/faq/linux-unix-nginx-redirect-all-http-to-https/
https://www.digitalocean.com/community/questions/how-do-i-rewrite-url-s-in-nginx-server-block (this one is better, I think.)

http://www.cyberciti.biz/faq/nginx-self-signed-certificate-tutorial-on-centos-redhat-linux/ (this might also be useful but never tried it)

https://www.digitalocean.com/community/tutorials/openssl-essentials-working-with-ssl-certificates-private-keys-and-csrs (this looks really useful)

Here are the 2 files you need to edit:

$ ls -l /etc/nginx/conf.d/ | grep -E 'default.conf$|ssl.conf$'
-rw-r--r-- 1 root root 1727 Jun  5 10:48 default.conf
-rw-r--r-- 1 root root  635 Jun  5 10:33 ssl.conf

 

Useful links:

http://prefetch.net/articles/checkcertificate.html  (this script is really useful to check if cert has expired)