Mastering TLS Certificates: A Comprehensive Practical Guide
Written on
Chapter 1: Understanding TLS Certificates
Transport Layer Security (TLS) is a protocol designed to encrypt data transmitted between machines. It has replaced the older Secure Sockets Layer (SSL) protocol and is the standard encryption method employed by contemporary web browsers. In the initial phase, the client checks the server's TLS certificate through the issuing Certificate Authority (CA). This is followed by a handshake process where the client and server validate the asymmetric key pair (public/private keys) before exchanging symmetric session keys for ongoing encryption and decryption throughout their session.
When you embark on the practical aspects of TLS certificates, it can be daunting to determine the starting point and understand how everything interconnects. This guide will walk you through each essential step from initiation to completion regarding how to request and install TLS certificates, presented in the most straightforward manner possible.
To begin with, ensure you have OpenSSL installed.
Section 1.1: Generate CSR and Private Key
A Certificate Signing Request (CSR) is a block of encoded text submitted to a Certificate Authority when applying for a TLS Certificate. Typically generated on the server where the certificate will be installed, it includes details such as the organization name, common name (domain name), locality, and country, along with the public key for inclusion in the certificate. The private key is created simultaneously with the CSR and serves as a key pair alongside the public key.
This process should always be executed, even if there are no alterations to the CSR file (to maintain the same certificate). This is essential as generating a new private key is a good security measure—similar to users regularly changing their passwords.
Subsection 1.1.1: Create a CSR Configuration File
Config files simplify the regeneration of CSR files whenever necessary. Below is an example of what such a config file might resemble (filename example: myapp.mydomain.com.cnf):
[ req ]
default_bits = 2048
distinguished_name = req_distinguished_name
req_extensions = req_ext
prompt = no
[ req_distinguished_name ]
countryName = NO
stateOrProvinceName = Oslo
localityName = Oslo
organizationName = My Company
organizationalUnitName = Some Unit
commonName = myapp.mydomain.com
[ req_ext ]
subjectAltName = @alt_names
[alt_names]
DNS.1 = myapp.mydomain.com
DNS.2 = myapp-dev.mydomain.com
DNS.3 = myapp-test.mydomain.com
Section 1.2: Setting Up Your Workspace
Open a terminal window and navigate to the directory where you intend to generate the private key and CSR file. This will typically be within a folder of your version control repository designated for certificate-related files.
Section 1.3: Creating a Strong Password for the Private Key
It's crucial to create a robust password for the private key, ideally at least 15 characters long, comprising a mix of lowercase and uppercase letters, numbers, and special characters.
Section 1.4: Generate CSR and Private Key from the Config File
Use the following command to execute the generation:
openssl req -new -newkey rsa:2048 -out myapp.domain.com.csr -keyout myapp.domain.com_encrypted.key -config myapp.domain.com.cnf
The generated private key should not be pushed to version control and should be excluded from the repository (e.g., via gitignore). Store the private key separately from the certificate in a secure location.
Tip: If you encounter a non-encrypted private key, you can encrypt it using this command (you will be prompted to set a password):
openssl rsa -des3 -in myapp.domain.com.key -out myapp.domain.com_encrypted.key
Section 1.5: Verify the Password for the Private Key
To ensure the password you set for the private key is correct, decrypt it using:
openssl rsa -in myapp.domain.com_encrypted.key -out myapp.domain.com.key
Once confirmed, delete the decrypted key file from your machine.
Section 1.6: Viewing CSR as Plain Text
To inspect the CSR in plaintext format, decode it with:
openssl req -in myapp.domain.com.csr -noout -text
Video Resource:
Here’s a helpful video that guides you through the setup of a Homelab Certificate Authority, which can help you eliminate TLS warnings.
Section 1.7: Submitting the CSR to a Certificate Authority
Provide the CSR file to a Certificate Authority to generate and issue your certificate.
Chapter 2: Managing and Renewing Certificates
A Certificate Authority may provide your certificate in various formats. Commonly, they send it as a composite certificate, combining the Server, Intermediate, and Root certificates, or as separate files.
For ease of use, many prefer a single .crt file. To create this, compile the certificates into a new .crt file in the following order: Server, Intermediate, Root.
To verify the contents of the .crt file, execute:
openssl x509 -in myapp.domain.com.crt -text -noout
Review the contents, including the common name and SANs, to ensure they correspond with your CSR file.
Before deployment, decrypt your encrypted private key (see section 1.5).
To check if the certificate aligns with the private key, execute:
openssl x509 -noout -modulus -in myapp.mydomain.com.crt | openssl md5
openssl rsa -noout -modulus -in myapp.mydomain.com.key | openssl md5
If the output for each command begins with “(stdin)=” and the hash values match, your private key is valid for the certificate.
If your server supports deploying both the certificate and the private key in a single bundle, consider using the .pfx format, which combines both into one file. Use the following command:
openssl pkcs12 -export -in myapp.mydomain.com.crt -inkey myapp.mydomain.com.key -out myapp.mydomain.com.pfx
Otherwise, your server will likely require the .crt and .key files to be stored separately in designated locations.
Section 2.1: Deploying the Certificate and Private Key
Follow your server's documentation to deploy the certificate and private key. After deployment, you can verify the certificate with:
openssl s_client -connect <your_server_ip>:443 -showcerts
You can also check your certificate using Entrust SSL Labs.
Video Resource:
For further insights, check out this hands-on video that details securing AWS Load Balancers with SSL/TLS.