
Mastering TLS Certificates: A Comprehensive Practical Guide


Chapter 1: Understanding TLS Certificates

Transport Layer Security (TLS) is a protocol designed to encrypt data transmitted between machines. It has replaced the older Secure Sockets Layer (SSL) protocol and is the standard encryption method employed by contemporary web browsers. During the handshake, the client first verifies that the server's TLS certificate chains to a Certificate Authority (CA) it trusts; the server then proves possession of the private key that matches the public key in that certificate, and only after that do the two sides agree on symmetric session keys that encrypt and decrypt the rest of the session.

When you embark on the practical aspects of TLS certificates, it can be daunting to determine the starting point and understand how everything interconnects. This guide will walk you through each essential step from initiation to completion regarding how to request and install TLS certificates, presented in the most straightforward manner possible.

To begin with, ensure you have OpenSSL installed.

Section 1.1: Generate CSR and Private Key

A Certificate Signing Request (CSR) is a block of encoded text submitted to a Certificate Authority when applying for a TLS Certificate. Typically generated on the server where the certificate will be installed, it includes details such as the organization name, common name (domain name), locality, and country, along with the public key to be embedded in the certificate. The private key is created at the same time as the CSR and, together with that public key, forms the key pair.

Repeat this step every time you request or renew a certificate, even when nothing in the CSR details has changed (i.e. you want the same certificate again). Generating a fresh private key on each renewal is a sound security measure, comparable to users changing their passwords regularly.

Subsection 1.1.1: Create a CSR Configuration File

A config file makes it easy to regenerate the CSR whenever necessary. Below is an example of such a config file (filename example: myapp.mydomain.com.cnf):

[ req ]
default_bits = 2048
distinguished_name = req_distinguished_name
req_extensions = req_ext
prompt = no

[ req_distinguished_name ]
countryName = NO
stateOrProvinceName = Oslo
localityName = Oslo
organizationName = My Company
organizationalUnitName = Some Unit
commonName = myapp.mydomain.com

[ req_ext ]
subjectAltName = @alt_names

[ alt_names ]
DNS.1 = myapp.mydomain.com
DNS.2 = myapp-dev.mydomain.com
DNS.3 = myapp-test.mydomain.com

Section 1.2: Setting Up Your Workspace

Open a terminal window and navigate to the directory where you intend to generate the private key and CSR file. This will typically be within a folder of your version control repository designated for certificate-related files.

Section 1.3: Creating a Strong Password for the Private Key

It's crucial to create a robust password for the private key, ideally at least 15 characters long, comprising a mix of lowercase and uppercase letters, numbers, and special characters.

Section 1.4: Generate CSR and Private Key from the Config File

Generate the private key and CSR with the following command (OpenSSL will prompt for the passphrase that protects the key):

openssl req -new -newkey rsa:2048 -out myapp.mydomain.com.csr -keyout myapp.mydomain.com_encrypted.key -config myapp.mydomain.com.cnf

The generated private key must never be pushed to version control; exclude it from the repository (e.g., via .gitignore). Store the private key separately from the certificate in a secure location.

Tip: If you end up with an unencrypted private key, you can encrypt it with this command (you will be prompted to set a passphrase):

openssl rsa -des3 -in myapp.mydomain.com.key -out myapp.mydomain.com_encrypted.key

Section 1.5: Verify the Password for the Private Key

To confirm that the passphrase you set for the private key is correct, decrypt it with:

openssl rsa -in myapp.mydomain.com_encrypted.key -out myapp.mydomain.com.key

Once confirmed, delete the decrypted key file from your machine.

Section 1.6: Viewing CSR as Plain Text

To inspect the CSR in plaintext form, decode it with:

openssl req -in myapp.mydomain.com.csr -noout -text
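The steps of Subsections 1.1.1 to 1.6 as one unattended script, added here as an example and not taken from the original guide. It assumes the openssl CLI is installed; the domain names, passphrase and file names are made up, and -passout replaces the interactive passphrase prompt only so the script can run without a terminal.

```shell
#!/bin/sh
# Constructed example (not from the original guide): run Subsections 1.1.1 to 1.6
# unattended: write the CSR config, generate an encrypted key plus CSR, and read
# the SANs back out of the CSR. Assumes the openssl CLI; all names are made up.
set -eu
WORK="$(mktemp -d)"
trap 'rm -rf "$WORK"' EXIT
NAME="myapp.mydomain.com"

# Write the CSR configuration (same layout as Subsection 1.1.1), one DNS SAN per argument.
write_csr_config() {
    cat > "$WORK/$NAME.cnf" <<EOF
[ req ]
default_bits = 2048
distinguished_name = req_distinguished_name
req_extensions = req_ext
prompt = no
[ req_distinguished_name ]
countryName = NO
stateOrProvinceName = Oslo
localityName = Oslo
organizationName = My Company
organizationalUnitName = Some Unit
commonName = $NAME
[ req_ext ]
subjectAltName = @alt_names
[ alt_names ]
EOF
    i=1
    for san in "$@"; do echo "DNS.$i = $san" >> "$WORK/$NAME.cnf"; i=$((i + 1)); done
}

# Generate key pair and CSR; -passout stands in for the interactive passphrase prompt.
generate_csr() {
    openssl req -new -newkey rsa:2048 -config "$WORK/$NAME.cnf" \
        -keyout "$WORK/${NAME}_encrypted.key" -out "$WORK/$NAME.csr" \
        -passout pass:"$1" 2>/dev/null
}

# Print the DNS SANs recorded in the CSR, one per line (the Section 1.6 decode).
csr_sans() {
    openssl req -in "$WORK/$NAME.csr" -noout -text | grep -o 'DNS:[^, ]*' | sed 's/^DNS://'
}

# 0 if the key file is passphrase-protected (its PEM header says ENCRYPTED).
key_is_encrypted() { grep -q ENCRYPTED "$WORK/${NAME}_encrypted.key"; }

write_csr_config "$NAME" myapp-dev.mydomain.com myapp-test.mydomain.com
generate_csr 'constructed-passphrase-15chars!'
```

In interactive use, drop -passout and let openssl prompt so the passphrase never lands in shell history.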


Section 1.7: Submitting the CSR to a Certificate Authority

Provide the CSR file to a Certificate Authority to generate and issue your certificate.

Chapter 2: Managing and Renewing Certificates

A Certificate Authority may deliver your certificate in various formats. Commonly it arrives either as a composite file that combines the Server, Intermediate, and Root certificates, or as separate files.

For ease of use, many prefer a single .crt file. To create one, concatenate the PEM certificates into a new .crt file in the following order: Server, Intermediate, Root.

To inspect the contents of the .crt file, execute:

openssl x509 -in myapp.mydomain.com.crt -text -noout

Note that openssl x509 decodes only the first certificate in the file, which in this order is the server certificate.

Review the contents, including the common name and SANs, to ensure they correspond with your CSR file.

Before deployment, decrypt your encrypted private key (see section 1.5).

To check if the certificate aligns with the private key, execute:

openssl x509 -noout -modulus -in myapp.mydomain.com.crt | openssl md5

openssl rsa -noout -modulus -in myapp.mydomain.com.key | openssl md5

If the output for each command begins with “(stdin)=” and the hash values match, your private key is valid for the certificate.

If your server supports deploying both the certificate and the private key in a single bundle, consider using the .pfx format, which combines both into one file. Use the following command:

openssl pkcs12 -export -in myapp.mydomain.com.crt -inkey myapp.mydomain.com.key -out myapp.mydomain.com.pfx

Otherwise, your server will likely require the .crt and .key files to be stored separately in designated locations.
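Two of this chapter's checks as one added example (not the guide's own code): confirming that a concatenated .crt follows the Server, Intermediate, Root order, and confirming that a private key belongs to the server certificate. It assumes the openssl CLI is installed and generates its own throw-away root and leaf as test data; every file name and subject is made up.

```shell
#!/bin/sh
# Constructed example (not from the original guide): check that a bundled .crt is
# ordered Server, Intermediate, Root, i.e. each certificate's issuer is the next
# one's subject, and that a private key belongs to the server certificate.
# Assumes the openssl CLI; the root and leaf made below are test data only.
set -eu
WORK="$(mktemp -d)"
trap 'rm -rf "$WORK"' EXIT

# Split a PEM bundle into $WORK/cert-N.pem (file order) and print the count.
split_bundle() {
    rm -f "$WORK"/cert-*.pem
    n=0
    while IFS= read -r line; do
        case "$line" in *"-----BEGIN CERTIFICATE-----"*) n=$((n + 1)); : > "$WORK/cert-$n.pem" ;; esac
        if [ "$n" -gt 0 ]; then printf '%s\n' "$line" >> "$WORK/cert-$n.pem"; fi
    done < "$1"
    echo "$n"
}

# 0 if issuer(cert i) == subject(cert i+1) for every adjacent pair, else 1.
chain_is_ordered() {
    count="$(split_bundle "$1")"
    i=1
    while [ "$i" -lt "$count" ]; do
        issuer="$(openssl x509 -in "$WORK/cert-$i.pem" -noout -issuer)"
        subject="$(openssl x509 -in "$WORK/cert-$((i + 1)).pem" -noout -subject)"
        [ "${issuer#issuer=}" = "${subject#subject=}" ] || return 1   # drop the labels
        i=$((i + 1))
    done
    return 0
}

# Same modulus-hash comparison as the two commands above, as a yes/no check.
key_matches_cert() {
    c="$(openssl x509 -noout -modulus -in "$1" | openssl md5)"
    k="$(openssl rsa -noout -modulus -in "$2" 2>/dev/null | openssl md5)"
    [ "$c" = "$k" ]
}

# Test data: a self-signed root and a leaf it signs; keys left unencrypted for brevity.
openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=Constructed Root" \
    -keyout "$WORK/root.key" -out "$WORK/root.crt" 2>/dev/null
openssl req -new -newkey rsa:2048 -nodes -subj "/CN=myapp.mydomain.com" \
    -keyout "$WORK/leaf.key" -out "$WORK/leaf.csr" 2>/dev/null
openssl x509 -req -in "$WORK/leaf.csr" -CA "$WORK/root.crt" -CAkey "$WORK/root.key" \
    -CAcreateserial -days 1 -out "$WORK/leaf.crt" 2>/dev/null
cat "$WORK/leaf.crt" "$WORK/root.crt" > "$WORK/good-bundle.crt"   # Server, Root
cat "$WORK/root.crt" "$WORK/leaf.crt" > "$WORK/bad-bundle.crt"    # reversed
```

Run chain_is_ordered against the .crt you assembled and key_matches_cert against that .crt and the decrypted key before deploying either.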

Section 2.1: Deploying the Certificate and Private Key

Follow your server's documentation to deploy the certificate and private key. After deployment, you can verify the certificate with:

openssl s_client -connect <your_server_ip>:443 -showcerts

You can also check your certificate using Entrust SSL Labs.

