crypto:certificate:server

Table of Contents

About

This page shows you how to enable SSL for a server (ie service).

This is how you enable HTTPS (HTTP over SSL) for a web server.

What do I need to configure?

In order to enable SSL, you need to add:

a certificate:
and the corresponding private key

You need one pair

by hostname
or by apex domain with a wildcard certificate

Why?

Because when an application (for instance a browser) connects to a server (for instance a web server), it can:

authenticate the server via its certificate (cert-based authentication)
initiate the SSL handshake

This certificate usage is also known as the SSL/TLS Web Server Authentication or server authentication for short.

In the handshake, the client can also authenticate itself to the server if it presents its certificat known as the client certificate but this is optional.

Component

To enable ssl (https) on a server, you need:

A private key
- It's a private entity and should not be shared (only the owner should have access)
- However, it must be readable by the web server process in order to:
  - create and send the public key to the client
  - decrypt the HTTP message encrypted by the client with the help of the public key
- It was used to create the certificate signing request
- The private key may be stored in its own file or alternately in the same file as the certificate
A server domain validated certificate.
- It's a public entity and can be shared
- It should be issued (signed) by a trusted CA
- It is sent to every client that connects to the server in order to verify the server identity
- The size should be at minimum 2048 ¹⁾
- It must present the DNS name of the server in the Subject Alternative Name extension of the certificate. ²⁾
- It must have a validity period of 398 days or fewer ³⁾
- It must have the usage

For test purpose or for internal use you can be your own CA and self signed your certificate

Configuration

Once you got the signed certificate and the private key, you can configure your server:

For HTTP server:

Nginx: Nginx - Https configuration
Apache: Apache - Installation of a Private Key and Certificate (mod_ssl)

For a Net Server, you need to enable SNI if you want to show more than one certificate.

How to see the server certificate in the browser ?

You can see the certificate of the web site in the browser

What happens when the certificate is bad ?

Example (when the certificate is open with portecle)

If you access this website with the above certificate, you got a warning (Example below in firefox)

¹⁾ , ²⁾ , ³⁾

Apple Server Certificates Limits