Checking the Certificate
There are some commands you can run from the command line to check that a certificate is valid. Do this before installing a certificate, to ensure the certificate matches the key.
Use these commands to test SSL against the site's URL:
openssl s_client -connect example.com:443
curl -I https://example.com
Use these commands to confirm the key and certificate match (if the two hashes are identical, the key and cert match):
openssl x509 -in /etc/pki/tls/certs/example.com.crt -noout -modulus | openssl md5
openssl rsa -in /etc/pki/tls/private/example.com.key -noout -modulus | openssl md5
You can also take a PKCS#7 certificate bundle and output the X.509 certs:
openssl pkcs7 -in /etc/pki/tls/certs/YEAR-example.com.pkcs -print_certs -out /etc/pki/tls/certs/YEAR-example.com.crt
This outputs a file containing the CA certs and the server cert together. The first one in the file should be the individual (server) cert, and the rest should be the CA certs. Separate them and configure them as above.
Install Key and Cert
1. Copy the cert to /etc/pki/tls/certs and the key to /etc/pki/tls/private respectively.
   a. Use the naming format domain-YYYY-MM-DD.key and domain-YYYY-MM-DD.crt
2. Symlink domain.key to domain-YYYY-MM-DD.key
   a. ln -s domain-YYYY-MM-DD.key domain.key
3. Symlink domain.crt to domain-YYYY-MM-DD.crt
   a. ln -s domain-YYYY-MM-DD.crt domain.crt
Permissions
Verify that the permissions on /etc/pki/tls/private are 755 and that the key files are 600, owned by root:root:
- # chown -R root:root /etc/pki/tls/private
- # chmod 755 /etc/pki/tls/private
- # chmod 600 /etc/pki/tls/private/*.key
Verify that the permissions on /etc/pki/tls/certs are 755 and that the cert files are 600, owned by root:root:
- # chown -R root:root /etc/pki/tls/certs
- # chmod 755 /etc/pki/tls/certs
- # chmod 600 /etc/pki/tls/certs/*.crt
Application Configuration
Apache
Modify the Apache configuration to point at the symlinks:
…
<VirtualHost _default_:443>
    SSLEngine on
    SSLCertificateFile /etc/pki/tls/certs/domain.crt
    SSLCertificateKeyFile /etc/pki/tls/private/domain.key
    #SSLCertificateChainFile /etc/pki/tls/certs/server-chain.crt
    #SSLCACertificateFile /etc/pki/tls/certs/ca-bundle.crt
</VirtualHost>
…
nginx
server {
    listen 443 ssl;
    # SSL configuration
    # nginx has no separate directive for the CA bundle: the server cert and the
    # CA certs go into one .pem file, server cert first.
    # On the command line run: cp -a /etc/pki/tls/certs/domain.crt /etc/pki/tls/certs/domain.pem
    # Then run: cat /etc/pki/tls/certs/ca-bundle.crt >> /etc/pki/tls/certs/domain.pem
    # "ssl on;" is redundant with "listen 443 ssl" and is deprecated in newer
    # nginx releases; drop it if nginx refuses to start.
    ssl on;
    ssl_certificate /etc/pki/tls/certs/domain.pem;
    ssl_certificate_key /etc/pki/tls/private/domain.key;
}
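The PKCS#7 split above ("the first one in the file should be the individual cert, the rest the CA certs") and the nginx single-file bundle are easy to get wrong by hand, so here is an added shell example (not part of the original wiki) that does both and, going a step beyond the RSA-only modulus check, confirms key/cert ownership by comparing public keys so it also covers EC keys. Function names and all file paths are assumptions.

```shell
#!/bin/sh
# Added example, not from the original wiki: shell helpers for the checks above.
# All file paths are assumptions; pass your own.
set -eu

# split_bundle BUNDLE LEAF_OUT CHAIN_OUT
# Splits the combined output of `openssl pkcs7 -print_certs` (or any concatenated
# PEM file): the first certificate block becomes the server (leaf) cert, every
# later block goes to the CA chain file. The subject=/issuer= lines that
# -print_certs writes between blocks are dropped.
split_bundle() {
    : > "$2"; : > "$3"    # both outputs must exist even for a single-cert bundle
    awk -v leaf="$2" -v chain="$3" '
        /-----BEGIN CERTIFICATE-----/ { n++; inblock = 1 }
        inblock { if (n == 1) print > leaf; else print > chain }
        /-----END CERTIFICATE-----/ { inblock = 0 }
    ' "$1"
}

# count_certs FILE -> number of PEM certificate blocks in FILE (0 if none)
count_certs() {
    grep -c -- '-----BEGIN CERTIFICATE-----' "$1" || true
}

# build_nginx_pem LEAF CHAIN OUT
# nginx wants the chain in the same file as the server cert, server cert first.
build_nginx_pem() {
    cat "$1" "$2" > "$3"
}

# key_matches_cert KEY CERT -> exit 0 when KEY is the private key for CERT.
# Compares the public keys instead of the RSA modulus, so it also covers EC keys.
key_matches_cert() {
    pub_cert=$(openssl x509 -in "$2" -noout -pubkey) || return 1
    pub_key=$(openssl pkey -in "$1" -pubout) || return 1
    [ "$pub_cert" = "$pub_key" ]
}

# verify_chain LEAF CHAIN -> exit 0 when LEAF chains through CHAIN to a CA in the
# system trust store (-untrusted: the intermediates are not trusted on their own).
verify_chain() {
    openssl verify -untrusted "$2" "$1"
}

# Usage: sh ssl_checks.sh YEAR-example.com.crt domain-YYYY-MM-DD.crt ca-bundle.crt
if [ $# -eq 3 ]; then
    split_bundle "$1" "$2" "$3"
    echo "leaf certs: $(count_certs "$2")  chain certs: $(count_certs "$3")"
fi
```

Run key_matches_cert and verify_chain against the split files before creating the symlinks; a chain that passes with -CAfile but fails with -untrusted usually means the root is not in the system store.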
Tomcat
Not officially supported; we can provide the public key and private key in a ticket and have the customer configure it. You may want to check AMGs to see if the customer is supported by Critical Sites (CAS team).
SSL Security Ciphers
Recommendations on security ciphers for PCI compliance should come with the disclaimer that the general Linux support floor is not a security company and that you should consult our security team for best practices. At the time of this writing I believe that team is still being spun up internally, so Account Managers and BDCs might have more information. With that said, one of our partners, CloudFlare, has some excellent recommendations on SSL ciphers. I'm providing links instead of documenting them here, because CloudFlare commonly updates their GitHub repository with the newest recommendations, whereas this wiki can get out of date:
https://github.com/cloudflare/sslconfig
https://support.cloudflare.com/hc/en-us/articles/200933580-What-cipher-suites-does-CloudFlare-use-for-SSL