SSL Setup

Contents

Lighttpd setup
Packaging
Setup on svasey.org
- How to install the certificates
- Fingerprints
  - Root certificate
  - svasey.org certificate

This page documents the SSL setup on svasey.org. If you want information on how to use openssl, see SSL Management

Lighttpd setup

First, generate a pem file with the key and the certificate:

cat example_com.cer example_com.key > example_com.pem

I put the pem file along with the certificate in /etc/lighttpd/certs. The configuration file reads:

$SERVER["socket"] == ":443" {
  ssl.engine = "enable"
  ssl.pemfile = "/etc/lighttpd/certs/example_com.pem"
  ssl.ca-file = "/etc/lighttpd/certs/example_com.crt"
}

For more documentation, see lighttpd's ssl page

Packaging

The public part of the certificates is packaged in a http-certs package. The package installs so that the certificates are published at certs.svasey.org. certs.svasey.org also contain other crypto-related material, like my GPG key.

Fake certificates are installed along with the http-config package; the real certificates need to be copied manually

Setup on svasey.org

If you try http://secure.svasey.org or any of the subdomains, you will automatically be 301-redirected to https. The test.secure.svasey.org domain can be used for testing.

The use of https on the other domains is possible, but not enabled by default (i.e you will have to manually type in https, which is the proper thing to do anyway).

Note that the certificate I use is only valid for any direct subdomain of svasey.org (but no sub-subdomain, i.e test.test.svasey.org will not validate) and for any direct subdomain of secure.svasey.org, i.e test.secure.svasey.org will validate but not test.test.secure.svasey.org). This implies that all of my http-served domains should fulfill one of those two properties.

How to install the certificates

To use SSL on my domains, you will need to install my root certificate. Otherwise, your browser will issue a warning, and you will never be able to be certain that the site you are visiting is really mine.

My root certificate is self-signed: this means it cannot be trusted as is. To verify its authenticity, you will need to check its GPG signature.

To do that, run the following commands:

$ wget http://certs.svasey.org/svasey_root.cer http://certs.svasey.org/svasey_root.cer.sig
$ gpg --verify svasey_root.cer.sig

To run the last command, you will need to fetch and trust my GPG key. If the output indicates a good signature, then you can be reasonnably certain that you have the correct root certificate.

You now need to import the certificate into your browser. For example, on Firefox do: Menu -> Edit -> Preference -> Advanced -> Encryption -> View Certificates -> Authorities -> Import and select example_root.cer.

Finally, you can import the certificate revocation list.

Fingerprints

Root certificate

The finerprints of the svasey root certificate (svasey_root.cer) are:

SHA1: D2:E0:1C:64:AF:02:EF:12:CB:8D:4E:6A:65:C2:D1:2F:57:53:02:4C
MD5 : 4C:F4:49:FE:2B:AE:03:EE:B0:86:43:D5:8A:09:DF:BB

svasey.org certificate

The fingerprints of the svasey.org certificate (svasey_org.cer) are:

SHA1: CC:2F:2D:8A:59:88:66:87:35:31:1C:BB:D1:35:B0:B5:4B:5E:E7:5D
MD5 : 57:21:E4:21:FB:85:5D:A0:B4:21:0C:93:CF:95:13:D7

Sebastien Vasey's Doc