Configure SSL certificates

Background

It is common practice to have web servers serving content over HTTPS, which is the secure version of HTTP. In order to do this and make the connection secure, you need an SSL certificate from a certificate signing authority.

The role of the SSL certificate is to indicate the encryption of user data from a server exposed on the web. SSL is a key for encrypting information. When a website’s certificate is expired or invalid, or if it using a self-signed (unofficial) certificate, as a user you either get a warning saying, “go back to safety,” or can’t access the website over https - instead you see a message that says “Not Secure” in your web browser. This means that the certificate is not signed by an authority, so it’s not trusted.

In theory, if your web server is universally accessible and doesn’t contain forms for users with personal or confidential information, there is no strict need for HTTPS connection. But, HTTPS is the modern standard and without it, visitors will have impression that the website is not safe. Therefore it is good practice to always have HTTPS on your web server.

What this documentation will help achieve

SSL certificates for TU Delft researchers and staff may be requested by contacting the ICT service desk. TU Delft ICT will order SSL certificates on your behalf from a trusted certificate signing authority.

Prerequisites

  • TU Delft netID
  • Linux-based VPS provided by TU Delft ICT
  • (optional) 1-step SSH connection established (see instructions ___)

Tools/Software

  • None

Steps

  1. Generate .csr file
  2. Secure-copy .csr file from server to local machine
  3. Submit Certificate Server Request to TU Delft ICT via TopDesk form

Step 1. Generate .csr file

The Certificate Signing Request (.csr) file is a file generated by you in a standard format that contains all the information the signing authority needs to create a signed certificate. You will need to include this .csr file in submitting your SSL certificate request form to TU Delft ICT, and you should generate it on your VPS directly. The instructions for generating a .csr file come from here.

SSH to your VPS (____ link if you have followed the process to connect directly, you can use: username@localmachine ~ % ssh externalserveralias)

Enter following command in the terminal: Note: replace mydomain with your actual domain name:

username@externalserver ~ % openssl req -new -newkey rsa:2048 -nodes -keyout mydomain.key -out mydomain.csr

You will be prompted to answer a series of questions:

  • Country name: 2 letter abbreviation for your country. Netherlands is NL.
  • State or Province Name: this is where your org operates from. Zuid-Holland.
  • Locality Name - name of the city your org operates from. Don’t use abbreviations in this field.
  • Organisation Name - use your (organisation’s) full name.
  • Organisational Unit Name - Use a department name ex. “IT Department” or “Library”
  • Common Name - the FQDN that you are requesting an SSL certificate for.
  • Email address
  • Optional password (can skip step)
  • Optional company name

Your CSR file has now been generated. To find your CSR, take a look at the contents of your current working directory with the ls command. You should notice two new files ending with “.key” and “.csr” respectively. For example:

username@externalserver ~ % ls
-rw-r--r--. 1 root root 1082 Jan 31 12:10 mydomain.csr
-rw-------. 1 root root 1704 Jan 31 12:10 mydomain.key

The .key file should be kept private on your server. The .csr file is your certificate signing request, and can be sent to a Certificate Authority.

Step 2. Secure-copy .csr file from server to local machine

In this step we use Secure Copy protocol (SCP) which is a means of securely transferring files between hosts on a network. This example will save the file in the Home directory, but you can also save it into any other project folder on your machine.

Navigate to directory of choice. In this case, we’ll use home.

username@localmachine .ssh % cd ~

Use scp to secure copy .csr file from your external server. If you have followed ___these steps to enable 1-step SSH access to your VPS, you can do this using the alias you set, and the .csr file name which should be your external server FQDN.csr. Don’t forget to add the . at the end of the command.

username@localmachine ~ % scp externalserveralias:~/external-server-FQDN.nl.csr .

Check to see that it saved on your local machine using ls:

username@localmachine ~ % ls
Applications        Movies
Desktop             Music
Documents           Pictures
Downloads           Public
Dropbox             external-server-FQDN.nl.csr
Library             surfdrive

If you have not set up 1-step SSH connection to your VPS, the file transfer procedure from the VPS to your local computer is composed of two steps:

  1. From the VPS to the intermediary server, and
  2. From the intermediary server to the local computer.

For the first step use:

scp <path to the csr file> <netid>@<intermediary_server_address>:<a path in the intermediary_server> (e.g., scp thredds.tudelft.nl.csr mynetid@linux-bastion-ex.tudelft.nl:~).

In the second step, you need to copy the file from the intermediary server to the local computer using the same command but with a different source and destination:

scp <netid>@<intermediary_server_address>:<the path in the intermediary_server to the selected file> <a path in the local computer> (e.g., scp mynetid@linux-bastion-ex.tudelft.nl:~/thredds.tudelft.nl.csr .)

Please note, if you are a Windows user, for the second step you need to install cygwin and ssh to the intermediary server using:

ssh <netid>@<intermediary_server_address> (e.g., ssh mynetid@linux-bastion-ex.tudelft.nl).

Step 3. Submit Certificate Server Request to TU Delft ICT via TopDesk form

TU Delft ICT will use the information stored in your .csr file to get the SSL certificate from the signing authority and send the SSL certificate to you. In order to make this request, you must attach your .csr file from the previous step.

Navigate to TopDesk form for TU Delft. TOPdesk SSL certificate server request.

Choose “Attach file” and navigate to directory where .csr file is stored** (in this example, it is in “Home”). Select “external-server-FQDN.nl.csr”.

Submit request. You can delete this file from your home directory after you submit the form.

ICT will respond with a SSL certificate (with the extension .crt, .cer, and/or .pem) that comes from the signing authority. When you have this, you can configure the SSL certificate to work with the web server on your VPS.

Notes and Next Steps

SSL certificates can expire - TU Delft ICT will let you know when this is about to happen. To renew, you will need a new .csr file. You can send this to TU Delft ICT via the original TopDesk form and they will forward to the signing authority.

To use your SSL certificate with your web server, you need to change some configuration settings based on the web server you are using (e.g., Apache, nginx). See ___Set up an Apache web server for more information.