Getting my SSL house in order
Last week's Sonoma State Computer Science Colloquium welcomed Jeremy Gillula from the EFF to talk about their Let's Encrypt project. They have many goals, but basically they want to make it easy and free to encrypt all websites.
This got me thinking that I needed to get the SSL certificate I use here re-issued to move away from SHA-1. In resolving that problem, I wanted to see if I could up my Qualys SSL Labs score. I was able to get my certificate re-issued relatively easily, but I had some chain issues. One of the reasons Let's Encrypt exists is that encryption is hard. Jeremy even made the point that many of us sysadmins make all the time: it's hard even for people like us who have been doing computers for years.
I always thought chains only mattered on the client, so that you could verify the server's certificate all the way back to the CA. Turns out, you should be configuring your server to also present the chain to the client. My certificate vendor sent me the two chain files and the CA file. All I had to do was place the files on the server, and add in the correct Apache config directives.
# Trusted root; Apache only uses this to verify client certificates, it is not sent to browsers.
SSLCACertificateFile /etc/apache2/ssl.crt/AddTrustExternalCARoot.crt
# Server Certificate Chain: SSLCertificateChainFile may only be given once (a repeat
# silently replaces the earlier value), so both intermediates go into a single file,
# the one that issued the server certificate first. Build it with:
#   cat COMODORSADomainValidationSecureServerCA.crt COMODORSAAddTrustCA.crt > chain.crt
# (chain.crt is just the file name chosen here)
SSLCertificateChainFile /etc/apache2/ssl.crt/chain.crt
After reloading Apache's config, I was able to get an "A" on the Qualys SSL report. Turns out it wasn't as hard as I thought.
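Before trusting a new chain file it is worth checking two separate things: that the intermediates are in the order a TLS server should present them (the issuer of the server certificate first, then each issuer in turn), and that they actually complete a path to a trusted root. The script below is an added example, not code from the original post or from Comodo or Apache. It builds a throwaway three-level test PKI with openssl (root, two intermediates and a leaf, all names constructed for the demo), then runs both checks over a correct bundle and over the two mistakes that commonly produce "chain issues" on SSL Labs. The csr/issue helpers, the file names and the two check functions are all this example's own.

```shell
#!/bin/sh
# Added example, not from the original post: build a throwaway PKI with openssl
# (root -> inter1 -> inter2 -> leaf, all names constructed for this demo) and
# check that a chain bundle (a) is ordered the way a TLS server should present it
# and (b) actually completes a path from the leaf to the trusted root.
set -eu
WORK=$(mktemp -d); trap 'rm -rf "$WORK"' EXIT; cd "$WORK"

# Extensions for CA certificates and for the server (leaf) certificate.
printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign,cRLSign\n' > ca.ext
printf 'basicConstraints=CA:FALSE\nkeyUsage=digitalSignature\nextendedKeyUsage=serverAuth\n' > leaf.ext

# csr NAME : new P-256 key plus CSR with CN=NAME (hypothetical helper).
csr() {
  openssl req -new -newkey ec -pkeyopt ec_paramgen_curve:prime256v1 -nodes -sha256 \
    -subj "/CN=$1" -keyout "$1.key" -out "$1.csr" 2>/dev/null
}
# issue NAME SIGNER EXTFILE : sign NAME's CSR with SIGNER's key and certificate.
issue() {
  csr "$1"
  openssl x509 -req -in "$1.csr" -CA "$2.crt" -CAkey "$2.key" -CAcreateserial \
    -days 2 -sha256 -extfile "$3" -out "$1.crt" 2>/dev/null
}
csr root   # the root is self-signed
openssl x509 -req -in root.csr -signkey root.key -days 2 -sha256 -extfile ca.ext -out root.crt 2>/dev/null
issue inter1 root   ca.ext    # first intermediate, issued by the root
issue inter2 inter1 ca.ext    # second intermediate, issued by inter1
issue leaf   inter2 leaf.ext  # the server certificate, issued by inter2

# A server sends only the intermediates, the one that issued the leaf first.
cat inter2.crt inter1.crt > chain-good.crt
cat inter1.crt inter2.crt > chain-wrong-order.crt   # reversed: some clients fail to build the path
cat inter2.crt            > chain-missing.crt       # one intermediate left out: incomplete chain

# split_pem BUNDLE PREFIX : one file per certificate (PREFIX1.pem, PREFIX2.pem, ...); prints the count.
split_pem() {
  rm -f "$2"[0-9]*.pem
  awk -v p="$2" '/-----BEGIN CERTIFICATE-----/{n++} n{print > (p n ".pem")} END{print n+0}' "$1"
}

# chain_order_ok LEAF BUNDLE ROOT : each certificate in BUNDLE must be the issuer of
# the one before it (starting at LEAF), and the last one must be issued by ROOT.
chain_order_ok() {
  n=$(split_pem "$2" ord_); prev=$1; i=1
  while [ "$i" -le "$n" ]; do
    issuer=$(openssl x509 -in "$prev" -noout -issuer)
    subject=$(openssl x509 -in "ord_$i.pem" -noout -subject)
    [ "${issuer#issuer=}" = "${subject#subject=}" ] || return 1   # misordered or unrelated cert
    prev="ord_$i.pem"; i=$((i + 1))
  done
  issuer=$(openssl x509 -in "$prev" -noout -issuer)
  root_subject=$(openssl x509 -in "$3" -noout -subject)
  [ "${issuer#issuer=}" = "${root_subject#subject=}" ]             # must reach the root
}

# chain_complete_ok LEAF BUNDLE ROOT : openssl rebuilds the path itself, so this
# catches a missing intermediate but accepts a misordered bundle.
chain_complete_ok() {
  openssl verify -CAfile "$3" -untrusted "$2" "$1" >/dev/null 2>&1
}

for b in chain-good.crt chain-wrong-order.crt chain-missing.crt; do
  if chain_order_ok leaf.crt "$b" root.crt; then o=ordered; else o=misordered; fi
  if chain_complete_ok leaf.crt "$b" root.crt; then c=complete; else c=incomplete; fi
  echo "$b: $o, $c"
done
```

The two checks deliberately disagree on the reversed bundle: openssl verify (like SSL Labs' path builder) finds the right path regardless of order, while the order check fails, which is the case that still trips older clients. To run the same checks against a live server, `openssl s_client -connect host:443 -servername host -showcerts </dev/null` prints every certificate the server actually sent; save the first as the leaf and the rest, in the order shown, as the bundle.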