Summary
1. Create the private key (server.key)
2. Create the CSR containing the public key (server.csr)
3. Apply to the certificate authority
4. Deploy the certificate, i.e. the signed public key (server.crt)
5. Deploy the intermediate certificate (sub.class1.server.ca.pem)
6. Create the DH parameters for PFS (dhparam.pem)
7. Configure nginx, check the configuration, restart
8. Check the SSL configuration (VeriSign, GeoTrust, Qualys SSL Labs, etc.)
9. Register with HSTS preload
Creating the private key and the CSR
% openssl genrsa -des3 -out /etc/nginx/ssl/server.key 2048
% openssl req -new -sha256 -key /etc/nginx/ssl/server.key -out /etc/nginx/ssl/server.csr
Enter pass phrase for /etc/nginx/ssl/server.key:
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [AU]:JP
State or Province Name (full name) [Some-State]:Tokyo-to
Locality Name (eg, city) []:Itabashi-ku
Organization Name (eg, company) [Internet Widgits Pty Ltd]:example inc
Organizational Unit Name (eg, section) []:
Common Name (e.g. server FQDN or YOUR name) []:example.com
Email Address []:user@example.com
Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:
An optional company name []:
Create the DH parameters dhparam.pem for PFS (Perfect Forward Secrecy)
% openssl dhparam -outform pem -out /etc/nginx/ssl/dhparam.pem 2048
/etc/nginx/sites-available/example.com
server {
listen 443 ssl default_server;
server_name example.com;
# server certificate (server.crt holds the server certificate followed by the intermediate certificate)
ssl_certificate /etc/nginx/ssl/server.crt;
# private key (created with -des3, so nginx prompts for the passphrase at every start)
ssl_certificate_key /etc/nginx/ssl/server.key;
# allow Nginx to send OCSP results during the connection process
ssl_stapling on;
ssl_stapling_verify on;
ssl_trusted_certificate /etc/nginx/ssl/sub.class1.server.ca.pem;
# TLSv1 and TLSv1.1 are deprecated (RFC 8996); keep them only if legacy clients need them
ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
# recommended cipher suite
ssl_ciphers 'kEECDH+ECDSA+AES128 kEECDH+ECDSA+AES256 kEECDH+AES128 kEECDH+AES256 kEDH+AES128 kEDH+AES256 DES-CBC3-SHA +SHA !aNULL !eNULL !LOW !kECDH !DSS !MD5 !EXP !PSK !SRP !CAMELLIA !SEED';
# make the server choose the best cipher instead of the browser
# Perfect Forward Secrecy (PFS) is frequently compromised without this
ssl_prefer_server_ciphers on;
# Use 2048 bit Diffie-Hellman parameters
# (otherwise Nginx defaults to 1024 bit, lowering the strength of encryption when using PFS)
# Generated by OpenSSL with the following command:
# openssl dhparam -outform pem -out /etc/nginx/ssl/dhparam.pem 2048
ssl_dhparam /etc/nginx/ssl/dhparam.pem;
# Cache SSL sessions for up to 10 minutes
# This improves performance by avoiding the costly session negotiation process where possible
ssl_session_cache builtin:1000 shared:SSL:10m;
# enable HSTS including subdomains
add_header Strict-Transport-Security 'max-age=31536000; includeSubDomains; preload';
...
}
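An added offline check over a server block like the one above (example code written for this post, not code from the original or from nginx): it parses the single-line directives, flags deprecated protocol versions, missing PFS and stapling directives, and an HSTS header that would not satisfy the preload-list requirements. The sample block is constructed from the configuration above with the file names made consistent.

```python
import re
# Constructed sample input: the server block from this post, with the file names made
# consistent (server.crt, dhparam.pem), embedded here so the checker runs offline.
SAMPLE_CONF = """
server {
    listen 443 ssl default_server;
    server_name example.com;
    ssl_certificate /etc/nginx/ssl/server.crt;
    ssl_certificate_key /etc/nginx/ssl/server.key;
    ssl_stapling on;
    ssl_stapling_verify on;
    ssl_trusted_certificate /etc/nginx/ssl/sub.class1.server.ca.pem;
    ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
    ssl_prefer_server_ciphers on;
    ssl_dhparam /etc/nginx/ssl/dhparam.pem;
    add_header Strict-Transport-Security 'max-age=31536000; includeSubDomains; preload';
}
"""
# One "name value;" directive per line; "server {" and "}" do not match and are skipped.
DIRECTIVE_RE = re.compile(r"^\s*([a-z_]+)\s+(.*?);\s*$", re.M)
LEGACY_PROTOCOLS = {"SSLv2", "SSLv3", "TLSv1", "TLSv1.1"}  # deprecated by RFC 7568 / RFC 8996

def parse_directives(conf):
    """Map each single-line directive to its raw value (a repeated directive keeps the last one)."""
    return {m.group(1): m.group(2).strip() for m in DIRECTIVE_RE.finditer(conf)}

def hsts_preload_ok(header_value):
    """Preload-list rules: max-age of at least one year, includeSubDomains and preload present."""
    value = header_value.strip().strip("'\"")
    tokens = {t.strip().lower() for t in value.split(";")}
    max_age = re.search(r"max-age=(\d+)", value, re.I)
    return (max_age is not None and int(max_age.group(1)) >= 31536000
            and "includesubdomains" in tokens and "preload" in tokens)

def audit(conf):
    """Return the list of findings for one server block (empty means every check passed)."""
    d = parse_directives(conf)
    findings = []
    legacy = set(d.get("ssl_protocols", "").split()) & LEGACY_PROTOCOLS
    if legacy:
        findings.append("deprecated protocols enabled: " + " ".join(sorted(legacy)))
    for key in ("ssl_dhparam", "ssl_stapling", "ssl_trusted_certificate"):
        if key not in d:
            findings.append("missing " + key)
    if d.get("ssl_prefer_server_ciphers") != "on":
        findings.append("ssl_prefer_server_ciphers is not on")
    hsts = d.get("add_header", "")
    if not hsts.startswith("Strict-Transport-Security"):
        findings.append("no Strict-Transport-Security header")
    elif not hsts_preload_ok(hsts[len("Strict-Transport-Security"):]):
        findings.append("HSTS header does not meet the preload requirements")
    return findings
```

Run `audit(SAMPLE_CONF)` on the block above and the only finding is the deprecated TLSv1/TLSv1.1 versions; the HSTS header already satisfies the preload rules.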
Evaluating the configuration
QUALYS SSL LABS - SSL Server Test
https://www.ssllabs.com/ssltest/
GeoTrust CryptoReport
https://cryptoreport.geotrust.com/checker/
Registering with HSTS Preload
Register the domain on the HSTS Preload list.
Reference
Strong SSL Security on nginx - Raymii.org
https://raymii.org/s/tutorials/Strong_SSL_Security_On_nginx.html
POSTD - HTTPS on Nginx: from zero to an A+ SSL rating, Part 1
http://postd.cc/https-on-nginx-from-zero-to-a-plus-part-1/
POSTD - HTTPS on Nginx: from zero to an A+ SSL rating, Part 2
http://postd.cc/https-on-nginx-from-zero-to-a-plus-part-2-configuration-ciphersuites-and-performance/
HSTS Preload
https://hstspreload.appspot.com/