Lighttpd SSL Administration Linux
Introduction
When ordering an SSL certificate a Certificate Signing Request (CSR) is required. The CSR is generated from a private key.
If you wish to generate the private key yourself, you also need to generate the CSR: follow Generating a CSR and afterwards Installation of SSL certificate.
If you already have the private key and certificate ready, follow Installation of SSL certificate.
This guide is created using OpenSSL 1.1.1f and Lighttpd 1.4.55 with default settings.
This guide describes how to create, install and configure SSL in lighttpd on Linux.
This guide fits Ubuntu, Red Hat, CentOS, etc. Minor changes in paths and commands may be needed on other Linux distributions.
- Run the following command to see which version of OpenSSL is installed:
openssl version
- Run the following command to see which version of lighttpd is installed:
lighttpd -v
- You can generate an SSL configuration text at Mozilla SSL Configuration Generator which you can then modify to fit your server.
You can choose between the following settings. We recommend intermediate if you have no specific reason to select something else, and that you do not activate HSTS unless you are sure you know what you are doing.
- Modern: Provides higher security but lower compatibility as it prevents access for older browsers and clients.
Recommended if all clients are known, e.g. on an internal website.
- Intermediate: A balance between medium-high security and high compatibility.
Generally recommended for servers that are accessed by unknown clients, e.g. a webshop. This optimises security while still allowing slightly older clients to access the website.
- Old: Low security, highest compatibility.
This setting is only recommended if compatibility is more important than security, as it enables abandoned SSL/TLS versions and ciphers with known security holes.
- HSTS: (HTTP Strict Transport Security) is a response header that tells the client that the DNS name may only be accessed through HTTPS from now on. The client remembers this for as long as max-age says, whether or not the header is later removed from the server. The only way to clear it is to serve the header again with max-age=0 over a working HTTPS connection, so if HTTPS breaks, clients are locked out until it is repaired.
Follow a thorough guide, be conservative and set max-age to 300 seconds (5 minutes) for at least a week before raising it gradually.
Watch out for the includeSubDomains and preload directives: includeSubDomains extends the rule to every sub-domain, and a domain on the browser preload list cannot be removed quickly, so use neither unless everything is already running HTTPS.
- OCSP Stapling: It is definitely advantageous to activate OCSP stapling. It allows the server to fetch the revocation status of its own certificate from the CA regularly and deliver it to the client in the TLS handshake, instead of each client having to look the status up itself every time. Note that lighttpd only gained built-in OCSP stapling (ssl.stapling-file) in 1.4.56, so it is not available in the 1.4.55 this guide is based on.
Generating a CSR
In this example we use a single DNS name, which works for both standard and SAN certificates; for a wildcard certificate the Common Name is replaced with *.fairssl.dk.
To be able to generate the CSR and complete the order you will need the following information:
- Common Name (CN): The primary fully qualified domain name. e.g.: www.fairssl.dk
- Organization Name (O): The full company name, exactly as registered in CVR. e.g.: FairSSL A/S (only required for OV and EV certificates)
- Organizational Unit (OU): Formerly the department that was to use the certificate. It is no longer accepted by Certificate Authorities and should be left empty.
- Locality (L): City name. e.g.: Ørum Djurs
- State (ST): State or municipality; in Denmark the municipality is used. e.g.: Norddjurs
- Country (C): ISO-standard two-letter country code, must be capitalised. e.g.: DK
We use OpenSSL to create the private key and the CSR. Distribution packages install it as /usr/bin/openssl, which is on the default PATH; only an OpenSSL built from source ends up under /usr/local (e.g. /usr/local/ssl/bin). Run command -v openssl to see which binary you are using.
Generating the private key
- Login to the server with an administrator account.
- Run the following command to generate a 2048-bit Diffie-Hellman parameter file (used by the DHE cipher suites; this can take several minutes):
sudo openssl dhparam -out /etc/ssl/private/dhparam.pem 2048
- Run the following command to generate a private RSA 2048-bit key without password:
sudo openssl genrsa -out /etc/ssl/private/www.fairssl.dk.key 2048
We create the private key in /etc/ssl/private/ because it is a folder reserved for this purpose, with permissions that allow only root to read it.
Never send the private key to us in an email.
The private key file must be kept secure and should not leave the server. Public Certificate Authorities no longer issue certificates for RSA keys shorter than 2048 bits, so smaller keys such as RSA 1024-bit cannot be used.
Generating the CSR
- Run the following command to create a CSR with the private key you created:
sudo openssl req -new -key /etc/ssl/private/www.fairssl.dk.key -out /etc/ssl/private/www.fairssl.dk.csr
Enter the information you collected earlier, each value followed by [ENTER]; remember that Country Name has to be capitalised. Leave Organizational Unit Name and the 3 last fields empty as shown below:
Country Name: DK
State or Province Name: Norddjurs
Locality Name: Ørum Djurs
Organization Name: FairSSL A/S
Organizational Unit Name:
Common Name: www.fairssl.dk
Email Address:
A Challenge Password:
An Optional Company Name:
- You can confirm that your CSR is generated correctly with the following command:
sudo openssl req -noout -text -in /etc/ssl/private/www.fairssl.dk.csr
- Open the CSR file with a text editor (e.g. sudo nano /etc/ssl/private/www.fairssl.dk.csr) and copy the entire text, incl. all the dashes at the beginning and end.
Insert the copied text in the CSR field during the certificate ordering.
The following is an example of a complete CSR text:
A CSR contains only the public key, the subject fields and a signature made with the private key; it reveals nothing about the private key itself, so there is no security risk in sending the CSR to us through an unencrypted email.
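The key and CSR steps above, scripted so they run non-interactively, together with the checks worth running on the result before ordering and again before installing. This is an added example for this guide, not FairSSL's own tooling: it works under a temporary directory ($OUT) so it can be run anywhere, whereas on the real server the files belong in /etc/ssl/private/ as described above; the subject values are the ones from the text, and the self-signed certificate at the end only stands in for the CA-issued one.

```shell
#!/bin/sh
# Added example for this guide, not FairSSL's tooling: the key and CSR steps
# above scripted non-interactively, plus the checks worth running on the result.
# Needs OpenSSL 1.1.1 or later. Paths under $OUT are assumptions for running it
# anywhere; on the real server use /etc/ssl/private/ as the guide does.
set -eu

OUT="${OUT:-$(mktemp -d)}"
CN="${CN:-www.fairssl.dk}"

# Request config: prompt = no takes the subject from [dn] verbatim, and [ext]
# puts the DNS name in subjectAltName, which CAs treat as the authoritative
# list of names (add further DNS: entries for a SAN certificate).
write_req_conf() {
    cat > "$OUT/req.cnf" <<EOF
[ req ]
distinguished_name = dn
req_extensions     = ext
prompt             = no
utf8               = yes
[ dn ]
C  = DK
ST = Norddjurs
L  = Ørum Djurs
O  = FairSSL A/S
CN = $CN
[ ext ]
subjectAltName = DNS:$CN
EOF
    echo "$OUT/req.cnf"
}

# 2048-bit RSA key without a passphrase, written under a 077 umask so it is
# owner-readable only from the first byte.
gen_key() {
    umask 077
    openssl genrsa -out "$OUT/$CN.key" 2048 2>/dev/null
    echo "$OUT/$CN.key"
}

gen_csr() {
    conf=$(write_req_conf)
    openssl req -new -key "$OUT/$CN.key" -config "$conf" -out "$OUT/$CN.csr"
    echo "$OUT/$CN.csr"
}

# A CSR is signed with the private key; -verify checks that signature, so a
# CSR that was edited, truncated or made with another key fails here.
verify_csr() {
    openssl req -noout -verify -config "$OUT/req.cnf" -in "$OUT/$CN.csr" >/dev/null 2>&1
}

# The SAN list as the CA will read it, e.g. "DNS:www.fairssl.dk".
csr_sans() {
    openssl req -noout -text -config "$OUT/req.cnf" -in "$OUT/$CN.csr" |
        sed -n '/Subject Alternative Name/{n;s/^ *//;p;}'
}

# SHA-256 of the public key inside a private key, a CSR or a certificate. All
# three must agree; a certificate issued for another key is unusable here.
pubkey_fp() {
    case "$1" in
        *.key) openssl pkey -in "$1" -pubout ;;
        *.csr) openssl req -noout -pubkey -config "$OUT/req.cnf" -in "$1" ;;
        *)     openssl x509 -noout -pubkey -in "$1" ;;
    esac | openssl sha256 | awk '{print $NF}'
}

# Build the file lighttpd's ssl.pemfile expects (private key, then the server
# certificate), refusing if the certificate does not belong to the key.
build_pemfile() {
    key="$1"; crt="$2"; out="$3"
    if [ "$(pubkey_fp "$key")" != "$(pubkey_fp "$crt")" ]; then
        echo "refusing: $crt does not match $key" >&2
        return 1
    fi
    umask 077
    cat "$key" "$crt" > "$out"
    echo "$out"
}

# Demo: a self-signed certificate stands in for the CA-issued one so the checks
# run offline; on the real server pass the certificate from the CA's email.
demo() {
    key=$(gen_key)
    csr=$(gen_csr)
    verify_csr
    echo "CSR signature OK, SAN: $(csr_sans)"
    openssl x509 -req -in "$csr" -signkey "$key" -days 1 -out "$OUT/$CN.crt" 2>/dev/null
    build_pemfile "$key" "$OUT/$CN.crt" "$OUT/$CN.pem"
}
demo
```

The pubkey_fp check is the one to keep around: run it on the key, the CSR you pasted into the order and the certificate you receive, and all three fingerprints must be identical before you touch lighttpd.conf.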
Installation of SSL certificate
- Login to the server with an administrator account.
- Create the following two files in the folder where your private key is located (/etc/ssl/private/):
intermediate.pem: Copy the full text of the intermediate certificate into this file.
www.fairssl.dk.pem: Open your private key in a text editor (e.g. sudo nano /etc/ssl/private/www.fairssl.dk.key) and copy its entire text into this file, then append the text of the certificate you received in the email. Because this file now contains the private key, give it the same restrictive permissions as the key (readable by root only).
- Open lighttpd.conf in a text editor (e.g.: sudo nano /etc/lighttpd/lighttpd.conf).
Copy the configuration you generated in the Introduction into the file, and modify it so it fits the website.
If you already have an https configuration you just need to modify it.
- When you are done you need to restart the server:
/etc/init.d/lighttpd restart
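A complete HTTPS block for lighttpd 1.4.55 at the intermediate level described in the Introduction, as an added example for this guide rather than the Mozilla generator's output or FairSSL's own configuration. The file paths, the DNS name and the HSTS max-age are assumptions to adjust; the cipher list is the forward-secret AEAD set the intermediate profile is built from.

```conf
# Added example, not from the original guide: lighttpd 1.4.55 HTTPS block at
# the "intermediate" level. Paths and names are assumptions; adjust them.
server.modules += ( "mod_openssl", "mod_setenv", "mod_redirect" )

$SERVER["socket"] == ":443" {
    ssl.engine  = "enable"
    # private key followed by the server certificate, built as in the
    # installation section; the intermediate certificate lives in its own file
    ssl.pemfile = "/etc/ssl/private/www.fairssl.dk.pem"
    ssl.ca-file = "/etc/ssl/private/intermediate.pem"

    # TLS 1.2 is the floor (OpenSSL 1.1.1 adds TLS 1.3 on its own);
    # SSLv2/SSLv3 and TLS 1.0/1.1 are never negotiated
    ssl.use-sslv2 = "disable"
    ssl.use-sslv3 = "disable"
    ssl.openssl.ssl-conf-cmd = ( "MinProtocol" => "TLSv1.2" )

    # forward-secret, AEAD suites only; every entry is acceptable, so the
    # client may choose the order (e.g. ChaCha20 on phones without AES-NI)
    ssl.cipher-list = "ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384"
    ssl.honor-cipher-order = "disable"

    # the parameters generated in "Generating the private key"; required by
    # the DHE-* suites above, and the curve used for the ECDHE-* suites
    ssl.dh-file  = "/etc/ssl/private/dhparam.pem"
    ssl.ec-curve = "secp384r1"

    ssl.disable-client-renegotiation = "enable"

    # HSTS at the conservative starting value from the Introduction;
    # raise max-age only after a week without problems
    setenv.add-response-header = ( "Strict-Transport-Security" => "max-age=300" )
}

# send plain-HTTP requests to the HTTPS site; the innermost condition captures
# the Host header as %0 for the redirect target
$HTTP["scheme"] == "http" {
    $HTTP["host"] =~ ".*" {
        url.redirect = ( ".*" => "https://%0$0" )
    }
}
```

Before restarting, run lighttpd -tt -f /etc/lighttpd/lighttpd.conf: it loads the modules and the certificate files and reports missing paths or syntax errors without touching the running server (on systemd-based distributions the restart itself is sudo systemctl restart lighttpd). lighttpd reads ssl.pemfile while still running as root, before it drops to its unprivileged user, so the file can stay readable by root only. OCSP stapling is deliberately absent: lighttpd only supports it natively (ssl.stapling-file) from 1.4.56.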
We recommend that you test the installation with our server tester at https://www.fairssl.net/en/ssltest
Intermediate certificates
Here you can find the intermediate certificates from different Certificate Authorities.
We recommend that you use the intermediate certificate you got with your server certificate, and only download from here in case you lose it, as the one you get in the mail will always be the correct one for your server certificate.