How to install and configure LibreSSL. I explain its importance in my CloudFlare article. Before continuing, download the latest version here. Or get the latest version using this command:
$ curl -O "http://ftp.openbsd.org/pub/OpenBSD/LibreSSL/$(curl -s "http://ftp.openbsd.org/pub/OpenBSD/LibreSSL/SHA256" | grep -Eo 'libressl-[0-9]+\.[0-9]+\.[0-9]+\.tar\.gz' | tail -1)"
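Checking the downloaded tarball against its entry in the SHA256 file that the command above reads (an added example, not part of the original post). The sample tarball and checksum file are constructed locally, and the function names are made up for this sketch; a checksum only proves integrity if the SHA256 file itself arrived over an authenticated channel.

```shell
#!/bin/sh
# Added example: verify a tarball against a BSD-style SHA256 file, whose
# lines look like:  SHA256 (libressl-2.1.3.tar.gz) = <64 hex digits>

# sha256_of <file>: print the hex digest (GNU sha256sum or BSD/macOS shasum).
sha256_of() {
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$1" | cut -d' ' -f1
    else
        shasum -a 256 "$1" | cut -d' ' -f1
    fi
}

# verify_release <SHA256-file> <tarball>
# Returns 0 on match, 1 on mismatch, 2 if the tarball has no entry.
verify_release() {
    vr_name=$(basename "$2")
    # Exact field comparison, so dots in the file name are not wildcards.
    vr_want=$(awk -v n="($vr_name)" \
        '$1 == "SHA256" && $2 == n && $3 == "=" { print $4; exit }' "$1")
    if [ -z "$vr_want" ]; then
        echo "no SHA256 entry for $vr_name" >&2
        return 2
    fi
    vr_got=$(sha256_of "$2")
    if [ "$vr_got" = "$vr_want" ]; then
        echo "OK: $vr_name"
    else
        echo "MISMATCH: $vr_name" >&2
        return 1
    fi
}

# Demo on constructed data (not a real LibreSSL release).
demo=$(mktemp -d)
printf 'constructed tarball contents\n' > "$demo/libressl-2.1.3.tar.gz"
printf 'SHA256 (libressl-2.1.3.tar.gz) = %s\n' \
    "$(sha256_of "$demo/libressl-2.1.3.tar.gz")" > "$demo/SHA256"
verify_release "$demo/SHA256" "$demo/libressl-2.1.3.tar.gz"
```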
1) Unpack LibreSSL
$ tar -xzvf libressl-2.1.3.tar.gz
$ cd libressl-2.1.3
2) Install LibreSSL locally
$ ./configure
$ make
$ sudo make install
If you’re using LibreSSL version 2.0.0 or earlier:
$ ./configure --prefix=/usr LDFLAGS=-lrt && make check && sudo make install
Fortunately, LibreSSL runs all the OpenSSL commands. So you can probably find tutorials that tell you how to configure OpenSSL and apply that to LibreSSL. Think of LibreSSL as the non-broken version of OpenSSL.
To check if it installed properly:
$ which openssl
> /usr/local/bin/openssl
$ openssl version
> LibreSSL 2.1.3
3) Making the certificate
3.1) Your Private Key
Now, you’ll need to use a password to make your private-key file. Think of something uncommon. Maybe use a password generator, but store the password somewhere you can retrieve it, like a password manager. You can put your private key file anywhere and name it whatever you like, as long as it’s “something.key”.
$ openssl genrsa -des3 -out privatekey.key 2048
3.2) The Certificate Request
Now you need to make a CSR (Certificate Signing Request) file. It also contains the public key. It holds information about your company to maintain integrity, i.e. so people know you’re the host sending them responses. You can save this anywhere as long as the name is “something.csr”. Usually, it’s best if you save it as “domain.csr”.
The terminal will ask you each of the following questions:
- Country code [C]: check your country here
- Province/State name [ST]: spell out your province or state fully
- City/Location [L]: the city your company is registered under
- Organization Name [O]: Your legal business name
- Organizational Unit Name [OU]: (Optional) What part of the company are you?
- Common Name [CN]: the hostname+domain, i.e. “domain.com” is different than “www.domain.com”. In our case, we’re putting SSL on our IP address, not a usual occurrence.
Do not enter an email address, challenge password or an optional company name when generating the CSR.
You can run the following command or you can change the configuration file settings:
$ openssl req -new -key privatekey.key -out domain.csr
3.2.1) Config Files
Using a configuration file lets you customize your certificate more than the prompts alone do. I recommend it because you can list multiple hosts, i.e. you can enter “www.example.com” AND “example.com” in the same config file. Otherwise, the certificate will only be valid for the default subdomain. You could also forward www to no-www or vice versa and just do one of them. I did that by doing CloudFlare > Page Rules > forwarding www.communote.net/* to https://communote.net.
It also lets you cover multiple domain endings, e.g. “example.me” or “example.org”.
The configuration file outlines the default settings for the certificate.
Make a new file and call it “something.cnf”. Usually, it should be named “openssl.cnf”. By the way, if you’re Googling this, there are two encodings for configuration files: DER and PEM. I’m using PEM.
Here’s a sample configuration. The file uses the following format. There are limitations to the lengths of the inputs. Usually, when you look at documentation, attribute is the question the terminal asks when requesting the value for the given attribute, attribute_default is the value used if you don’t enter one, attribute_min is the minimum length of your input, and attribute_max is the maximum length of your input. A ‘.’ represents an empty input. Comments are denoted by an octothorpe ‘#’. Yes, I just wanted to say octothorpe. I played around with the file a bit to get a better understanding of how it works. Take the following code, replace DNS.1 with “www.yourdomain.com”, add any other domains that you want as additional alt_names, and save it in your config file:
[ req ]
string_mask = nombstr # permitted characters
distinguished_name = req_distinguished_name
req_extensions = v3_req
[ req_distinguished_name ]
countryName = Country Name (2 letter code)
countryName_default = US
stateOrProvinceName = State or Province Name (full name)
stateOrProvinceName_default = California
localityName = City of your company
localityName_default = San Francisco
organizationalUnitName = Department
organizationalUnitName_default = IT Department
commonName = Domain Name
commonName_max = 64
commonName_default = example.com
[ v3_req ]
# Extensions to add to a certificate request
basicConstraints = CA:FALSE
keyUsage = nonRepudiation, digitalSignature, keyEncipherment
subjectAltName = @alt_names
[ alt_names ]
DNS.1 = www.example.com
#DNS.2 = helpdesk.example.org
#DNS.3 = *.example.org
#IP.1 = 192.168.1.1
Make the CSR with:
$ openssl req -new -key privatekey.key -out domain.csr -config openssl.cnf
You can check what you made by running:
$ openssl req -text -noout -in domain.csr
3.3) Signing the certificate
Quick note before I continue. Methods like this to obtain a TLS certificate are called “self-signed” because you sign them yourself. The alternative is paying for a subscription from a TLS provider. There are varying differences in security, but self-signed certificates can still have a lot of the same features that those from Certificate Authorities (CA) have. The only difference is how long they are valid. When someone cracks your passphrase, you need to change it ASAP or else they can spoof your certificates, which permits them to send viruses and crap to your users who think that you’re the one sending them.
If you self-sign your certificates, you can either assign a number of days before the certificate expires or let it never expire. With CA certificates, you can renew your certificates on-demand. For this reason, sites with “self-signed” certs are called insecure by browsers. It’s OK to use this behind CloudFlare, though. For the next step, the self-signing stage, think of the number of days that would make you feel safe about a certificate. I’d say 90 days. Circle the day on your calendar when you have to renew the certificate and use a different passphrase. Save it as “something.crt”.
$ openssl req -x509 -days 90 -key privatekey.key -in domain.csr -out certificate.crt
Each certificate generally applies to one sub-domain, i.e. “www.example.com” OR “example.com”, not both. However, you can get a wildcard certificate that applies to everything within one level of sub-domains, i.e. not “sub.sub.domain.com”.
You can review your certificate with the following command:
$ openssl x509 -in certificate.crt -noout -text -purpose | more
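The `-x509` step does not copy the extensions requested in the CSR into the certificate on its own; they are only added when it is given the config file together with `-extensions v3_req`. This added example (not from the original post) signs both ways and checks the result for the subjectAltName; the hostnames, file names and function names are constructed, and the demo key is unencrypted so the script runs unattended.

```shell
#!/bin/sh
# Added example (constructed hostnames): does the subjectAltName requested in
# the config file actually end up in the self-signed certificate?

# write_cnf <path>: trimmed config modeled on the one above (prompt = no).
write_cnf() {
    cat > "$1" <<'EOF'
[ req ]
prompt = no
distinguished_name = req_distinguished_name
req_extensions = v3_req
[ req_distinguished_name ]
commonName = example.com
[ v3_req ]
basicConstraints = CA:FALSE
keyUsage = nonRepudiation, digitalSignature, keyEncipherment
subjectAltName = @alt_names
[ alt_names ]
DNS.1 = www.example.com
DNS.2 = example.com
EOF
}

# cert_has_san <cert> <hostname>: true only for an exact DNS SAN entry.
cert_has_san() {
    openssl x509 -in "$1" -noout -text | tr ',' '\n' |
        sed 's/^[[:space:]]*//; s/[[:space:]]*$//' | grep -qxF "DNS:$2"
}

# sign_demo <dir> <plain|ext>: key, CSR, then a 90-day self-signed cert.
sign_demo() {
    sd_ext=""
    if [ "$2" = ext ]; then sd_ext="-extensions v3_req"; fi
    write_cnf "$1/openssl.cnf"
    openssl genrsa -out "$1/demo.key" 2048 2>/dev/null  # unencrypted, demo only
    openssl req -new -key "$1/demo.key" -out "$1/demo.csr" -config "$1/openssl.cnf"
    # $sd_ext is unquoted on purpose so it expands to two arguments (or none).
    openssl req -x509 -days 90 -key "$1/demo.key" -in "$1/demo.csr" \
        -out "$1/$2.crt" -config "$1/openssl.cnf" $sd_ext 2>/dev/null
}

work=$(mktemp -d)
for mode in plain ext; do
    sign_demo "$work" "$mode"
    if cert_has_san "$work/$mode.crt" www.example.com; then
        echo "$mode: SAN present"
    else
        echo "$mode: SAN missing"
    fi
done
```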
Some things will ask for “.pem” files. Actually, pretty much all of these are “.pem” files. You can just rename all the extensions to “.pem”, similar to this.
Soon, I’ll talk about how to configure this with AWS or Nginx or Tornado. Also, a bit about what cacert is.