Setting Up HTTPS Is Child's Play Now
In the past, and in some specific cases, setting up a valid X.509 certificate for your website or web app so that it can serve HTTPS connections was a painful process broken into many steps. Luckily for us, that has changed.
Before, you needed the following:
- Generate a key pair using a command like this:
  openssl genpkey -algorithm RSA -out private_key.pem -pkeyopt rsa_keygen_bits:2048
  then extract the public key using a command like this:
  openssl rsa -pubout -in private_key.pem -out public_key.pem;
- After that, you would need to describe the domain information, contact details, etc., and sign the request with your private key to generate a Certificate Signing Request (CSR). That could be generated using an openssl command, for example. I used this tool to generate the arguments for me;
- Submit the CSR to a Certificate Authority (CA) that would sign your CSR;
- Pay the CA to get its signature (at least 10 USD/year each);
- The CA would send an email to admin@yourdomain in an attempt to verify that you are the owner of that domain;
- The CA would then give you back your desired X.509 certificate. This certificate is configured in your web server to enable HTTPS connections that are trusted by all browsers;
- Set up your web server, e.g. Nginx, to enable HTTPS and load your certificate and private key. You also needed to make sure that the chain of trust is correct: there are Root CAs and Intermediate CAs, and your certificate may be signed by an intermediate, but browsers usually only know Root CAs. The point of the chain of trust is to link the Intermediate CA that signed your certificate to the trusted Root CA;
- Perform TLS hardening. Disable SSLv1, SSLv2 and SSLv3, and make sure that you defend against the known SSL/TLS attacks. Specify strong ciphers as well. There are specific guides for that, like this or this;
- Test your configuration against SSL Labs.
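What the manual steps above look like when actually typed out, as an added example that is not from the original post: the key pair and CSR from the first two steps, a throwaway local CA that stands in for the paid CA of the next three steps (no e-mail check, no money), the chain-of-trust check from the web server step, and an expiry check of the kind a renewal script needs. example.com, Example Org and the file names are placeholders; it needs only the openssl command-line tool.

```shell
#!/bin/sh
# Added example, not from the original post: the key, CSR and chain steps of
# the manual process, run locally so they can be inspected. A throwaway CA
# generated here stands in for the real CA you would submit the CSR to, and
# example.com is a placeholder domain. Needs only the openssl CLI.
set -eu

WORK="${WORK:-$(mktemp -d)}"
DOMAIN="${DOMAIN:-example.com}"

# Step 1: RSA key pair (the post's two commands), public half on its own.
gen_keypair() {
  openssl genpkey -algorithm RSA -out "$WORK/private_key.pem" \
    -pkeyopt rsa_keygen_bits:2048 2>/dev/null
  openssl rsa -pubout -in "$WORK/private_key.pem" -out "$WORK/public_key.pem" 2>/dev/null
}

# Step 2: the CSR. The domain info goes in the DN, but browsers match on the
# subjectAltName extension, so both names are declared there as well.
gen_csr() {
  cat > "$WORK/csr.cnf" <<EOF
[req]
distinguished_name = dn
req_extensions = ext
prompt = no
[dn]
CN = $DOMAIN
O = Example Org
[ext]
subjectAltName = DNS:$DOMAIN, DNS:www.$DOMAIN
EOF
  openssl req -new -key "$WORK/private_key.pem" -config "$WORK/csr.cnf" \
    -out "$WORK/request.csr"
}

# Steps 3-5: a local CA signs the CSR instead of a paid one. The CA cert gets
# an explicit CA:TRUE constraint so that verification accepts it as an issuer.
sign_with_local_ca() {
  cat > "$WORK/ca.cnf" <<EOF
[req]
distinguished_name = dn
x509_extensions = ca_ext
prompt = no
[dn]
CN = Local Test CA
[ca_ext]
basicConstraints = critical, CA:TRUE
keyUsage = critical, keyCertSign, cRLSign
EOF
  openssl req -x509 -newkey rsa:2048 -nodes -keyout "$WORK/ca.key" \
    -config "$WORK/ca.cnf" -days 30 -out "$WORK/ca.crt" 2>/dev/null
  openssl x509 -req -in "$WORK/request.csr" -CA "$WORK/ca.crt" -CAkey "$WORK/ca.key" \
    -CAcreateserial -days 30 -extfile "$WORK/csr.cnf" -extensions ext \
    -out "$WORK/server.crt" 2>/dev/null
}

# Step 6: the chain of trust. The leaf alone must NOT verify (a browser does
# not know our issuer); handing the issuer over is what closes the chain.
check_chain() {
  if openssl verify "$WORK/server.crt" >/dev/null 2>&1; then
    echo "leaf verified without its issuer; the trust store is polluted" >&2
    return 1
  fi
  openssl verify -CAfile "$WORK/ca.crt" "$WORK/server.crt" >/dev/null
}

# Did the signed certificate keep the names we asked for?
cert_has_san() {
  openssl x509 -in "$WORK/server.crt" -noout -text | grep -q "DNS:www.$DOMAIN"
}

# Renewal check: succeeds if the cert is still valid DAYS days from now.
cert_valid_for_days() {
  openssl x509 -in "$WORK/server.crt" -noout -checkend $(( $1 * 86400 )) >/dev/null
}

main() {
  gen_keypair && gen_csr && sign_with_local_ca
  check_chain && echo "chain ok"
  cert_has_san && echo "SAN ok"
  cert_valid_for_days 7 && echo "not due for renewal in the next 7 days"
  openssl x509 -in "$WORK/server.crt" -noout -subject -issuer -dates
}

main
```

With a real CA you would send request.csr off and get server.crt back; everything else, including the chain check and the expiry check, is the same.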
But now some players changed the game.
Let's Encrypt provides free certificates. Many didn't enable HTTPS because you needed to pay and the process was not simple, as I've shown above.
After that, Amazon Certificate Manager was launched, and now it provides free certificates without the complexity! It handles creation and renewal, although I believe that you can't pull out the private key. They manage it entirely for you, to be associated with their load balancers or their Content Delivery Network (CDN), CloudFront.
I just took the time to set up HTTPS for the static sites that I manage, such as findmyninja.io: I specified the names (findmyninja.io, www.findmyninja.io), confirmed ownership by clicking a link sent to admin@domain, and that's it. The last step was to associate this certificate with the CloudFront distribution, and it was done.
For your own server, the process is still painful, but there are some scripts built on top of Let's Encrypt that generate the certificate and renew it automatically when needed. Check it out.
If you enable HTTPS but forget to force clients to connect over HTTPS, that won't help much. Start by redirecting HTTP to HTTPS, and then do your best to allow HTTPS only. For CloudFront distributions, it is a point-and-click configuration. Don't forget to enable it on the distribution behavior.
One more thing. Remember that HTTPS is NOT only about encryption; it's about endpoint authenticity as well. So even if your site doesn't handle sensitive information, such as passwords, you still need HTTPS. It's how the client knows that it is talking to the correct server instead of a malicious one. Make sure you set it up :)
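For a self-hosted Nginx site, here are both halves of "force the client to connect over HTTPS" as an added example, not part of the original post: the server blocks that redirect HTTP to HTTPS (keeping only TLS 1.2 and 1.3, as the hardening step asks, and sending HSTS so browsers stop trying plain HTTP at all), and a small check that reads the response headers from the plain-HTTP URL and confirms the redirect really is a permanent redirect to an https:// URL. example.com, the certificate paths and the sample responses are constructed placeholders.

```shell
#!/bin/sh
# Added example, not from the original post: an Nginx config that redirects
# every HTTP request to HTTPS and then serves only over TLS, plus a check
# that inspects a server's HTTP response headers for that redirect. The
# domain, file paths and sample responses are constructed placeholders.
set -eu

# Print an Nginx config for DOMAIN. Port 80 does nothing but redirect; port
# 443 serves the site, limits protocols to TLS 1.2/1.3 and sends HSTS so a
# returning browser goes straight to HTTPS without the redirect hop.
nginx_https_only_conf() {
  domain="$1"; cert="$2"; key="$3"
  cat <<EOF
server {
    listen 80;
    listen [::]:80;
    server_name $domain www.$domain;
    return 301 https://\$host\$request_uri;
}

server {
    listen 443 ssl;
    listen [::]:443 ssl;
    server_name $domain www.$domain;

    ssl_certificate     $cert;
    ssl_certificate_key $key;
    ssl_protocols       TLSv1.2 TLSv1.3;
    ssl_prefer_server_ciphers off;

    # Browsers remember to use HTTPS only, for 180 days, on all subdomains.
    add_header Strict-Transport-Security "max-age=15552000; includeSubDomains" always;

    root /var/www/$domain;
}
EOF
}

# Read HTTP response headers on stdin (e.g. from: curl -sI http://DOMAIN/)
# and succeed only if the status is a permanent redirect to an https:// URL.
# CR is stripped first because header lines end in CRLF.
redirect_ok() {
  tr -d '\r' | awk '
    NR == 1 { status = $2 }
    tolower($1) == "location:" { loc = $2 }
    END {
      if ((status == 301 || status == 308) && index(loc, "https://") == 1) exit 0
      exit 1
    }'
}

# Succeed if an HTTPS response carries an HSTS header with a max-age.
hsts_ok() {
  tr -d '\r' | grep -qi '^strict-transport-security:.*max-age=[0-9]'
}

# Constructed sample responses (not captured from any real site).
GOOD_HTTP_RESPONSE="$(printf 'HTTP/1.1 301 Moved Permanently\r\nServer: nginx\r\nLocation: https://example.com/\r\nContent-Length: 0\r\n\r\n')"
BAD_HTTP_RESPONSE="$(printf 'HTTP/1.1 200 OK\r\nServer: nginx\r\nContent-Type: text/html\r\n\r\n')"
GOOD_HTTPS_RESPONSE="$(printf 'HTTP/1.1 200 OK\r\nStrict-Transport-Security: max-age=15552000; includeSubDomains\r\n\r\n')"

main() {
  nginx_https_only_conf example.com /etc/ssl/example.com.crt /etc/ssl/example.com.key
  if printf '%s\n' "$GOOD_HTTP_RESPONSE" | redirect_ok; then
    echo "sample HTTP response: redirect ok"
  else
    echo "sample HTTP response: no HTTPS redirect"
  fi
  if printf '%s\n' "$GOOD_HTTPS_RESPONSE" | hsts_ok; then
    echo "sample HTTPS response: HSTS ok"
  fi
}

main
```

Against a live site the check is `curl -sI http://example.com/ | redirect_ok`; the constructed responses in the block only stand in for that output so the script runs offline.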
That's all I have for today. Hope you enjoyed!