Ssl – Transferring SSL certificate to new server

godaddysslssl-certificate

We're swicthing from an OSCommerce website to Magento and are also swicthing servers. The old server is on Apache and our new one is on NGINX. The SSL certificate we have seems to have been purchased from GODADDY.

I've almost figured out how to switch our SSL certifcate from our old server to our new server. But have a few questions?

1. REKEY CERTIFICATE

I've discovered three types of SSL files from the old OSCommerce site apache virtual host:

SSLCertificateFile /etc/apache2/ssl/11-2013/09********ss.crt
SSLCertificateKeyFile /etc/apache2/ssl/11-2013/server.key
SSLCertificateChainFile /etc/apache2/ssl/11-2013/gd_bundle.crt

Can I just copy these to a location on the new server and reference them in the NGINX configuration file? Or do I need to generate a new ssl key, re-key the crt file(which one)?

2. NGINX CONFIGURATION
The NGINX configuration only seems to need reference to two files Apache does?

# Specify path to your SSL certificates.
#ssl_certificate /etc/nginx/certificates/yourcertificate.crt;
#ssl_certificate_key /etc/nginx/certificates/yourcertificate.key;

Which CRT file should I reference for NGINX, what about the other one?

3. SSL 3.0 & SHA1
When I check our site on DigiCert's SSL checker it says:

Protocol Support

TLS 1.0, SSL 3.0

SSL 3.0 is an outdated protocol version with known vulnerabilities.

SSL certificate

Common Name = ourdomain.com

Subject Alternative Names = ourdomain.com, www.ourdomain.com

Issuer = Go Daddy Secure Certification Authority

Serial Number = *****************

SHA1 Thumbprint = ***************************

Key Length = 4096 bit

Signature algorithm = SHA1 + RSA (deprecated)

Secure Renegotiation: Supported

How do I ensure we are using the correct protocol & SHA? Is this something I change in the new nginx configuration file?

Best Answer

ssl_certificate_key should contain what's presently in server.key, ie they server's unencrypted private key.

ssl_certificate should contain the server's certificate and the certificate chain, as explained in the documentation, in that order. So, that's basically the output of cat 09********ss.crt gd_bundle.crt

A handy online tool to quickly check out what exactly each of these -----BEGIN CERTIFICATE----- / -----END CERTIFICATE----- blocks contain is https://www.sslshopper.com/certificate-decoder.html - if you have a machine with openssl installed available, you can of course use 

openssl x509 -in certificate.crt -text -noout

With respect to the SSL/TLS configuration, I like this page in the Mozilla wiki. It explains most of the acronyms that you may encounter, and gives sound advice relative to sensible configurations. There's an accompanying online tool that will create reference setups for Apache, nginx, haproxy and the AWS LB, here. As an example, a full nginx config, featuring OCSP stapling and HSTS using the intermediate profile looks like this, but you need to understand that these profiles evolve and should thus be updated regularly.

server {
    listen 443 ssl;

    # certs sent to the client in SERVER HELLO are concatenated in ssl_certificate
    ssl_certificate /path/to/signed_cert_plus_intermediates;
    ssl_certificate_key /path/to/private_key;
    ssl_session_timeout 1d;
    ssl_session_cache shared:SSL:50m;

    # Diffie-Hellman parameter for DHE ciphersuites, recommended 2048 bits
    ssl_dhparam /path/to/dhparam.pem;

    # intermediate configuration. tweak to your needs.
    ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
    ssl_ciphers 'ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:AES:CAMELLIA:DES-CBC3-SHA:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!MD5:!PSK:!aECDH:!EDH-DSS-DES-CBC3-SHA:!EDH-RSA-DES-CBC3-SHA:!KRB5-DES-CBC3-SHA';
    ssl_prefer_server_ciphers on;

    # HSTS (ngx_http_headers_module is required) (15768000 seconds = 6 months)
    add_header Strict-Transport-Security max-age=15768000;

    # OCSP Stapling ---
    # fetch OCSP records from URL in ssl_certificate and cache them
    ssl_stapling on;
    ssl_stapling_verify on;

    ## verify chain of trust of OCSP response using Root CA and Intermediate certs
    ssl_trusted_certificate /path/to/root_CA_cert_plus_intermediates;

    resolver <IP DNS resolver>;

    ....
}

Once all that put in place and tested, head over to ssllabs and run a test. If you missed something, you'll see what still needs to be done.

Related Topic