We're switching from an OSCommerce website to Magento and are also switching servers. The old server is on Apache and our new one is on NGINX. The SSL certificate we have seems to have been purchased from GODADDY.
I've almost figured out how to switch our SSL certificate from our old server to our new server. But I have a few questions:
1. REKEY CERTIFICATE
I've discovered three types of SSL files from the old OSCommerce site apache virtual host:
SSLCertificateFile /etc/apache2/ssl/11-2013/09********ss.crt
SSLCertificateKeyFile /etc/apache2/ssl/11-2013/server.key
SSLCertificateChainFile /etc/apache2/ssl/11-2013/gd_bundle.crt
Can I just copy these to a location on the new server and reference them in the NGINX configuration file? Or do I need to generate a new SSL key and re-key the crt file (which one)?
2. NGINX CONFIGURATION
The NGINX configuration only seems to need references to two files, unlike Apache?
# Specify path to your SSL certificates.
#ssl_certificate /etc/nginx/certificates/yourcertificate.crt;
#ssl_certificate_key /etc/nginx/certificates/yourcertificate.key;
Which CRT file should I reference for NGINX, and what about the other one?
3. SSL 3.0 & SHA1
When I check our site on DigiCert's SSL checker it says:
Protocol Support
TLS 1.0, SSL 3.0
SSL 3.0 is an outdated protocol version with known vulnerabilities.
SSL certificate
Common Name = ourdomain.com
Subject Alternative Names = ourdomain.com, www.ourdomain.com
Issuer = Go Daddy Secure Certification Authority
Serial Number = *****************
SHA1 Thumbprint = ***************************
Key Length = 4096 bit
Signature algorithm = SHA1 + RSA (deprecated)
Secure Renegotiation: Supported
How do I ensure we are using the correct protocol & SHA? Is this something I change in the new nginx configuration file?
Best Answer
ssl_certificate_key should contain what's presently in server.key, i.e. the server's unencrypted private key.
ssl_certificate should contain the server's certificate and the certificate chain, as explained in the documentation, in that order. So, that's basically the output of: cat 09********ss.crt gd_bundle.crt
A handy online tool to quickly check out what exactly each of these -----BEGIN CERTIFICATE----- / -----END CERTIFICATE----- blocks contain is https://www.sslshopper.com/certificate-decoder.html - if you have a machine with openssl installed available, you can of course use
With respect to the SSL/TLS configuration, I like this page in the Mozilla wiki. It explains most of the acronyms that you may encounter, and gives sound advice relative to sensible configurations. There's an accompanying online tool that will create reference setups for Apache, nginx, haproxy and the AWS LB, here. As an example, a full nginx config, featuring OCSP stapling and HSTS using the intermediate profile looks like this, but you need to understand that these profiles evolve and should thus be updated regularly.
Once all that is put in place and tested, head over to ssllabs and run a test. If you missed something, you'll see what still needs to be done.
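As an added example (my own script, not part of the answer above), here is a POSIX shell script that assembles the single file nginx wants for ssl_certificate in the order the answer describes, then checks three things before deployment: that server.key matches the certificate, that the server certificate (not the intermediate) is the first PEM block and verifies against the bundle, and which signature algorithm the certificate carries (a SHA-1 signature can only be fixed by having GoDaddy reissue it, whereas the protocol list is an nginx setting). It assumes the openssl CLI is installed; the certificates it generates are constructed stand-ins for 09********ss.crt, gd_bundle.crt and server.key.

```shell
#!/bin/sh
# Added example; assumes the openssl CLI. Certificates generated here are
# constructed stand-ins for 09********ss.crt, gd_bundle.crt and server.key.
set -e

# Constructed test material: a throwaway CA (standing in for the bundle) and a
# leaf it signs, so every check below runs offline.
make_test_certs() {
  openssl req -x509 -newkey rsa:2048 -nodes -subj "/CN=Test Intermediate CA" \
    -days 2 -keyout "$1/ca.key" -out "$1/gd_bundle.crt" >/dev/null 2>&1
  openssl req -newkey rsa:2048 -nodes -subj "/CN=ourdomain.com" \
    -keyout "$1/server.key" -out "$1/server.csr" >/dev/null 2>&1
  openssl x509 -req -in "$1/server.csr" -CA "$1/gd_bundle.crt" -CAkey "$1/ca.key" \
    -CAcreateserial -days 1 -out "$1/server.crt" >/dev/null 2>&1
}

# ssl_certificate takes ONE file: the server certificate first, then the chain.
build_chain() { cat "$1" "$2" > "$3"; }

# Check 1: the private key must belong to the certificate (compare public keys).
key_matches_cert() {   # $1 combined file, $2 private key
  [ "$(openssl x509 -in "$1" -noout -pubkey)" = "$(openssl pkey -in "$2" -pubout)" ]
}

# Check 2: the first PEM block must be the server cert (openssl x509 reads only
# the first block) and it must verify against the bundle.
chain_ok() {           # $1 combined file, $2 expected CN, $3 bundle
  case "$(openssl x509 -in "$1" -noout -subject)" in
    *"CN = $2"*|*"CN=$2"*) ;;
    *) return 1 ;;
  esac
  openssl verify -CAfile "$3" "$1" >/dev/null 2>&1
}

# Check 3: the signature algorithm of the first certificate, e.g. sha1WithRSAEncryption.
sig_alg() { openssl x509 -in "$1" -noout -text | sed -n 's/^ *Signature Algorithm: //p' | head -n 1; }

# Protocols are chosen in nginx, not in the certificate: leave SSL 3.0 out.
nginx_ssl_fragment() { # $1 combined file, $2 private key
  printf 'ssl_certificate     %s;\nssl_certificate_key %s;\nssl_protocols       TLSv1.2 TLSv1.3;\n' "$1" "$2"
}

# Run everything end to end on the constructed material.
run_demo() {
  d=$(mktemp -d)
  make_test_certs "$d"
  build_chain "$d/server.crt" "$d/gd_bundle.crt" "$d/chain.pem"
  key_matches_cert "$d/chain.pem" "$d/server.key" || return 1
  chain_ok "$d/chain.pem" ourdomain.com "$d/gd_bundle.crt" || return 1
  case "$(sig_alg "$d/chain.pem")" in *sha1*) return 1 ;; esac
  nginx_ssl_fragment "$d/chain.pem" "$d/server.key"
}
run_demo
```

Swap the constructed files for the real ones and the same three checks apply unchanged; a SHA-1 result from sig_alg means requesting a reissued certificate, not editing nginx.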