Server Fault Stack Exchange
Server Fault Stack Exchange

Questions tagged [ssl]

SSL and its successor, TLS, are encryption and authentication protocols that encrypt the full contents of a TCP connection, as well as potentially verifying the identities of the devices making the connection.

SSL and its successor - TLS - is primarily used to encrypt the connection between two applications at the presentation layer. It is most often used to secure websites in the form of HTTPS protocol but can also be used for other protocols and applications.

7024 questions
80
votes
5 answers

Does each server behind a load balancer need their own SSL certificate?

If you have 5 web servers behind a load balancer (such as haproxy) and they are serving up content for the same domain, do you need SSL certificates for all the servers, or can you use the same certificate on each server? I know you can put all SSL…
Derek Gathright
  • 911
  • 1
  • 7
  • 5
80
votes
5 answers

Best location to keep SSL certificates and private keys on Ubuntu servers?

On Ubuntu, it looks like the best place for a private key used to sign a certificate (for use by nginx) is in /etc/ssl/private/ This answer adds that the certificate should go in /etc/ssl/certs/ but that seems like an unsafe place. Do .crt files…
Adam Nelson
  • 1,647
  • 3
  • 14
  • 12
78
votes
6 answers

Generating a self-signed cert with openssl that works in Chrome 58

As of Chrome 58 it no longer accepts self-signed certs that rely on Common Name: https://productforums.google.com/forum/#!topic/chrome/zVo3M8CgKzQ;context-place=topicsearchin/chrome/category$3ACanary%7Csort:relevance%7Cspell:false Instead it…
bcardarella
  • 1,737
  • 2
  • 12
  • 10
78
votes
11 answers

Remove "www" and redirect to "https" with nginx

I want to create a rule in nginx that does two things: Removes the "www." from the request URI Redirects to "https" if the request URI is "http" There are plenty of examples of how to do each of those things individually, but I can't figure out a…
Devin
  • 903
  • 1
  • 8
  • 8
73
votes
6 answers

Why are CA root certificates all SHA-1 signed (since SHA-1 is deprecated)?

I understand that SSL certs cannot be signed using SHA-1 anymore. Yet, all CA root certificates are SHA-1 signed (mostly). Does it mean the same algorithm that is no longer trusted for "you grandma SSL shop" is fine for the uttermost top secured…
131
  • 887
  • 1
  • 6
  • 10
73
votes
8 answers

Is STARTTLS less safe than TLS/SSL?

In Thunderbird (and I assume in many other clients, too) I have the option to choose between "SSL/TLS" and "STARTTLS". As far as I understand it, "STARTTLS" means in simple words "encrypt if both ends support TLS, otherwise don't encrypt the…
Foo Bar
  • 869
  • 1
  • 6
  • 10
72
votes
2 answers

Must CSRs be generated on the server that will host the SSL certificate?

Is it necessary to generate the CSR (Certificate Signing Request) on the same machine that will host my web application and SSL certificate? This page on SSL Shopper says so, but I'm not sure if that's true, because it would mean I'd have to buy a…
Mike M. Lin
  • 901
  • 1
  • 7
  • 8
69
votes
2 answers

Apache ProxyPass with SSL

I want to proxy requests from an SSL site via a non-SSL site. My Apache httpd.conf looks like this: ServerName foo.com ProxyPass / https://bar.com/ So, when I visit http://foo.com, I expect apache to…
tylerl
  • 15,055
  • 7
  • 51
  • 72
65
votes
4 answers

How to decide where to purchase a wildcard SSL certificate?

Recently I needed to purchase a wildcard SSL certificate (because I need to secure a number of subdomains), and when I first searched for where to buy one I was overwhelmed with the number of choices, marketing claims, and price range. I created a…
user664833
  • 1,277
  • 1
  • 11
  • 13
60
votes
11 answers

Why do I need to purchase an SSL certificate when I can generate one locally?

I am having trouble understanding why we need to purchase SSL certificates when we can generate them locally using openSSL. What is the difference between the certificate I purchase and a test certificate I generate locally? Is it just a big scam?
S-K'
  • 1,301
  • 3
  • 11
  • 15
60
votes
2 answers

What Should be the Permissions of Apache SSL Directory, Certificate, and Key?

I have my cert.pem and cert.key files in /etc/apache2/ssl folders. What would be the most secure permissions and ownership of: /etc/apache2/ssl directory /etc/apache2/ssl/cert.pem file /etc/apache2/ssl/cert.key file (Ensuring https:// access…
JP19
59
votes
4 answers

Download SSL certificate from aws certificate manager

I am using aws certificate manager for managing SSL. Recently I purchased a wildcard ssl *.example-private.com Now I need that SSL certificate to deploy on enterprise git instance on aws. How can i download ssl from aws?
Shailesh Sutar
  • 1,517
  • 5
  • 23
  • 41
59
votes
3 answers

Configure custom SSL certificate for RDP on Windows Server 2012 (and later) in Remote Administration mode?

So the release of Windows Server 2012 has removed a lot of the old Remote Desktop related configuration utilities. In particular, there is no more Remote Desktop Session Host Configuration utility that gave you access to the RDP-Tcp properties…
Ryan Bolger
  • 16,755
  • 4
  • 42
  • 64
58
votes
8 answers

Apache: SSLCertificateKeyFile: file does not exist or is empty

I am configuring SSL for Apache 2. My system is Ubuntu Server 10.04 LTS. I have the following settings related to SSL in my vhost configuration: SSLEngine On SSLCertificateKeyFile /etc/ssl/private/server.insecure.key SSLCertificateFile …
blueFast
  • 4,200
  • 13
  • 37
  • 54
57
votes
9 answers

How can I disable TLS 1.0 and 1.1 in apache?

Does anyone know why i can't disable tls 1.0 and tls1.1 by updating the config to this. SSLProtocol all -SSLv2 -SSLv3 -TLSv1 -TLSv1.1 After doing this, i reload apache I do an ssl scan using ssllabs or comodo ssl tool, and it still says tls 1.1…
David
  • 683
  • 2
  • 6
  • 8
1
2
3
99 100