Is production: true
#migrated #outdated

Title: Creating https system

Created: 20 Nov 2019 Modified: 20 Nov 2019

Description: A guideline about SSL setup for an application behind nginx or for a Spring application



Normally, securing a website with SSL involves quite a lot of steps.

Approaches

The details differ depending on the type of application server (or Apache) in use.

The basic approaches are listed below:

  1. Create an application that serves https directly

  2. Place the application behind a reverse proxy server (e.g. nginx) that terminates TLS and forwards requests to the application

Approach 1

This approach is more secure than approach 2, since the payload is encrypted end to end between the web client and the application. But the setup varies with the application and framework, so developers have to study the language and framework in depth.

Approach 2

This approach uses the reverse proxy server to handle the encryption between the web client and the application. The reverse proxy server has to be located inside a trusted network, and the connection between the reverse proxy and the application should be secured by an extra method, since that hop is otherwise plaintext. This approach meets the general security requirements and fits a microservice architecture, which separates the responsibility for security from the business logic.

SSL certificate procurement

Buy SSL

The simplest way to get an ssl certificate is to buy one from an SSL provider.

  1. Buy an ssl cert online from an ssl cert provider

  2. Generate a CSR [Link]

    openssl req -new -newkey rsa:2048 -nodes -keyout server.key -out server.csr
    
  3. Submit the ssl cert request (the CSR) to the cert provider

  4. There will be a validation process, through email, a DNS TXT record, or a more restrictive validation method

  5. If the process passes, the cert files will be sent by email

Setup SSL certificate from provider to webserver

Normally, the SSL provider will return a zip file containing two or three files:

  1. xxxx.cert

  2. xxxx.ca-bundle (or a CA cert and an intermediate cert, which can simply be concatenated with cat to obtain xxxx.ca-bundle)

When using Apache, xxxx.cert, xxxx.ca-bundle and server.key can be used directly by the Apache server.

When using Java Spring, a xxxx.p12 file is needed, so the cert has to be converted into PKCS12 format. [Link]

    openssl pkcs12 -export -in xxxx.crt -inkey server.key -certfile xxxx.ca-bundle -out keystore.p12
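The script below is an added example, not part of the original note, that runs the CSR step and the PKCS12 conversion step above end to end and adds the checks worth doing before the keystore goes near a server. It assumes only that the openssl CLI is on PATH. Because the provider's signed certificate cannot be fetched offline, a throwaway local CA (constructed here) signs the CSR and stands in for the provider's xxxx.cert and xxxx.ca-bundle; the host name www.example.test, the alias tomcat and the password changeit are demo values.

```shell
#!/bin/sh
# Added walk-through (not from the original note): the note's CSR and
# PKCS#12 steps end to end, plus the checks worth doing before deploying.
# Assumes only the openssl CLI. The provider's signed cert cannot be fetched
# offline, so a constructed local CA stands in for the provider here.
set -eu

WORK="${TMPDIR:-/tmp}/https-demo.$$"
mkdir -p "$WORK"

# Step 2 of the note: private key + CSR. -subj answers the prompts so this
# runs unattended; use the real host name in CN (and a SAN) in practice.
make_csr() {
  openssl req -new -newkey rsa:2048 -nodes \
    -keyout "$WORK/server.key" -out "$WORK/server.csr" \
    -subj "/CN=www.example.test/O=Demo" >/dev/null 2>&1
  # The CSR must be well-formed and self-signed by the key it carries.
  openssl req -in "$WORK/server.csr" -noout -verify >/dev/null 2>&1
}

# Stand-in for steps 3-5: a throwaway CA (constructed here) signs the CSR
# and plays the role of the provider's xxxx.cert + xxxx.ca-bundle.
issue_cert_locally() {
  openssl req -x509 -new -newkey rsa:2048 -nodes -days 1 \
    -keyout "$WORK/ca.key" -out "$WORK/ca-bundle.crt" \
    -subj "/CN=Demo Root CA" >/dev/null 2>&1
  openssl x509 -req -in "$WORK/server.csr" -days 1 \
    -CA "$WORK/ca-bundle.crt" -CAkey "$WORK/ca.key" -CAcreateserial \
    -out "$WORK/server.crt" >/dev/null 2>&1
}

# Check 1: the cert that came back must belong to our private key.
# Compare the public key derived from each; a mismatch means the wrong
# key or the wrong cert is about to be deployed.
cert_matches_key() {
  a=$(openssl x509 -in "$WORK/server.crt" -noout -pubkey | openssl sha256)
  b=$(openssl pkey -in "$WORK/server.key" -pubout | openssl sha256)
  [ "$a" = "$b" ]
}

# Check 2: the cert chains to the bundle, i.e. what a browser will verify.
chain_verifies() {
  openssl verify -CAfile "$WORK/ca-bundle.crt" "$WORK/server.crt" >/dev/null 2>&1
}

# Final step of the note: PKCS#12 keystore for Spring. -certfile embeds the
# bundle so the server sends the full chain; the password is a demo value.
make_p12() {
  openssl pkcs12 -export -in "$WORK/server.crt" -inkey "$WORK/server.key" \
    -certfile "$WORK/ca-bundle.crt" -name tomcat \
    -out "$WORK/keystore.p12" -passout pass:changeit >/dev/null 2>&1
}

# Check 3: read the keystore back and count the certificates it holds
# (leaf + CA here = 2). A count of 1 means the chain was left out.
p12_cert_count() {
  openssl pkcs12 -in "$WORK/keystore.p12" -passin pass:changeit -nokeys 2>/dev/null \
    | grep -c 'BEGIN CERTIFICATE'
}

make_csr
issue_cert_locally
cert_matches_key
chain_verifies
make_p12
echo "keystore: $WORK/keystore.p12 (certs in chain: $(p12_cert_count))"
```

With a real provider, replace issue_cert_locally by copying the delivered xxxx.cert to server.crt and xxxx.ca-bundle to ca-bundle.crt and run the same three checks: a key mismatch and a missing intermediate are the two most common reasons a freshly installed certificate fails in the browser while looking fine on disk. The script leaves its files under $WORK for inspection; remove the directory when done, and never commit server.key or the keystore to source control.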

[[Legacy Link]](https://xeth0102.atlassian.net/wiki/spaces/DW/blog/2019/11/20/259522561/Creating+https+system)