Know How To Roll Your SSL Certificates - zrail
https://www.petekeen.net/know-how-to-roll-your-ssl-certificates

======
spacefight
"There's not much you can do to protect yourself against a service provider's
certificate expiring,"

Well if you're a large bank or a heavyweight payment processor where an outage
means lost $$$$ and not only $, you could easily have a few SSL certs from
various root certs ready and roll one of them out once the sh*t hits the fan.

~~~
bwblabs
1) monitor the complete certificate chain

2) indeed have a backup certificate ready (might be non-EV); this is
especially a must if you use HSTS [1] (which you should use, BTW). It is
actually a (low priority) government recommendation (B5-6) in the Netherlands
[2], but that might have something to do with the government heavily using
DigiNotar, which got compromised and had its root certificates revoked by
Microsoft, which caused some communication issues.

[1]
[https://en.wikipedia.org/wiki/HTTP_Strict_Transport_Security](https://en.wikipedia.org/wiki/HTTP_Strict_Transport_Security)

[2] [https://www.ncsc.nl/binaries/nl/dienstverlening/expertise-
ad...](https://www.ncsc.nl/binaries/nl/dienstverlening/expertise-
advies/kennisdeling/whitepapers/ict-beveiligingsrichtlijnen-voor-
webapplicaties/1/ICT%2Bbeveiligingsrichtlijnen%2Bvoor%2Bwebapplicaties%2B%2B%2Bdeel%2B1%2B%2Bleesversie%2B.pdf)
(in Dutch)

~~~
peterwwillis
If you want to verify the complete chain or see if any of it has expired, I
wrote some tools that'll do just that. They use a pre-existing directory of CA
certs (which you can generate with the included Makefile and cacert.pem) and
download intermediaries.

[https://github.com/psypete/public-bin/tree/public-
bin/src/ne...](https://github.com/psypete/public-bin/tree/public-
bin/src/networking/check-ssl)

------
simme_

        Just make a monthly recurring entry in your calendar that says "Check SSL certificates". 
    

If you rely on your calendar, it's simpler to create an entry in your calendar
for changing the certificate a few days prior to its expiration date. Monthly
reminders will be ignored too easily.

~~~
dice
Better yet, add an SSL check to your monitoring system: open a ticket when
it's going to expire in 30 days.

~~~
zrail
FYI I updated the post to mention monitoring systems.

------
Someone1234
> This is easy. Just make a monthly recurring entry in your calendar that says
> "Check SSL certificates".

I was honestly expecting them to reference a monitoring service. It is
possible to do for free with Nagios if you have a Linux box kicking around on
your network. There are also paid services who will monitor your certificates
and send you a nice email when there is 30 days left to renew (including
several SSL registers).

~~~
spacefight
Yes, do it automated and do it daily or even multiple times a day.

~~~
miken123
You need to automate it if you have more than 1 site. If you have just one
site, you can just check the expiry date and put that in your calendar. No
need to check it on a monthly basis, no clue why the author of the post would
suggest that.

~~~
spacefight
Even root or intermediate certificates can be misconfigured without notice; it
doesn't always need to be the expiry-date case.
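A concrete version of the checks this thread keeps coming back to (monitor the whole chain, not just the leaf; warn with 30 days to go; treat an already-expired or unparseable intermediate as critical), as an added example that is not code from the original post or from the tools linked above. It assumes the openssl command-line tool is installed and that the chain is a PEM bundle (leaf plus intermediates, as you would hand to a web server); file names and the 30-day threshold are placeholders.

```shell
#!/bin/sh
# Added example (not from the original post): Nagios-style expiry check for every
# certificate in a PEM bundle, not just the leaf. Exit codes: 0 OK, 1 WARNING
# (expires within N days), 2 CRITICAL (already expired or not a certificate).
# Assumes the openssl CLI is installed; file names below are placeholders.

# split_bundle BUNDLE OUTDIR: write each CERTIFICATE block of BUNDLE to its own
# file in OUTDIR and print the file names, one per line.
split_bundle() {
    awk -v d="$2" '
        /-----BEGIN CERTIFICATE-----/ { n++; f = sprintf("%s/cert-%02d.pem", d, n); inside = 1 }
        inside { print > f }
        /-----END CERTIFICATE-----/ { inside = 0; close(f) }
    ' "$1"
    ls "$2"/cert-*.pem 2>/dev/null
}

# check_cert FILE DAYS: 0 if FILE stays valid for more than DAYS days,
# 1 if it expires within DAYS days, 2 if already expired or not a certificate.
# "openssl x509 -checkend SECONDS" returns 0 when the certificate is still valid
# SECONDS from now and 1 otherwise, so no date parsing is needed.
check_cert() {
    openssl x509 -in "$1" -noout >/dev/null 2>&1 || return 2
    openssl x509 -in "$1" -noout -checkend 0 >/dev/null || return 2
    openssl x509 -in "$1" -noout -checkend "$(( $2 * 86400 ))" >/dev/null || return 1
    return 0
}

# check_bundle BUNDLE DAYS: run check_cert over every certificate in BUNDLE,
# print one status line per certificate and return the worst status seen.
check_bundle() {
    bundle=$1; days=$2; worst=0
    tmp=$(mktemp -d) || return 2
    for f in $(split_bundle "$bundle" "$tmp"); do
        st=0; check_cert "$f" "$days" || st=$?
        printf 'status=%s %s %s\n' "$st" \
            "$(openssl x509 -in "$f" -noout -subject)" \
            "$(openssl x509 -in "$f" -noout -enddate)"
        if [ "$st" -gt "$worst" ]; then worst=$st; fi
    done
    rm -rf "$tmp"
    return "$worst"
}

# Usage from cron or a Nagios command definition (placeholder path):
#   check_chain.sh /etc/ssl/certs/www.example.com.chain.pem 30
if [ -n "${1:-}" ]; then
    check_bundle "$1" "${2:-30}"
    exit $?
fi
```

Run it against the exact bundle the server serves (for example the output of `openssl s_client -showcerts`, saved to a file) rather than against the leaf you received from the CA, or an expired intermediate slips through exactly as described above.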

------
tilsammans
I'd go with 2048 RSA key length, and put the certificate subject straight in
the command line:

    
    
      openssl req -nodes -newkey rsa:2048 -keyout www.example.com.2014.key -out www.example.com.2014.csr -subj "/C=COUNTRY/ST=STATE/L=CITY/O=COMPANY/OU=/CN=www.example.com"
    

I have exactly this in an Ansible playbook
[https://github.com/tilsammans/playbook](https://github.com/tilsammans/playbook)
(for rails).

~~~
zrail
The `genrsa` command is generating 2048 bit keys already. I added `-sha256`
and `-utf8` based on some other feedback, though. Thanks!

~~~
AlyssaRowan
The "default" in many configs is still actually 1024 bits, which is of course
too small.

------
bwblabs

      Process
      - Know where your key is
      - Know how to generate a new CSR from that key
    

It's advised to use a NEW private key, in case there was a private key
compromise you didn't know about.

Also see
[https://www.ssllabs.com/downloads/SSL_TLS_Deployment_Best_Pr...](https://www.ssllabs.com/downloads/SSL_TLS_Deployment_Best_Practices_1.3.pdf)
(point 1.2).

BTW there is NO reason to regenerate the CSR if you reuse the private key.

~~~
zrail
Ah, that makes total sense. I'll update the post and the script.

Thanks!

 _Edit: updated_

~~~
mortenlarsen
You should not reuse private keys; you are wasting an opportunity to replace
one if it has been compromised without your knowledge.
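One way to turn "use a new key" from something you remember into something you verify, as an added example that is not the post's or its script's own code: fingerprint the public key held in the key file, the CSR and the issued certificate, refuse a "new" CSR that still carries last year's key, and refuse to deploy a certificate that does not match the key you are about to install. It assumes the openssl CLI; file names are placeholders, and the self-signed certificate in the usage comment stands in for what the CA would return.

```shell
#!/bin/sh
# Added example (not from the original post): confirm that key, CSR and
# certificate all carry the same public key, and that a rolled CSR really was
# made from a fresh key. Assumes the openssl CLI; file names are placeholders.

# pubkey_fpr KIND FILE: SHA-256 of the DER-encoded public key held in FILE,
# where KIND is key, csr or cert. The same key gives the same fingerprint no
# matter which of the three containers it is read from.
pubkey_fpr() {
    case "$1" in
        key)  pem=$(openssl pkey -in "$2" -pubout 2>/dev/null) ;;
        csr)  pem=$(openssl req  -in "$2" -noout -pubkey 2>/dev/null) ;;
        cert) pem=$(openssl x509 -in "$2" -noout -pubkey 2>/dev/null) ;;
        *)    echo "pubkey_fpr: kind must be key, csr or cert" >&2; return 2 ;;
    esac
    [ -n "$pem" ] || return 1
    printf '%s\n' "$pem" | openssl pkey -pubin -outform DER | openssl dgst -sha256 | sed 's/^.*= //'
}

# same_key KIND1 FILE1 KIND2 FILE2: 0 if both files hold the same public key,
# 1 if they differ or either file cannot be read.
same_key() {
    a=$(pubkey_fpr "$1" "$2") || return 1
    b=$(pubkey_fpr "$3" "$4") || return 1
    [ -n "$a" ] && [ "$a" = "$b" ]
}

# roll_key OLDKEY NEWKEY NEWCSR SUBJECT: generate a fresh 2048-bit key and a
# CSR for the renewal, then fail if the new CSR still carries OLDKEY's public
# key (the symptom of a renewal script that quietly reused the old key file).
roll_key() {
    openssl req -nodes -newkey rsa:2048 -sha256 -utf8 \
        -keyout "$2" -out "$3" -subj "$4" >/dev/null 2>&1 || return 1
    if same_key key "$1" csr "$3"; then
        echo "refusing: $3 was generated from the old key $1" >&2
        return 1
    fi
    same_key key "$2" csr "$3"
}

# Before deploying the certificate the CA returns, check it matches the new key
# (placeholder names, following the year-suffixed naming used in this thread):
#   same_key key www.example.com.2015.key cert www.example.com.2015.crt || exit 1
# A mismatch here is the classic "server won't start / handshake fails" outage.
```

Comparing fingerprints of the DER public key (rather than the older `openssl rsa -modulus | md5sum` trick) works for any key type the server might use, not only RSA.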

------
relix
If you want to be notified when your SSL certificates are about to expire, or
when there's something wrong with them, I'm building a SaaS that will keep
track of these things for you:

[http://www.domainsquire.com/](http://www.domainsquire.com/)

~~~
devd
Best of luck with this! I had the same idea, but I prototyped a hack using
django admin + cron jobs.

------
joseacta
You can also configure alerts to be sent when domains and SSL certificates
expire using Expiration Reminder. We already have customers using it
specifically for SSLs:

[http://www.expirationreminder.net](http://www.expirationreminder.net)

------
kondro
All the certificate providers I've used get pretty insistent about renewing
certs (given the huge cash-cow it is for them), I'm surprised this is a very
common issue.

~~~
lucaspiller
I'd guess a lot of issues are it going to old email addresses. Either staff
who have left, team or company names changing, etc.

------
yawniek
slightly off topic: I wonder why google (or mozilla) do not add something like
a "less secure" root CA service where everybody can get an ssl cert for free
(after showing control over the domain).

this would degrade the annoying message to a simple warning and probably make
lots of hobbyist websites use only ssl.

(if you have to choose between annoying your users or just using plain http, I
guess many choose the latter.)

~~~
bwblabs
Ever heard of StartSSL Free?

[https://www.startssl.com/?app=39](https://www.startssl.com/?app=39)

~~~
simoncarter
StartSSL is great. I'm able to roll and go live with SSL certs, now that I've
written down the process, in less than half an hour, with checking and all the
other stuff involved.

~~~
nucleardog
As much as I like the idea of free SSL certificates... For anything beyond a
personal site, even an hour is crazy.

I can have a basic SSL certificate in 15 minutes at the outside for like $8.
My time at work is worth a lot more than $8/hr.

~~~
simoncarter
I'm intrigued to know how the process for an $8 cert is different from that of
a basic free StartSSL cert. The last paid-for certificate I got was a year ago,
and getting a StartSSL certificate is just as streamlined a process as the
paid one. The only thing I can think of is if you are talking about
certificates with wildcard matching, which will save time on the individual
certificates you have to get when free. But for $8, is it possible to get a
wildcard-matching one?

------
zdw
A good guide to creating your own CA to go with this:

[https://pki-tutorial.readthedocs.org](https://pki-tutorial.readthedocs.org)

~~~
tallanvor
Setting up your own CA is fine for certificates that will only be used
internally, but anything customer facing needs a customer issuing certificate
(unless you're a large enough company that can afford to get a certificate
that allows you to sign new certs.)

