Table of Contents

SSL Certificates - Basics

SSL (Secure Socket Layer) certificates are used to secure online communications and establish trust between a website and its users. They do this by encrypting the data being transmitted and authenticating the website's identity.

An SSL certificate contains information about the identity of a website and the organization that operates it, as well as a public key used to encrypt communication. When a user's browser connects to a website with an SSL certificate, it verifies the certificate's authenticity and creates a secure, encrypted connection. This protects sensitive information, such as login credentials and credit card numbers, from being intercepted by attackers.

What’s the difference between TLSand SSL?

TLS (Transport Layer Security) is the successor to SSL (Secure Socket Layer). While SSL is no longer widely used, it is still commonly referred to as SSL, but in reality it's using TLS.

The main difference between SSL and TLS is that TLS is an improved and more secure version of SSL. TLS uses stronger encryption algorithms and has better protection against security threats, such as man-in-the-middle attacks. TLS is also more flexible and allows for negotiation of the encryption algorithms used between the client and server.

Both SSL and TLS are cryptographic protocols that provide secure communication over the internet. They are used to encrypt sensitive data, such as credit card numbers and login credentials, when transmitted between a client and server. However, it's recommended to use TLS instead of SSL for increased security.

How to use OpenSSL to generate a certificate for personal use (self-hosting, internal/LAN sites)

1. Install OpenSSL:

1.1. Generate a private key:

 openssl genpkey -algorithm RSA -out private_key.pem -aes256

2. Create a certificate signing request (CSR):

(The CSR is a file that contains information about your website and your public key. It is sent to a certificate authority (CA) to request a certificate.)

 openssl req -new -key private_key.pem -out cert.csr

3. Self-sign the certificate:

(Since you're generating a personal certificate, you'll be signing it yourself instead of sending it to a CA.)

 openssl x509 -req -days 365 -in cert.csr -signkey private_key.pem -out certificate.crt

4. Configure the web server.

How to create a wildcard SSL Certificate on Debian Bullseye using Cloudflare DNS

Step 1: Install Certbot

  1. Open a terminal on your Debian Bullseye server.
  2. Update the package list and install the Certbot package:
sudo apt update && sudo apt upgrade
sudo apt install certbot

Step 2: Install Certbot Cloudflare DNS Plugin

  1. Install the Certbot Cloudflare DNS plugin using pip:
sudo apt install python3-pip
sudo pip3 install certbot-dns-cloudflare

Step 3: Configure Cloudflare API Token

  1. Log in to Cloudflare Dashboard: Open a web browser and log in to your Cloudflare account.
  2. Navigate to API Tokens: Once logged in, click on your profile picture in the top-right corner and select “My Profile.”
  3. Access API Tokens: In the left sidebar, click on “API Tokens.”
  4. Create a Token: Click on the “Create Token” button.
  5. Choose Token Type: Select “Create Custom Token” since we need to define specific permissions.
  6. Configure Token:
    1. Your permissions configuration should look like this:
      1. Token Name: Give your token a meaningful name, like “Certbot DNS Token.”
      2. Permissions:
        1. Select “Zone” then “Zone” then “Edit”
        2. Click “Add more”
        3. Select “Zone” then “DNS” then “Edit”
      3. Zone Resources:
        1. Select “Include” then “Specific Zone” then the domain(s) for which you want to generate the wildcard SSL certificate
      4. You don't need to modify “Client IP Address Filtering” or “TTL”
      5. Continue to Summary:
        1. Click “Continue to Summary”
      6. Review and Create:
        1. Review your settings, make sure they are correct, and click “Create Token.”
  7. Copy API Token:
    1. Once the token is created, you will see a success message. Copy the API token immediately. This token won't be visible again, so ensure you save it securely.

API Token for DonFerris.me:
epLNvvSOs4yDvADkG4nD0KN6jSTSQwDjBvc77Frd

Step 4: Test the token

  1. Below the generated DNS token you'll see a code block for a CURL command to test the token. Follow the instructions to copy and paste that code block into a terminal window. After executing the code block you should see, in the output, “message”:“This API Token is valid and active”

Step 5: Obtain Cloudflare API Credentials

  1. Create a Cloudflare credentials file to store the API token securely. Replace YOUR_CLOUDFLARE_API_TOKEN with the actual token:
echo 'dns_cloudflare_api_token = YOUR_CLOUDFLARE_API_TOKEN' | sudo tee /etc/cloudflare.ini 
sudo chmod 600 /etc/cloudflare.ini
  1. Review the change:
cat /etc/cloudflare.ini

Step 6: Obtain the Wildcard SSL Certificate

  1. Run Certbot to obtain the wildcard certificate. Replace example.com and *.example.com with your actual domain:
sudo certbot certonly \
  --dns-cloudflare \
  --dns-cloudflare-credentials /etc/cloudflare.ini \
  --agree-tos \
  -d *.[MY_DOMAIN]
  1. Follow the prompts to provide an email address and complete the process.

Step 7: Configure Your Web Server

  1. Update your web server configuration to use the new SSL certificate. The exact steps depend on your web server (e.g., Apache, Nginx).

2.3 Verify the certificate by visiting the website and checking the security information in the browser.

Note: Let's Encrypt certificates are only valid for 90 days but certbot automates this process, renewing the certificate before it expires.

For Docker containers, certificates should be generated on the host.

2.4 Map the certificate location to the Docker container:

To make the certificate accessible to the web server running in the Docker container, map the location of the certificate on the host machine to a location within the container. This can be done using the -v option when starting the Docker container or by using a bind volume.

Wildcard certificates

A wildcard certificate is a type of SSL certificate that allows multiple subdomains with a single certificate, rather than requiring a separate certificate for each subdomain.

For the domain example.com, www.example.com and subdomain.example.com would each require individual certificates — but a wildcard certificate secures both subdomains (and all other subdomains) with a single certificate. Wildcard certificates are issued with a common name in the format *.example.com, which makes it easier and more cost-effective to secure multiple subdomains.

To generate a wildcard certificate using certbot and Let's Encrypt:

3.1 Install certbot-dns-plugins:

 sudo apt install certbot-dns-plugins

3.2 Run certbot:

 sudo certbot certonly --dns-cloudflare --email <your-email-address> --agree-tos -d '*.example.com'

3.3 Configure the DNS provider:

3.3.1 Log in to your Cloudflare account: Go to the Cloudflare website and log in to your account.

3.3.2 Create an API token: From the Cloudflare dashboard, navigate to the API Tokens page. On the API Tokens page, click the “Create Token” button.

3.3.3 Define the API token permissions: In the “Create a Token” dialog, you'll need to define the permissions for the API token. To allow certbot to make changes to your DNS records, you'll need to select the “Zone.Zone.Edit” permission. You can also select other permissions if you want to allow certbot to perform additional actions in Cloudflare.

3.3.4 Give the API token a name: Give the API token a descriptive name, such as “Certbot API Token”, so that you can easily identify it later.

Save the API token: When you're done defining the API token, click the “Save” button. Cloudflare will generate the API token and display it in the “Create a Token” dialog.

Copy the API token: Copy the API token to your clipboard, as you'll need to use it when running certbot.

With these steps, you'll have created an API token in Cloudflare that certbot can use to make changes to your DNS records. When you run certbot to generate the wildcard certificate, you'll need to use the –dns-cloudflare option, along with your email address and the API token you created, to allow certbot to make changes to your DNS records in Cloudflare.

[email protected] Are there any advantages to installing a wildcard certificate on my router? A wildcard certificate can provide several advantages when installed on a router, such as:

Convenience: A wildcard certificate allows you to secure multiple subdomains with a single certificate, making it more convenient to manage than multiple individual certificates for each subdomain.

Improved security: By securing all subdomains with a single certificate, you can reduce the risk of a subdomain being left unsecured, which can lead to security vulnerabilities.

Centralized management: With a wildcard certificate installed on a router, you can manage the certificate in a centralized location, making it easier to make updates and renew the certificate as needed.

Reduced cost: Depending on the certificate authority, a wildcard certificate may be less expensive than purchasing multiple individual certificates for each subdomain.

Improved user experience: When a subdomain is secured with a valid certificate, users can access the subdomain over a secure connection, which can help to improve their experience and increase their trust in the website.

Overall, a wildcard certificate can provide several benefits when installed on a router, especially for organizations that need to secure multiple subdomains for their website or web-based applications.

[email protected] Those are the advantages of a wildcard certificate in general. Are there advantages to installing it specifically on my router vs. any other machine on my network? Yes, there are specific advantages to installing a wildcard certificate on a router:

Centralized management: Installing the wildcard certificate on the router centralizes the certificate management, making it easier to manage the security of all subdomains on the network from a single location.

Improved network security: By securing all subdomains at the network level, you can improve the overall security of your network, as all network traffic to and from the subdomains will be encrypted.

Consistent security: Installing the wildcard certificate on the router ensures that all subdomains on the network are secured consistently, reducing the risk of a subdomain being left unsecured.

Improved performance: By using the router as a termination point for SSL/TLS traffic, you can offload SSL/TLS processing from other devices on the network, which can improve their performance and reduce the risk of performance issues.

Cost savings: Depending on the number of subdomains you need to secure, installing a wildcard certificate on the router may be more cost-effective than purchasing individual certificates for each subdomain.

Overall, installing a wildcard certificate on a router has several advantages for securing a network, including centralized management, improved security, consistent security, improved performance, and cost savings.