[Metalab Issues] #349: metalab.at, lists.metalab.at TLS certificate expires 2015-08-25, renew, improve!
Metalab Issues
issues at lists.metalab.at
Wed Jul 1 12:29:51 CEST 2015
#349: metalab.at, lists.metalab.at TLS certificate expires 2015-08-25, renew, improve!
---------------------------+--------------
 Reporter: pepi            | Status: new
 Keywords: www, tls, ipv6  |
---------------------------+--------------
The TLS certificate for metalab.at and lists.metalab.at expires on 2015-08-25.
To improve things we should use two certificates in the future:
metalab.at with SAN www.metalab.at
lists.metalab.at
Things to do for renewal for each certificate/vHost:
Generate new keys and CSR with SHA256 signature algorithm:
openssl req -nodes -newkey rsa:4096 -keyout metalab.at_2015.key -out metalab.at_2015.csr -sha256
Get new Server certificate from StartSSL.com with
metalab.at and www.metalab.at as hostnames for the main host.
lists.metalab.at for the list server host.
Generate new DH parameters for Webserver DHE/EDH ciphers for forward
secrecy.
openssl dhparam -out metalab.at_2015_dh4096.pem -2 4096
This may take a good while!
Replace Intermediate Certificate on Server with SHA2 signed one.
Get this one:
https://www.startssl.com/certs/class1/sha2/pem/sub.class1.server.sha2.ca.pem
Concatenate leaf and intermediate to chained certificate.
Upgrade Server to Apache 2.4 to fix the Logjam/WeakDH parameter security issue.
Add HSTS Header to https vHosts:
Header always set Strict-Transport-Security "max-age=15768000"
Can we add IPv6 while we're at it?
Test the servers with: (Should get an A(+) if everything is correct.)
https://dev.ssllabs.com/ssltest/analyze.html?d=metalab.at&hideResults=on
https://dev.ssllabs.com/ssltest/analyze.html?d=lists.metalab.at&hideResults=on
--
Ticket URL: <https://metalab.at/issues/ticket/349>
Metalab Issues <https://metalab.at/issues>
Metalab is a Hackerspace in Vienna's first district.
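An offline dry run of the renewal steps in the ticket for one vHost, as an added example that is not part of the ticket or of Metalab's own tooling. It assumes a throw-away root and intermediate CA generated locally in place of StartSSL, the ticket's host names metalab.at and www.metalab.at, a 2048-bit RSA key so the run takes seconds (use rsa:4096 as in the ticket for the real CSR), and a reasonably current openssl (1.1.1 or later) on PATH. The check functions at the bottom are the ones worth re-running against the files actually deployed.

```shell
#!/bin/sh
# Added example, not from the ticket: offline dry run of the renewal steps.
# Assumptions: local stand-in CA instead of StartSSL, 2048-bit RSA for speed.
set -eu

WORK=${WORK:-$(mktemp -d)}
HOST=${HOST:-metalab.at}
SAN=${SAN:-www.metalab.at}

# OpenSSL config: a DN section (req needs one even with -subj) plus the
# extension sections for the stand-in CA and for the server certificate.
write_cnf() {
  cat > "$WORK/openssl.cnf" <<EOF
[req]
prompt = no
distinguished_name = dn
[dn]
CN = $HOST
[ca_ext]
basicConstraints = critical,CA:TRUE
keyUsage = critical,keyCertSign,cRLSign
[leaf_ext]
basicConstraints = CA:FALSE
keyUsage = critical,digitalSignature,keyEncipherment
extendedKeyUsage = serverAuth
subjectAltName = DNS:$HOST,DNS:$SAN
EOF
}

# Stand-in for StartSSL: a root and a SHA-256-signed intermediate (the real
# one is the sub.class1.server.sha2.ca.pem the ticket links to).
make_standin_ca() {
  openssl req -x509 -nodes -newkey rsa:2048 -sha256 -days 3650 \
    -subj "/CN=Stand-in Root CA" -config "$WORK/openssl.cnf" \
    -extensions ca_ext -keyout "$WORK/root.key" -out "$WORK/root.pem" 2>/dev/null
  openssl req -nodes -newkey rsa:2048 -sha256 \
    -subj "/CN=Stand-in Class 1 Intermediate" -config "$WORK/openssl.cnf" \
    -keyout "$WORK/inter.key" -out "$WORK/inter.csr" 2>/dev/null
  openssl x509 -req -sha256 -days 1825 -in "$WORK/inter.csr" \
    -CA "$WORK/root.pem" -CAkey "$WORK/root.key" -CAcreateserial \
    -extfile "$WORK/openssl.cnf" -extensions ca_ext -out "$WORK/inter.pem" 2>/dev/null
}

# Step 1: new key and SHA-256 CSR as in the ticket, plus -subj/-reqexts so it
# runs without prompting and carries both host names as SANs.
gen_key_csr() {
  openssl req -nodes -newkey rsa:2048 -sha256 -subj "/CN=$HOST" \
    -config "$WORK/openssl.cnf" -reqexts leaf_ext \
    -keyout "$WORK/${HOST}_2015.key" -out "$WORK/${HOST}_2015.csr" 2>/dev/null
}

# Step 2: the CA issues the leaf (in reality: submit the CSR to StartSSL).
issue_cert() {
  openssl x509 -req -sha256 -days 365 -in "$WORK/${HOST}_2015.csr" \
    -CA "$WORK/inter.pem" -CAkey "$WORK/inter.key" -CAcreateserial \
    -extfile "$WORK/openssl.cnf" -extensions leaf_ext \
    -out "$WORK/${HOST}_2015.crt" 2>/dev/null
}

# Step 3: leaf + intermediate in one file for SSLCertificateChainFile.
build_chain() {
  cat "$WORK/${HOST}_2015.crt" "$WORK/inter.pem" > "$WORK/${HOST}_2015_chain.pem"
}

# Step 4: a fresh DH group. 4096 bits as in the ticket can take an hour, so
# the size is a parameter (see DH_BITS below).
gen_dhparam() {
  openssl dhparam -out "$WORK/${HOST}_2015_dh$1.pem" -2 "$1" 2>/dev/null
}

# ---- checks to run before deploying and again on the deployed files ----
csr_sig_alg() {   # expect sha256WithRSAEncryption, not sha1WithRSAEncryption
  openssl req -in "$1" -noout -text | awk '/Signature Algorithm/ {print $3; exit}'
}
cert_sans() {     # e.g. DNS:metalab.at,DNS:www.metalab.at
  openssl x509 -in "$1" -noout -text |
    awk '/Subject Alternative Name/ {getline; gsub(/ /, ""); print; exit}'
}
verify_chain() {  # $1 leaf, $2 chain file, $3 trusted root
  openssl verify -CAfile "$3" -untrusted "$2" "$1" >/dev/null 2>&1
}
expires_within() {  # $1 cert, $2 days: true if it expires that soon
  ! openssl x509 -in "$1" -noout -checkend $(($2 * 86400)) >/dev/null
}
dh_bits() {       # anything below 2048 is the WeakDH/Logjam problem
  openssl dhparam -in "$1" -noout -text | sed -n 's/.*(\([0-9]*\) bit).*/\1/p'
}
hsts_ok() {       # SSL Labs wants max-age >= 180 days (15552000 s) for an A+
  age=$(printf '%s' "$1" | sed -n 's/.*max-age=\([0-9][0-9]*\).*/\1/p')
  [ -n "$age" ] && [ "$age" -ge 15552000 ]
}

write_cnf; make_standin_ca; gen_key_csr; issue_cert; build_chain
if [ -n "${DH_BITS:-}" ]; then
  gen_dhparam "$DH_BITS"
  echo "DH params: $(dh_bits "$WORK/${HOST}_2015_dh$DH_BITS.pem") bit"
fi
echo "CSR signature: $(csr_sig_alg "$WORK/${HOST}_2015.csr")"
echo "SANs: $(cert_sans "$WORK/${HOST}_2015.crt")"
verify_chain "$WORK/${HOST}_2015.crt" "$WORK/${HOST}_2015_chain.pem" "$WORK/root.pem" \
  && echo "chain verifies against the root; files are in $WORK"
```

Run it with `DH_BITS=4096 sh renew_dry_run.sh` (file name assumed) to include the dhparam step and expect the long wait the ticket warns about. On the real host, the files map to `SSLCertificateFile` (leaf), `SSLCertificateKeyFile` and `SSLCertificateChainFile`; on Apache 2.4.7 or later the generated DH parameters can be appended to the `SSLCertificateFile` so mod_ssl uses that group rather than its built-in one, and the https vHost gets `Header always set Strict-Transport-Security "max-age=15768000"` via mod_headers. The SSL Labs test at the end of the ticket then verifies the same properties from outside.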