SSL Certificates
Secure your websites with HTTPS encryption on TinyBox VPS
Why SSL Certificates Matter
Security
Encrypts data between users and your server
SEO Boost
Google ranks HTTPS sites higher
Trust
Browser security indicators build user confidence
Let's Encrypt - Free SSL Certificates
✓ Recommended for Most Users
Let's Encrypt provides free, automated SSL certificates that are trusted by all major browsers.
Install Certbot
# Update system
apt update && apt upgrade -y
# Install snapd (if not already installed)
apt install snapd -y
# Install Certbot via snap (recommended method)
snap install --classic certbot
# Create symbolic link
ln -s /snap/bin/certbot /usr/bin/certbot
# Alternative: Install via apt (older versions)
# apt install certbot python3-certbot-nginx python3-certbot-apache -y
Obtain SSL Certificate - Apache
# For Apache - automatic configuration
certbot --apache
# For specific domains
certbot --apache -d yourdomain.com -d www.yourdomain.com
# Test-only mode (don't actually get certificate)
certbot --apache --dry-run -d yourdomain.com
Obtain SSL Certificate - Nginx
# For Nginx - automatic configuration
certbot --nginx
# For specific domains
certbot --nginx -d yourdomain.com -d www.yourdomain.com
# Test-only mode
certbot --nginx --dry-run -d yourdomain.com
Manual Certificate (Advanced)
# Manual certificate (requires manual web server configuration)
certbot certonly --webroot -w /var/www/yourdomain.com/html -d yourdomain.com -d www.yourdomain.com
# Standalone method: certbot binds port 80 itself, so the web server must be stopped first
# (or wrap the command with --pre-hook/--post-hook so renewals stop and restart it)
certbot certonly --standalone -d yourdomain.com -d www.yourdomain.com
# DNS challenge (for domains without web server)
certbot certonly --manual --preferred-challenges dns -d yourdomain.com
Certificate Management
Check Certificate Status
# List all certificates
certbot certificates
# Check certificate expiration
openssl x509 -in /etc/letsencrypt/live/yourdomain.com/fullchain.pem -noout -dates
# Check certificate from browser perspective
echo | openssl s_client -connect yourdomain.com:443 2>/dev/null | openssl x509 -noout -dates
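The same checks the commands above run by hand, as a reusable monitor. This is an added example written for this page, not TinyBox or Certbot code; it uses only the Python standard library, the host, port and 14-day warning threshold are assumptions, and a failed chain or hostname check is reported as "untrusted", which is the condition the "Certificate not trusted" and "Certificate about to expire" entries under Common Issues describe.

```python
# Added example for this page (not TinyBox or Certbot code): a certificate
# monitor built on the Python standard library. Host, port and the 14-day
# warning threshold are assumptions; yourdomain.com is the page's placeholder.
import socket
import ssl
import sys
import time

WARN_DAYS = 14  # assumption: report "expiring-soon" below this many days


def days_until_expiry(not_after, now=None):
    """Whole days left, given the notAfter string from getpeercert(),
    e.g. 'Mar  5 12:00:00 2030 GMT' (negative once expired)."""
    expires = ssl.cert_time_to_seconds(not_after)
    now = time.time() if now is None else now
    return int((expires - now) // 86400)


def classify(days_left, warn_days=WARN_DAYS):
    """Map days remaining to the state a renewal monitor reports."""
    if days_left < 0:
        return "expired"
    if days_left < warn_days:
        return "expiring-soon"
    return "ok"


def check_host(host, port=443, warn_days=WARN_DAYS, timeout=5.0):
    """Verified TLS handshake as a browser would do it. A chain or hostname
    failure is reported as 'untrusted' instead of raising."""
    ctx = ssl.create_default_context()  # system trust store, hostname check on
    try:
        with socket.create_connection((host, port), timeout=timeout) as raw:
            with ctx.wrap_socket(raw, server_hostname=host) as tls:
                cert = tls.getpeercert()
                proto = tls.version()
    except ssl.SSLCertVerificationError as e:
        return {"host": host, "state": "untrusted", "reason": e.verify_message}
    except (OSError, ssl.SSLError) as e:
        return {"host": host, "state": "error", "reason": str(e)}
    days = days_until_expiry(cert["notAfter"])
    return {"host": host, "state": classify(days, warn_days), "days_left": days,
            "protocol": proto,
            "subject": dict(pair[0] for pair in cert["subject"]).get("commonName")}

if __name__ == "__main__":
    result = check_host(sys.argv[1] if len(sys.argv) > 1 else "yourdomain.com")
    print(result)
    sys.exit(0 if result["state"] == "ok" else 1)
```

Run it from cron with the domain as argument; a non-zero exit means the certificate needs attention before the certbot timer is expected to renew it.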
Renew Certificates
# Test renewal (dry run)
certbot renew --dry-run
# Force renewal of a specific certificate (without --force-renewal, renew only acts when the certificate is due)
certbot renew --cert-name yourdomain.com --force-renewal
# Renew all certificates
certbot renew
# Check automatic renewal status
# (the apt package installs certbot.timer; the snap install uses snap.certbot.renew.timer)
systemctl status certbot.timer
systemctl list-timers | grep certbot
Revoke and Delete Certificates
# Revoke certificate (if compromised)
certbot revoke --cert-path /etc/letsencrypt/live/yourdomain.com/cert.pem
# Delete certificate completely
certbot delete --cert-name yourdomain.com
# Clean up unused certificates: without --cert-name, certbot delete lists the
# installed certificates and prompts for the ones to remove
certbot delete
Renewal Rate Limits
Let's Encrypt has rate limits: 50 certificates per domain per week. Always test with --dry-run first!
Manual SSL Configuration
Apache SSL Virtual Host
# Enable SSL module
a2enmod ssl
a2enmod headers
# Create SSL virtual host (/etc/apache2/sites-available/yourdomain.com-ssl.conf)
<VirtualHost *:443>
ServerName yourdomain.com
ServerAlias www.yourdomain.com
DocumentRoot /var/www/yourdomain.com/html
# SSL Configuration
SSLEngine on
# fullchain.pem carries the leaf plus the intermediate; SSLCertificateChainFile is deprecated since Apache 2.4.8
SSLCertificateFile /etc/letsencrypt/live/yourdomain.com/fullchain.pem
SSLCertificateKeyFile /etc/letsencrypt/live/yourdomain.com/privkey.pem
# Modern SSL configuration
SSLProtocol all -SSLv3 -TLSv1 -TLSv1.1
SSLCipherSuite ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384
SSLHonorCipherOrder off
SSLSessionTickets off
# Security headers
Header always set Strict-Transport-Security "max-age=63072000"
Header always set X-Content-Type-Options nosniff
Header always set X-Frame-Options DENY
Header always set X-XSS-Protection "1; mode=block"
</VirtualHost>
# Redirect HTTP to HTTPS
<VirtualHost *:80>
ServerName yourdomain.com
ServerAlias www.yourdomain.com
Redirect permanent / https://yourdomain.com/
</VirtualHost>
Nginx SSL Configuration
# Nginx SSL server block (/etc/nginx/sites-available/yourdomain.com)
server {
listen 80;
server_name yourdomain.com www.yourdomain.com;
return 301 https://$server_name$request_uri;
}
server {
listen 443 ssl http2;
server_name yourdomain.com www.yourdomain.com;
root /var/www/yourdomain.com/html;
index index.html index.php;
# SSL Configuration
ssl_certificate /etc/letsencrypt/live/yourdomain.com/fullchain.pem;
ssl_certificate_key /etc/letsencrypt/live/yourdomain.com/privkey.pem;
# Modern SSL configuration
ssl_protocols TLSv1.2 TLSv1.3;
ssl_ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384;
ssl_prefer_server_ciphers off;
ssl_session_cache shared:SSL:10m;
ssl_session_timeout 1d;
ssl_session_tickets off;
# OCSP Stapling
ssl_stapling on;
ssl_stapling_verify on;
ssl_trusted_certificate /etc/letsencrypt/live/yourdomain.com/chain.pem;
resolver 8.8.8.8 8.8.4.4 valid=300s;
# Security headers
add_header Strict-Transport-Security "max-age=63072000" always;
add_header X-Content-Type-Options nosniff always;
add_header X-Frame-Options DENY always;
add_header X-XSS-Protection "1; mode=block" always;
location / {
try_files $uri $uri/ =404;
}
}
Commercial SSL Certificates
When to Use Commercial SSL
- Extended Validation (EV) certificates for maximum trust
- Organization Validation (OV) for business identity
- Wildcard certificates for multiple subdomains
- Insurance/warranty coverage requirements
- 24/7 commercial support needs
Generate Certificate Signing Request (CSR)
# Generate private key
openssl genrsa -out yourdomain.com.key 2048
# Generate CSR (the subjectAltName extension carries the names browsers actually check; -addext needs OpenSSL 1.1.1+)
openssl req -new -key yourdomain.com.key -out yourdomain.com.csr \
-addext "subjectAltName=DNS:yourdomain.com,DNS:www.yourdomain.com"
# You'll be prompted for:
# Country Name: US
# State: Your State
# City: Your City
# Organization Name: Your Company
# Organizational Unit: IT Department
# Common Name: yourdomain.com (IMPORTANT!)
# Email Address: your contact address
# Challenge password: (leave blank)
# Optional company name: (leave blank)
# View CSR content
cat yourdomain.com.csr
Install Commercial Certificate
# Create SSL directory
mkdir -p /etc/ssl/certs/yourdomain.com
cd /etc/ssl/certs/yourdomain.com
# Upload certificate files from CA:
# 1. yourdomain.com.crt (your certificate)
# 2. intermediate.crt (intermediate certificate)
# 3. yourdomain.com.key (private key - keep secure!)
# Create certificate bundle
cat yourdomain.com.crt intermediate.crt > yourdomain.com-bundle.crt
# Set proper permissions
chmod 644 *.crt
chmod 600 yourdomain.com.key
chown root:root *
DV Certificate
Domain Validated - Basic encryption, automated validation
$10-50/year • Similar to Let's Encrypt
OV Certificate
Organization Validated - Shows company info
$50-200/year • Business identity
EV Certificate
Extended Validation - Green address bar
$200-1000/year • Maximum trust
SSL Testing and Optimization
Test Your SSL Configuration
Online SSL Testing
- SSL Labs: ssllabs.com/ssltest
- SSL Checker: sslchecker.com
- Security Headers: securityheaders.com
Command Line SSL Testing
# Test SSL connection
openssl s_client -connect yourdomain.com:443
# Check certificate expiration
echo | openssl s_client -connect yourdomain.com:443 2>/dev/null | openssl x509 -noout -dates
# Test specific SSL/TLS versions
openssl s_client -connect yourdomain.com:443 -tls1_2
openssl s_client -connect yourdomain.com:443 -tls1_3
# Check cipher suites
nmap --script ssl-enum-ciphers -p 443 yourdomain.com
SSL Performance Optimization
Apache Optimization
# Enable SSL session caching
SSLSessionCache shmcb:logs/ssl_scache(512000)
SSLSessionCacheTimeout 300
# Enable OCSP Stapling
SSLUseStapling On
SSLStaplingCache shmcb:logs/ssl_stapling(32768)
Nginx Optimization
# SSL session caching
ssl_session_cache shared:SSL:10m;
ssl_session_timeout 1d;
# Enable HTTP/2
listen 443 ssl http2;
Wildcard and Multi-Domain Certificates
Wildcard Certificate (*.domain.com)
# Wildcard certificate requires DNS challenge (quote the wildcard so the shell does not expand it as a glob)
certbot certonly --manual --preferred-challenges dns -d yourdomain.com -d '*.yourdomain.com'
# Add DNS TXT record when prompted:
# _acme-challenge.yourdomain.com TXT "verification_string"
# Verify DNS record before continuing:
dig TXT _acme-challenge.yourdomain.com
# Continue certbot process after DNS record is live
Multi-Domain (SAN) Certificate
# Certificate for multiple domains
certbot --nginx -d domain1.com -d www.domain1.com -d domain2.com -d www.domain2.com
# Or using webroot method
certbot certonly --webroot \
-w /var/www/domain1.com/html -d domain1.com -d www.domain1.com \
-w /var/www/domain2.com/html -d domain2.com -d www.domain2.com
DNS Challenge Requirements
Wildcard certificates require DNS TXT record validation. Ensure you have access to your domain's DNS settings before starting.
Common Issues & Solutions
Certificate not trusted / Invalid certificate
Check certificate chain and intermediate certificates:
# Check certificate chain
openssl s_client -connect yourdomain.com:443 -showcerts
# Verify the leaf chains to the system trust store through the served intermediate
# (without -untrusted, a leaf on its own fails because the intermediate is not in the CA bundle)
openssl verify -CAfile /etc/ssl/certs/ca-certificates.crt -untrusted /path/to/chain.pem /path/to/cert.pem
Mixed content warnings
Ensure all resources (images, CSS, JS) use HTTPS:
# Check for mixed content
grep -r "http://" /var/www/yourdomain.com/html/
# Use relative URLs or protocol-relative URLs
<img src="//example.com/image.jpg">
Certificate about to expire
Check auto-renewal and manually renew if needed:
# Check renewal timer
systemctl list-timers | grep certbot
# Force renewal (renews every certificate, even ones not yet due, and counts against rate limits)
certbot renew --force-renewal
# Test renewal process
certbot renew --dry-run
Rate limit exceeded
Let's Encrypt has strict rate limits:
# Check rate limit status at:
# https://crt.sh/?q=yourdomain.com
# Use staging environment for testing (staging certificates are not browser-trusted; they only exercise the workflow):
certbot --staging --nginx -d yourdomain.com
✓ SSL Security Checklist
- ✓ TLS 1.2+ only (disable older versions)
- ✓ Strong cipher suites
- ✓ HSTS header enabled
- ✓ HTTP to HTTPS redirect
- ✓ OCSP Stapling enabled
- ✓ Auto-renewal configured
- ✓ A+ SSL Labs rating
- ✓ No mixed content warnings
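A way to verify the redirect and header items of this checklist against a running server, written for this page as an added example (not TinyBox code). It uses only the Python standard library; the expected header values are the ones the Apache and Nginx blocks above set, and the one-year minimum HSTS age is an assumption.

```python
# Added example for this page (not TinyBox code): checks the HTTP-to-HTTPS
# redirect and the security headers the Apache/Nginx blocks set.
import http.client

MIN_HSTS_AGE = 31536000  # assumption: at least one year (the page sets 63072000)
# Header values the page's Apache and Nginx configurations emit.
EXPECTED = {"x-content-type-options": "nosniff", "x-frame-options": "DENY"}


def hsts_max_age(value):
    """max-age from a Strict-Transport-Security value; None if absent or malformed."""
    for directive in value.split(";"):
        name, _, num = directive.strip().partition("=")
        if name.strip().lower() == "max-age" and num.strip().isdigit():
            return int(num.strip())
    return None


def audit_headers(headers):
    """Findings for a dict of HTTPS response headers; empty list means all present."""
    h = {k.lower(): v for k, v in headers.items()}
    findings = []
    age = hsts_max_age(h.get("strict-transport-security", ""))
    if age is None:
        findings.append("HSTS header missing or malformed")
    elif age < MIN_HSTS_AGE:
        findings.append(f"HSTS max-age {age} is below {MIN_HSTS_AGE}")
    for name, want in EXPECTED.items():
        got = h.get(name, "").strip()
        if got.lower() != want.lower():
            findings.append(f"{name}: expected {want!r}, got {got!r}")
    return findings


def audit_redirect(status, location, host):
    """The port-80 listener must answer with a permanent redirect to https://host."""
    if status not in (301, 308):
        return [f"HTTP answered {status} instead of a 301 redirect"]
    if not (location or "").startswith(f"https://{host}"):
        return [f"redirect target {location!r} is not https://{host}"]
    return []


def audit_site(host):
    """Run both checks against a live host (needs network access)."""
    plain = http.client.HTTPConnection(host, 80, timeout=5)
    plain.request("GET", "/")
    reply = plain.getresponse()
    findings = audit_redirect(reply.status, reply.getheader("Location"), host)
    secure = http.client.HTTPSConnection(host, 443, timeout=5)  # verified TLS
    secure.request("GET", "/")
    findings += audit_headers(dict(secure.getresponse().getheaders()))
    return findings
```

Call audit_site("yourdomain.com") after deploying the configuration; an empty list means the redirect, HSTS and the two hardening headers are in place, and each finding names the directive to fix.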