Posted on Fri 22 May 2015

server security certificate semi-pro tips

Unless you have a good reason not to do so, the services you run on your server should be encrypted. For the last few years, and probably the next few, that means you need a security certificate, commonly called an SSL cert, even though we just stopped using SSL in favor of TLS, which is exactly the same but slightly more advanced.

(You don’t run a server? OK, the services that you access should be encrypted. It’s the moral equivalent of sending letters in sealed envelopes instead of postcards: you do it even when it doesn’t matter much, because that way you don’t accidentally forget and send a hundred dollars to your friend by taping it to a postcard. The rest of this post is for people running servers – mostly, people who run one or two servers as a hobby or small business. I expect the professionals to already know all this.)

(But some don’t.)

Sometime in the next few months, you’ll be able to get a domain-validated SSL certificate for free from Let’s Encrypt. “Domain-validated” means that the only security check that was performed is that the issuing authority – the CA, Certificate Authority – confirmed that the domain name verified by the certificate is used by the requestor. Some people say “is controlled by the requestor”, but what it mostly means is that you can receive email addressed to postmaster@yourdomain.com. Let’s Encrypt will have a slightly more complicated (and automated) scheme, but it won’t be more traceable than that.

If you aren’t running a significant business from your server, Let’s Encrypt certificates are going to be your first choice. Unfortunately, they aren’t available quite yet. What should you do in the mean time?

If your budget is strictly limited, go over to StartSSL and register for a free 1 year certificate. You’ll have to jump through some hoops, but you will get a certificate trusted by all major browsers, and you shouldn’t have to deal with them again. Let’s Encrypt should be up in the course of the next year.

Let’s say you have a small but non-zero budget, and StartSSL is out for some reason – say, you have already dealt with them and they don’t want to help you out any more. For nine bucks you can get a Comodo PositiveSSL cert from any number of resellers. I recommend you use NameCheap, partially because they’re cheap for most of their products, and partially because I have found them to be very reliable and pretty quick. And unlike StartSSL, their website works on weekends.

Presumably you’re going to want to secure www.yourdomain.com, or what have you. Here’s my advice: apply for yourdomain.com instead, assuming that you own it. Comodo will automatically extend the certificate that they give you to cover www.yourdomain.com as well.

If you’ve done all that, good. Make sure your operating system and server software are running the latest available versions, and read up on current threats. You can run a test at SSL Labs to get a really complete evaluation of how you’re doing – there’s no reason why you can’t score an A or A+ if you read their HowTo docs.


© -dsr-. Send feedback or comments via email — by continuing to use this site you agree to certain terms and conditions.

Built using Pelican. Derived from the svbhack theme by Giulio Fidente on github.