Learning how to set up SSL on HSHub for Handshake domains


Want to have SSL on your Handshake site, like we did for handshake.conference?

Then let’s dive in today!

Many of you enjoyed the video we did with Matt Zipkin on DANE and security (check it out at skyinclude.com/dane), and I feel guilty that most of the sites we have on Handshake are still not secure.

Another reference is using Cloudways; we have a video on that here: https://skyinclude.com/setup-handshake-domain-names-using-cloudways/

With HandyCon 2 coming in less than 2 weeks, and people asking for it to have SSL, it is perfect timing that I found out the new HSHub (you can watch our video and guide at skyinclude.com/hshub) lets you set up SSL.

Check out the Twitter exchange

https://twitter.com/MatthewZipkin/status/1500088996977860610?t=FntE0Le0zQxL-nrvdPPZGg&s=19

https://gist.github.com/buffrr/609285c952e9cb28f76da168ef8c2ca6

EPIC!

So let’s learn this together. The theme of the SkyInclude channel is coming to life yet again.


So we need to create the certificate and then add the TLSA record, which HSHub supports.

To create the certificate, we follow the guide from buffrr (https://gist.github.com/buffrr/609285c952e9cb28f76da168ef8c2ca6):

openssl req -x509 -newkey rsa:4096 -sha256 -days 365 -nodes \
  -keyout cert.key -out cert.crt -extensions ext  -config \
  <(echo "[req]"; 
    echo distinguished_name=req; 
    echo "[ext]";
    echo "keyUsage=critical,digitalSignature,keyEncipherment";
    echo "extendedKeyUsage=serverAuth";
    echo "basicConstraints=critical,CA:FALSE";
    echo "subjectAltName=DNS:example.com,DNS:*.example.com";
    ) -subj "/CN=*.example.com"

We need to input:

Generate the TLSA record rdata (you can also use this tool):

TLSA Record Generator
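
One way to derive the TLSA rdata locally from the certificate with openssl and to check a certificate against a published record, as an added example (not from the original post or buffrr's guide). It assumes the common `3 1 1` parameters (DANE-EE, public key, SHA-256); the function names `tlsa_311`, `tlsa_matches` and `make_cert` are hypothetical, and the sample certificates are constructed throwaways.

```shell
#!/bin/sh
# Added example: derive and check TLSA rdata "3 1 1 <SHA-256 of public key>".
# 3 = DANE-EE, 1 = SubjectPublicKeyInfo, 1 = SHA-256 (assumed parameters).

# Print the TLSA rdata for a PEM certificate file.
tlsa_311() (
  openssl x509 -in "$1" -noout 2>/dev/null || exit 1   # unreadable cert
  hex=$(openssl x509 -in "$1" -noout -pubkey \
        | openssl pkey -pubin -outform DER \
        | openssl dgst -sha256 -r | cut -d' ' -f1 | tr 'a-f' 'A-F')
  printf '3 1 1 %s\n' "$hex"
)

# Succeed only if the published rdata ($2) matches the certificate ($1).
# Case and whitespace in the published value are ignored.
tlsa_matches() (
  want=$(printf '%s' "$2" | tr -d ' \t\n' | tr 'a-f' 'A-F')
  have=$(tlsa_311 "$1" | tr -d ' \n')
  [ -n "$have" ] && [ "$want" = "$have" ]
)

# Constructed sample: throwaway self-signed cert written to $1.key / $1.crt,
# using the same minimal [req] config as the command above (2048-bit for speed).
make_cert() (
  printf '[req]\ndistinguished_name=req\n' > "$1.cnf"
  openssl req -x509 -newkey rsa:2048 -sha256 -days 1 -nodes -config "$1.cnf" \
    -keyout "$1.key" -out "$1.crt" -subj "/CN=*.example.com" 2>/dev/null
)

dir=$(mktemp -d)
make_cert "$dir/old"   # certificate the record was generated from
make_cert "$dir/new"   # re-issued certificate with a fresh key
published=$(tlsa_311 "$dir/old.crt")
echo "TLSA rdata to publish: $published"
tlsa_matches "$dir/old.crt" "$published" && echo "old cert: matches record"
tlsa_matches "$dir/new.crt" "$published" || echo "new cert: update the TLSA record"
rm -rf "$dir"
```

Because selector 1 hashes only the public key, a renewal that reuses the same key keeps the same rdata, while a re-issue with a new key requires updating the TLSA record before the new certificate goes live.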

Not Using Cloudways?

If you're not using Cloudways, you need to set up a small Linux server with apache2 or Nginx. Then upload the certificates or generate them directly on the server, and configure the apache2 or Nginx site configuration (/etc/nginx/sites-available/sld.conf) to use SSL with the generated certificates.