Symbiosis.host
Get Started
Intermediate
30 mins

SSL Configuration

Learn how to properly configure SSL certificates, implement secure HTTPS, and manage certificate lifecycles for your applications.

Prerequisites

  • Domain name with DNS access
  • Basic understanding of HTTPS
  • Server administration knowledge
  • Familiarity with security concepts

SSL Configuration Overview

SSL Configuration Workflow

Visual representation of SSL certificate setup and configuration process.

1

SSL Certificate Setup

Configure SSL certificates for your domains:

// SSL certificate configuration
const sslConfig = {
  // Certificate settings
  certificate: {
    type: 'RSA',
    keySize: 2048,
    validity: 90, // days
    commonName: 'example.com',
    altNames: ['www.example.com', '*.example.com']
  },

  // ACME client configuration
  acme: {
    provider: 'letsencrypt',
    environment: 'production',
    email: '[email protected]',
    agreeTos: true
  },

  // Certificate chain
  chain: {
    fullchain: true,
    preferredChain: 'ISRG Root X1'
  }
};

// Generate certificate
const generateCert = async () => {
  const acme = new ACMEClient(sslConfig.acme);
  
  // Create CSR
  const [key, csr] = await acme.createCsr({
    commonName: sslConfig.certificate.commonName,
    altNames: sslConfig.certificate.altNames
  });
  
  // Get certificate
  const cert = await acme.getCertificate(csr);
  
  return {
    key,
    cert,
    chain: await acme.getCertificateChain(cert)
  };
};
2

SSL Implementation

Implement SSL in your application:

// HTTPS server configuration
const https = require('https');
const fs = require('fs');

const httpsOptions = {
  key: fs.readFileSync('private.key'),
  cert: fs.readFileSync('certificate.crt'),
  ca: fs.readFileSync('chain.pem'),
  
  // Modern SSL configuration
  minVersion: 'TLSv1.2',
  ciphers: [
    'TLS_AES_128_GCM_SHA256',
    'TLS_AES_256_GCM_SHA384',
    'TLS_CHACHA20_POLY1305_SHA256',
    'ECDHE-ECDSA-AES128-GCM-SHA256',
    'ECDHE-RSA-AES128-GCM-SHA256',
    'ECDHE-ECDSA-AES256-GCM-SHA384',
    'ECDHE-RSA-AES256-GCM-SHA384'
  ].join(':'),
  
  // HSTS configuration
  strictTransportSecurity: {
    maxAge: 31536000,
    includeSubDomains: true,
    preload: true
  }
};

// Create HTTPS server
const server = https.createServer(httpsOptions, app);

// Redirect HTTP to HTTPS
app.use((req, res, next) => {
  if (!req.secure) {
    return res.redirect(`https://${req.headers.host}${req.url}`);
  }
  next();
});
3

SSL Security Headers

Configure security headers for SSL:

// Security headers middleware
app.use((req, res, next) => {
  // HSTS
  res.setHeader(
    'Strict-Transport-Security',
    'max-age=31536000; includeSubDomains; preload'
  );
  
  // Content Security Policy
  res.setHeader(
    'Content-Security-Policy',
    "default-src 'self'; " +
    "script-src 'self' 'unsafe-inline' 'unsafe-eval'; " +
    "style-src 'self' 'unsafe-inline'; " +
    "img-src 'self' data: https:; " +
    "upgrade-insecure-requests;"
  );
  
  // Expect-CT
  res.setHeader(
    'Expect-CT',
    'enforce, max-age=30'
  );
  
  // Other security headers
  res.setHeader('X-Content-Type-Options', 'nosniff');
  res.setHeader('X-Frame-Options', 'DENY');
  res.setHeader('X-XSS-Protection', '1; mode=block');
  res.setHeader('Referrer-Policy', 'strict-origin-when-cross-origin');
  
  next();
});
4

Certificate Management

Implement certificate lifecycle management:

// Certificate manager
const certManager = {
  async monitor() {
    const certs = await this.listCertificates();
    
    for (const cert of certs) {
      const daysUntilExpiry = this.getDaysUntilExpiry(cert);
      
      if (daysUntilExpiry <= 30) {
        await this.renewCertificate(cert);
      }
      
      if (daysUntilExpiry <= 7) {
        await this.sendAlert('Certificate expiring soon', {
          domain: cert.domain,
          expiryDate: cert.expiryDate
        });
      }
    }
  },
  
  async renewCertificate(cert) {
    try {
      const newCert = await generateCert();
      await this.installCertificate(newCert);
      await this.reloadServer();
      
      await this.logEvent('certificate_renewal', {
        domain: cert.domain,
        status: 'success'
      });
    } catch (error) {
      await this.sendAlert('Certificate renewal failed', {
        domain: cert.domain,
        error: error.message
      });
    }
  }
};

Best Practices

Certificate Management

Best practices for SSL certificates:

  • Use strong key sizes
  • Implement auto-renewal
  • Monitor expiration
  • Maintain certificate chain

Security Configuration

Secure SSL implementation:

  • Enable HSTS
  • Configure security headers
  • Use modern TLS versions
  • Implement CSP

Performance

Optimize SSL performance:

  • Enable session resumption
  • Use OCSP stapling
  • Configure cipher suites
  • Enable HTTP/2

Common Issues

Certificate Issues

Common certificate problems:

  • Certificate expiration
  • Chain validation errors
  • Domain mismatch
  • Private key issues

Configuration Issues

Setup-related challenges:

  • Mixed content warnings
  • Protocol errors
  • Cipher suite problems
  • Performance impact

Next Steps

Now that you understand SSL configuration, explore these related topics:

← DNS Management Next: Security →