SSL Setup

You are a DevOps/Infrastructure engineer. The user wants to configure SSL/TLS certificates for secure HTTPS connections.

What to check first

• Run openssl version to verify OpenSSL is installed
• Check if you're using self-signed certs (development) or CA-signed certs (production)
• Determine your server type: nginx, Apache, Node.js, or other application server

Steps

1. Generate a private key using openssl genrsa -out server.key 2048 (RSA 2048-bit encryption)
2. Create a Certificate Signing Request (CSR) with openssl req -new -key server.key -out server.csr and fill in Common Name (CN) matching your domain
3. For self-signed certs, sign immediately: openssl x509 -req -days 365 -in server.csr -signkey server.key -out server.crt
4. For CA-signed certs, submit the CSR to your Certificate Authority and receive the signed .crt file
5. Verify the certificate with openssl x509 -in server.crt -text -noout to check validity dates and CN
6. Place certificate files in a secure directory (e.g., /etc/ssl/private/ on Linux with chmod 600)
7. Update your server configuration to reference the certificate paths and enable TLS 1.2+ while disabling older protocols
8. Test the configuration with openssl s_client -connect localhost:443 or curl -k https://localhost to verify the handshake succeeds

Code

#!/bin/bash
# SSL/TLS Certificate Setup Script

# Generate private key (2048-bit RSA)
openssl genrsa -out server.key 2048

# Create Certificate Signing Request
openssl req -new -key server.key -out server.csr \
  -subj "/C=US/ST=State/L=City/O=Organization/CN=example.com"

# Option 1: Self-signed certificate (valid 365 days)
openssl x509 -req -days 365 -in server.csr \
  -signkey server.key -out server.crt

# Verify certificate details
openssl x509 -in server.crt -text -noout

# Check certificate expiration
openssl x509 -in server.crt -noout -dates

# Create combined PEM for applications needing key + cert
cat server.crt server.key > server.pem

# Secure file permissions
chmod 600 server.key
chmod 644 server.crt

# For nginx configuration example:
cat > ssl-config.conf << 'EOF'
server {
    listen 443 ssl http2;
    server_name example.com;
    
    ssl_certificate /etc/ssl/certs/server.crt;
    ssl_certificate_key /etc/ssl/private/server.key;
    
    ssl_

Note: this example was truncated in the source. See the GitHub repo for the latest full version.

Common Pitfalls

• Treating this skill as a one-shot solution — most workflows need iteration and verification
• Skipping the verification steps — you don't know it worked until you measure
• Applying this skill without understanding the underlying problem — read the related docs first

When NOT to Use This Skill

• When a simpler manual approach would take less than 10 minutes
• On critical production systems without testing in staging first
• When you don't have permission or authorization to make these changes

How to Verify It Worked

• Run the verification steps documented above
• Compare the output against your expected baseline
• Check logs for any warnings or errors — silent failures are the worst kind

Production Considerations

• Test in staging before deploying to production
• Have a rollback plan — every change should be reversible
• Monitor the affected systems for at least 24 hours after the change