TLS / HTTPS Basics
HTTPS is HTTP carried over TLS. TLS gives three guarantees: confidentiality (traffic is encrypted), integrity (tampering is detected), and server authentication (a certificate signed by a CA the client trusts, plus the server's signature over the handshake, proves the server holds the private key for the hostname you asked for).
Handshake (simplified)
1. Client sends ClientHello: supported TLS versions and cipher suites, the hostname it wants (SNI), and in TLS 1.3 its ECDHE key share up front.
2. Server responds with the chosen cipher suite, its certificate chain and its own key share, and signs the handshake with the certificate's private key, proving it owns the key and not merely a copy of the cert.
3. Client builds and verifies the chain up to a trusted root CA (system store, or Mozilla's bundle in tools like curl and Python), then checks that the hostname is in the cert's SAN list and that the cert is within its validity period.
4. Both sides derive the symmetric session key from the ECDHE exchange. The key never crosses the wire, which gives forward secrecy: a later leak of the server's private key does not decrypt recorded sessions.
5. Encrypted traffic flows, symmetric (AES-GCM or ChaCha20-Poly1305) from here on, which is fast.
Certificates
- Common Name (CN) / SAN: which hostnames the cert is valid for. Modern clients check only the Subject Alternative Name list and ignore CN, so every hostname must appear as a SAN; one cert can list many.
- Chain: leaf → intermediate(s) → root CA. Always serve the full chain (leaf plus intermediates; the root is already in the client's store). Browsers often fetch a missing intermediate on their own, but curl, Java, mobile apps and most libraries do not, so a missing intermediate shows up as 'not secure' or a verification error in those clients.
- Expiry: LE certs are 90 days; use cert-manager/certbot auto-renewal, and monitor expiry so a silently failing renewal is caught before the cert lapses.
- Wildcard: `*.example.com` matches exactly one label (`a.example.com`, but not `a.b.example.com` and not the apex `example.com`). `*.*.example.com` is not valid.
Let's Encrypt (free, automated)
```bash
# Standalone (certbot binds port 80 itself, so stop nginx briefly)
sudo certbot certonly --standalone -d example.com -d www.example.com
# With nginx plugin (auto-configures the server block and reloads nginx)
sudo certbot --nginx -d example.com
# Auto-renew (systemd timer is auto-installed); dry-run to confirm renewal works
sudo certbot renew --dry-run
```
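Worked example, added here and not part of the original notes: the shell script below uses the openssl CLI to build a throwaway root → intermediate → leaf PKI and then runs the checks a client performs in handshake step 3 against it, reproducing the chain and wildcard rules above (the missing-intermediate failure, SAN matching, the one-label wildcard scope). The CA names, the example.com hostnames and the file names are made up for the demo; it needs only openssl 1.1.1 or newer and writes everything to a temp directory.

```shell
#!/bin/sh
# Added example, not from the original notes: a throwaway PKI
# (root -> intermediate -> leaf) built with the openssl CLI, then the
# checks a TLS client makes in handshake step 3: chain building to a
# trusted root, SAN hostname matching, wildcard scope.
# All names (Demo Root CA, example.com, file names) are made up.
set -eu

# make_chain DIR: write keys and certs into DIR. Explicit config/extension
# files keep the result independent of the system openssl.cnf. Runs in a
# subshell so the cd does not leak into the caller.
make_chain() (
  cd "$1"
  printf '%s\n' '[req]' 'prompt = no' 'distinguished_name = dn' \
    'x509_extensions = v3_ca' '[dn]' 'CN = Demo Root CA' '[v3_ca]' \
    'basicConstraints = critical,CA:TRUE' \
    'keyUsage = critical,keyCertSign,cRLSign' > req.cnf
  # intermediate: a CA that may sign leaves only (pathlen:0)
  printf '%s\n' 'basicConstraints = critical,CA:TRUE,pathlen:0' \
    'keyUsage = critical,keyCertSign,cRLSign' > int.ext
  # server leaf: not a CA, serverAuth; the hostnames live in the SAN list
  printf '%s\n' 'basicConstraints = critical,CA:FALSE' \
    'keyUsage = critical,digitalSignature,keyEncipherment' \
    'extendedKeyUsage = serverAuth' \
    'subjectAltName = DNS:example.com,DNS:www.example.com' > leaf.ext
  # wildcard leaf: same extensions, but the SAN is a one-label wildcard
  sed 's/^subjectAltName.*/subjectAltName = DNS:*.example.com/' leaf.ext > wild.ext

  # 1. self-signed root (the cert that would sit in the client's trust store)
  openssl req -x509 -config req.cnf -newkey rsa:2048 -nodes -days 3650 \
    -keyout root.key -out root.pem 2>/dev/null
  # 2. intermediate, signed by the root
  openssl req -new -config req.cnf -subj '/CN=Demo Intermediate CA' \
    -newkey rsa:2048 -nodes -keyout int.key -out int.csr 2>/dev/null
  openssl x509 -req -days 1825 -in int.csr -CA root.pem -CAkey root.key \
    -CAcreateserial -extfile int.ext -out int.pem 2>/dev/null
  # 3. leaves, signed by the intermediate, 90-day lifetime like Let's Encrypt
  for n in leaf wild; do
    openssl req -new -config req.cnf -subj '/CN=example.com' \
      -newkey rsa:2048 -nodes -keyout "$n.key" -out "$n.csr" 2>/dev/null
    openssl x509 -req -days 90 -in "$n.csr" -CA int.pem -CAkey int.key \
      -CAcreateserial -extfile "$n.ext" -out "$n.pem" 2>/dev/null
  done
  # what a server should send: leaf first, then intermediates, never the root
  cat leaf.pem int.pem > fullchain.pem
)

# verify_leaf DIR LEAF INTERMEDIATES HOSTNAME
# INTERMEDIATES is the file the server sends alongside the leaf ('' = it sent
# none). Exit status is the client's verdict: 0 trusted, non-zero rejected.
verify_leaf() {
  if [ -n "$3" ]; then
    openssl verify -CAfile "$1/root.pem" -untrusted "$1/$3" \
      -verify_hostname "$4" "$1/$2" >/dev/null 2>&1
  else
    openssl verify -CAfile "$1/root.pem" \
      -verify_hostname "$4" "$1/$2" >/dev/null 2>&1
  fi
}

# report LABEL DIR LEAF INTERMEDIATES HOSTNAME: print the verdict for one case
report() {
  if verify_leaf "$2" "$3" "$4" "$5"; then echo "OK      $1"; else echo "REJECT  $1"; fi
}

main() {
  dir=$(mktemp -d)
  make_chain "$dir"
  report 'full chain, www.example.com'                "$dir" leaf.pem int.pem www.example.com
  report 'missing intermediate (the usual misconfig)' "$dir" leaf.pem ''      www.example.com
  report 'name not in SAN: api.example.com'           "$dir" leaf.pem int.pem api.example.com
  report 'wildcard covers a.example.com'              "$dir" wild.pem int.pem a.example.com
  report 'wildcard does not cover a.b.example.com'    "$dir" wild.pem int.pem a.b.example.com
  report 'wildcard does not cover the apex'           "$dir" wild.pem int.pem example.com
  rm -rf "$dir"
}

main
```

Running it prints one OK/REJECT line per case; only the first and the `a.example.com` wildcard case pass. Against a live server the equivalent check is `openssl s_client -connect host:443 -servername host </dev/null`, whose `Verify return code` line tells you whether the chain the server actually sent builds to a trusted root; `unable to get local issuer certificate` there almost always means a missing intermediate.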
Hardening
- Disable TLS 1.0 / 1.1. Use TLS 1.2 + 1.3 only.
- HSTS header: `Strict-Transport-Security: max-age=31536000; includeSubDomains; preload`. Roll it out with a short max-age and without `preload` first; add `preload` (and submit at hstspreload.org) only once every subdomain serves HTTPS, because the preload list is baked into browsers and takes months to leave.
- Configure cipher list via Mozilla SSL Config Generator — don't handcraft.
- Test with ssllabs.com/ssltest; grade A+ is the bar. Re-test after every TLS config change, since a stray setting can silently re-enable old protocols or drop the chain.