This directory contains SSL/TLS certificates for serving the TLS Scanner Portal over HTTPS.
ssl/
├── certs/ # Certificate files (.crt, .pem)
└── private/ # Private key files (.key, .pem)
Use the provided script to generate a self-signed certificate:
./scripts/generate-self-signed-cert.shThis creates:
ssl/certs/tlsscanner.crt- Self-signed certificatessl/private/tlsscanner.key- Private key
Note: Browsers will show a security warning for self-signed certificates. This is expected and safe for development/internal use.
For public-facing deployments, use Let's Encrypt with certbot:
# Install certbot
sudo apt-get install certbot
# Generate certificate (standalone mode - requires port 80 available)
sudo certbot certonly --standalone -d scanner.yourdomain.com
# Copy certificates to ssl directory
sudo cp /etc/letsencrypt/live/scanner.yourdomain.com/fullchain.pem ssl/certs/tlsscanner.crt
sudo cp /etc/letsencrypt/live/scanner.yourdomain.com/privkey.pem ssl/private/tlsscanner.key
sudo chown $USER:$USER ssl/certs/tlsscanner.crt ssl/private/tlsscanner.keyAuto-renewal: Set up a cron job to renew certificates:
0 0 1 * * certbot renew --quiet && cp /etc/letsencrypt/live/scanner.yourdomain.com/*.pem /opt/tlsscanner/ssl/certs/For production environments requiring trusted certificates:
-
Generate a Certificate Signing Request (CSR):
./scripts/generate-csr.sh
This interactive script will:
- Create a private key (2048, 4096, or 8192-bit RSA)
- Generate a CSR with your organization details
- Support multiple Subject Alternative Names (SANs)
- Provide the CSR file to submit to your CA
-
Submit the CSR to your Certificate Authority:
- DigiCert: https://www.digicert.com
- Sectigo: https://sectigo.com
- GlobalSign: https://www.globalsign.com
- GoDaddy, Entrust, or any other CA
-
Install the signed certificate:
# Save the certificate from your CA cat your-cert.crt > ssl/certs/tlsscanner.crt # If you have intermediate certificates, concatenate them: cat your-cert.crt intermediate.crt root.crt > ssl/certs/tlsscanner.crt
-
Verify the certificate matches the private key:
openssl x509 -noout -modulus -in ssl/certs/tlsscanner.crt | openssl md5 openssl rsa -noout -modulus -in ssl/private/tlsscanner.key | openssl md5 # The MD5 hashes should match
For corporate/internal environments with their own CA:
-
Generate a certificate signing request (CSR):
openssl req -new -newkey rsa:4096 -nodes \ -keyout ssl/private/tlsscanner.key \ -out ssl/tlsscanner.csr \ -subj "/C=US/ST=State/L=City/O=Organization/CN=scanner.company.com" -
Submit the CSR to your internal CA
-
Save the signed certificate to
ssl/certs/tlsscanner.crt
Ensure correct permissions for security:
chmod 644 ssl/certs/*.crt
chmod 600 ssl/private/*.keyAfter setting up certificates, verify them:
# Check certificate details
openssl x509 -in ssl/certs/tlsscanner.crt -text -noout
# Verify certificate matches private key
openssl x509 -noout -modulus -in ssl/certs/tlsscanner.crt | openssl md5
openssl rsa -noout -modulus -in ssl/private/tlsscanner.key | openssl md5
# The MD5 hashes should match
# Test the server
curl -v https://localhost:443"No such file or directory" error:
- Make sure certificate files exist with the correct names
- Check file permissions (nginx needs read access)
"Certificate verify failed":
- For self-signed: Expected, use
-kflag:curl -k https://localhost - For real certs: Check that intermediate certificates are included
"Permission denied":
- Fix permissions:
chmod 644 ssl/certs/*.crt && chmod 600 ssl/private/*.key - Ensure Docker has read access to the ssl directory