Greets again,

I have had numerous people asking me about using SSL certificates that do not come from Let's Encrypt/ACME but from a commercial Certificate Authority (CA) such as Namecheap. So in this blog post I will describe what I do to secure my private SSL key and limit access to the SSL certificates and directories.

As I cannot know in what format your SSL certificates and keys are delivered, I will assume that you have been provided with, or can convert the files into, a .crt certificate, a .key/.pem private key, and the Root CA (plus any intermediate) certificate.

It really doesn't matter where you put your SSL certificates and keys as long as you properly protect your private key file(s). The public certificate is public, so it needs no confidentiality protection; the only thing worth enforcing is that it stays owned by root and is not writable by anyone else, so that it cannot be swapped out.

Here is an example setup:

Create directories:

sudo mkdir /etc/ssl/zen
sudo mkdir /etc/ssl/zen/private

Place SSL files:

Put public SSL certificate(s) along with intermediate certificate(s) in /etc/ssl/zen
Put private ssl key(s) in /etc/ssl/zen/private

Set permissions:

Public Certificate(s)
sudo chmod 644 /etc/ssl/zen/*.crt
sudo chmod 755 /etc/ssl/zen

Private Key(s)
sudo chmod 640 /etc/ssl/zen/private/*.key
sudo chmod 710 /etc/ssl/zen/private
Note: The group permission on the key is READ (640) so that members of Ubuntu's ssl-cert group can read it; 600 also works, but then only the file's owner can read the key, so the account running zend must be that owner.
Note: chmod 710 rather than 700 gives the ssl-cert group traverse access to the directory, so its members can open the key by name without being able to list the directory.
Setting permission to 700 on /etc/ssl/zen/private also works, but then only the directory's owner can reach the key, so either run zend as that owner or chown the directory and key to the account that runs zend.

Set owner:

sudo chown -R root:root /etc/ssl/zen/
sudo chown -R root:ssl-cert /etc/ssl/zen/private/
Note: If the ssl-cert group does not exist (check with getent group ssl-cert), it is created by installing the ssl-cert package with sudo apt-get install ssl-cert. Alternatively, use root:root on the second line as well, or skip the second line; in that case only root can read the key with the modes above, so run zend as root or chown the private directory and key to the account that runs it.

Add user account to the ssl-cert group

You will also need to put the account you use to launch zend into the ssl-cert group, then log out and log back in, because group membership is only picked up by new login sessions. The user can be added to the group by running sudo adduser username ssl-cert, and you can confirm it with id username, which should list ssl-cert among the groups.
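Putting the directory, permission, ownership and group steps above together, here is a small shell script that creates the layout, applies the modes and checks the result. It is an added example, not code from the original post or from the Horizen project. It assumes GNU stat (with a BSD fallback), that the ssl-cert group may or may not exist, and that it may be run unprivileged, in which case chown is skipped; the group name and the file names are arguments or placeholders.

```shell
#!/bin/sh
# Added example, not code from the original post: create the /etc/ssl/zen
# layout described above, apply the modes, and check the result.
# Assumptions: GNU stat (-c) with a BSD fallback; optional ssl-cert group;
# chown is only attempted when running as root.
set -eu

file_mode() {
    # Octal permission bits of a path, e.g. 640.
    stat -c '%a' "$1" 2>/dev/null || stat -f '%Lp' "$1"
}

setup_zen_ssl_dirs() {
    # $1 = base dir (e.g. /etc/ssl/zen), $2 = group allowed to traverse private/.
    base="$1"; group="${2:-ssl-cert}"
    mkdir -p "$base/private"
    chmod 755 "$base"           # certs are public: anyone may list and read
    chmod 710 "$base/private"   # group may open files by name, not list them
    if [ "$(id -u)" -eq 0 ]; then
        chown -R root:root "$base"
        if getent group "$group" >/dev/null 2>&1; then
            chown -R "root:$group" "$base/private"
        fi
    fi
}

set_cert_modes() {
    # $1 = base dir. Public certs 644, private keys 640 (owner rw, group r, other none).
    base="$1"
    for f in "$base"/*.crt; do
        if [ -e "$f" ]; then chmod 644 "$f"; fi
    done
    for f in "$base"/private/*.key "$base"/private/*.pem; do
        if [ -e "$f" ]; then chmod 640 "$f"; fi
    done
}

check_private_key() {
    # $1 = key path. Succeeds only for 600 or 640: never readable by "other".
    mode="$(file_mode "$1")"
    case "$mode" in
        600|640) return 0 ;;
        *) echo "BAD: $1 has mode $mode (expected 600 or 640)" >&2; return 1 ;;
    esac
}

check_group_membership() {
    # $1 = user, $2 = group. Succeeds if the user is in the group (primary or
    # supplementary). Membership only shows up in sessions started after adduser.
    id -nG "$1" 2>/dev/null | tr ' ' '\n' | grep -qx "$2"
}

# Usage: sudo sh zen_ssl_perms.sh /etc/ssl/zen zenuser [ssl-cert]
# Nothing runs unless arguments are given, so the functions can also be sourced.
if [ "$#" -ge 2 ]; then
    base="$1"; user="$2"; group="${3:-ssl-cert}"
    setup_zen_ssl_dirs "$base" "$group"
    set_cert_modes "$base"
    for k in "$base"/private/*.key; do
        if [ -e "$k" ]; then check_private_key "$k"; fi
    done
    if check_group_membership "$user" "$group"; then
        echo "$user is in $group"
    else
        echo "$user is not in $group: run 'sudo adduser $user $group' and log in again" >&2
    fi
fi
```

Run it as root against the real directory after copying your files in; run the check functions alone at any time to confirm nothing has drifted (a key that becomes 644 is the classic mistake after re-copying it with a permissive umask).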

Adding Root CA to the trusted store

While this was covered in detail in an earlier blog post, I will re-outline it briefly here.

This step is only needed if the root that issued your certificate is not already in Ubuntu's ca-certificates bundle (the roots of most commercial CAs are; a private or internal CA is the usual reason to do this). To install a CA into the trusted store /etc/ssl/certs on Ubuntu, do the following:

  1. Create a directory for extra CA certificates in /usr/share/ca-certificates:
    sudo mkdir /usr/share/ca-certificates/extra
  2. Copy the CA .crt file to this directory:
    sudo cp yourCA.crt /usr/share/ca-certificates/extra/yourCA.crt
  3. Let Ubuntu add the .crt file's path relative to /usr/share/ca-certificates to /etc/ca-certificates.conf:
    sudo dpkg-reconfigure ca-certificates
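Before pointing zend at the files, it is worth confirming that the key really belongs to the certificate, that the certificate chains to a root the trust store now contains, and that it is not about to expire. The script below is an added example, not code from the original post or from zend; it assumes the openssl command-line tool is installed, that the private key is an unencrypted PEM file, and that the default bundle is /etc/ssl/certs/ca-certificates.crt (the file the ca-certificates package regenerates). Paths are passed as arguments, so the zen.conf values can be checked verbatim.

```shell
#!/bin/sh
# Added example, not code from the original post or from zend: pre-flight
# checks that the certificate, its private key and the trust store agree.
# Assumptions: openssl CLI on PATH; the private key is an unencrypted PEM file.
set -eu

key_matches_cert() {
    # $1 = certificate, $2 = private key. Compare the public keys rather than
    # RSA moduli so the check also covers EC keys.
    cert_pub="$(openssl x509 -in "$1" -noout -pubkey)"
    key_pub="$(openssl pkey -in "$2" -pubout)"
    [ "$cert_pub" = "$key_pub" ]
}

chain_verifies() {
    # $1 = certificate, $2 = trusted CA bundle (system store or your own CA),
    # $3 = optional file of untrusted intermediates to build the chain through.
    if [ -n "${3:-}" ]; then
        openssl verify -CAfile "$2" -untrusted "$3" "$1" >/dev/null 2>&1
    else
        openssl verify -CAfile "$2" "$1" >/dev/null 2>&1
    fi
}

cert_valid_for_days() {
    # $1 = certificate, $2 = days. Fails if the certificate expires within that window.
    openssl x509 -in "$1" -noout -checkend "$(( $2 * 86400 ))" >/dev/null
}

# Usage: sh zen_tls_check.sh /etc/ssl/zen/your_cert.crt \
#            /etc/ssl/zen/private/yourkey.key [ca_bundle] [intermediates]
# Nothing runs unless arguments are given, so the functions can also be sourced.
if [ "$#" -ge 2 ]; then
    cert="$1"; key="$2"
    cafile="${3:-/etc/ssl/certs/ca-certificates.crt}"
    inter="${4:-}"
    rc=0
    if key_matches_cert "$cert" "$key"; then echo "OK  key matches certificate"
    else echo "ERR private key does not belong to $cert"; rc=1; fi
    if chain_verifies "$cert" "$cafile" "$inter"; then echo "OK  chain verifies against $cafile"
    else echo "ERR chain does not verify; is the issuing root in the trust store?"; rc=1; fi
    if cert_valid_for_days "$cert" 30; then echo "OK  valid for at least 30 days"
    else echo "ERR certificate expires within 30 days"; rc=1; fi
    exit "$rc"
fi
```

If the chain check fails right after dpkg-reconfigure, re-run it with your CA's .crt passed explicitly as the bundle: if that passes, the root was not selected during the reconfigure step; if it still fails, pass the intermediate certificate(s) as the fourth argument, since a chain that needs an intermediate the verifier has never seen fails in exactly the same way.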

Add the paths to the certificate and key in zen.conf

Add the following lines to ~/.zen/zen.conf:

tlskeypath=/etc/ssl/zen/private/yourkey.key
tlscertpath=/etc/ssl/zen/your_cert.crt

Once you have done this, if the zend daemon is already running, stop it with zen-cli stop and then start it again by running zend, so that it picks up the new paths.

Now when you run zen-cli getnetworkinfo you should see "tls_cert_verified": true in the output. If it is false, the usual causes are that the account running zend cannot read the key (check ownership, modes and group membership) or that the certificate does not chain to a root in the trust store.

I hope that this blog post helps with installing and securing your SSL certificates. Sing out if you need any help, either on Slack or down below.