I have had numerous people asking me about using non-letsencrypt/acme SSL certificates provided by sources like Namecheap or other Certificate Authority (CA). So in this blog post I will be describing what I do to secure my private SSL key and limit access to the SSL certificates and directories.
As I will not know in what format your SSL certificates and keys are delivered, I will have to assume that you have been provided with, or can convert the required files into, the .crt, .key/.pem and Root CA files.
It really doesn't matter where you put your SSL certificates and keys as long as you properly protect your private key file(s). The public certificate is public; no protection needed - server privileges or otherwise.
Here is an example setup:
sudo mkdir /etc/ssl/zen
sudo mkdir /etc/ssl/zen/private
Place SSL files:
Put public SSL certificate(s) along with intermediate certificate(s) in
Put private SSL key(s) in
sudo chown -R root:root /etc/ssl/zen/
sudo chown -R root:ssl-cert /etc/ssl/zen/private/
Note: If you do not have the ssl-cert group, it can be installed with sudo apt-get install ssl-cert, or you can just use 'root:root' in the line above, or skip the 2nd line.
sudo chmod 644 /etc/ssl/zen/*.crt
sudo chmod 755 /etc/ssl/zen
sudo chmod 640 /etc/ssl/zen/private/*.key
sudo chmod 710 /etc/ssl/zen/private
Note: The group permission is set to READ (640) because of the Ubuntu ssl-cert group. '600' is fine as well.
Note: chmod 710 supports the ssl-cert group under Ubuntu (see comments). Setting the permission to 700 on /etc/ssl/zen/private will also work fine.
Add user account to the ssl-cert group
You will also need to put the account you use to launch zend into the ssl-cert group, then log out and log back in. The user can be added to the ssl-cert group by running
sudo adduser username ssl-cert
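To check that the layout above actually ended up the way it should (root ownership, 710/700 on the private directory, 640/600 on the keys, no key left sitting in the world-readable certificate directory), here is a small POSIX shell audit. It is an added example and not part of the original post or of zend; the paths, file extensions and the ssl-cert group are the post's, while the function names and the optional GROUP/OWNER parameters are this example's own.

```shell
#!/bin/sh
# Added example, not from the original post: audit a certificate directory laid
# out as /etc/ssl/zen (public *.crt) plus /etc/ssl/zen/private (*.key) and
# report anything that leaves the private key exposed.
#
# Usage: audit_ssl_dir /etc/ssl/zen [GROUP] [OWNER]   (defaults: ssl-cert root)
# Exit status 0 = layout is safe, 1 = at least one FAIL line was printed.

# Octal permission bits of a path, e.g. "640" (GNU stat, with BSD stat fallback).
mode_of() {
    stat -c '%a' "$1" 2>/dev/null || stat -f '%Lp' "$1"
}

# "user:group" owning a path.
owner_of() {
    stat -c '%U:%G' "$1" 2>/dev/null || stat -f '%Su:%Sg' "$1"
}

audit_ssl_dir() {
    base="$1"; grp="${2:-ssl-cert}"; owner="${3:-root}"; rc=0
    priv="$base/private"
    [ -d "$priv" ] || { echo "FAIL: $priv does not exist"; return 1; }

    # The public directory may be world-readable (755) but never world-writable.
    case "$(mode_of "$base")" in
        *[2367]) echo "FAIL: $base is world-writable"; rc=1 ;;
    esac

    # The private directory must be 710 (ssl-cert group may traverse) or 700.
    m=$(mode_of "$priv")
    case "$m" in
        700) ;;
        710) [ "$(owner_of "$priv")" = "$owner:$grp" ] \
                || { echo "FAIL: $priv is 710 but owned by $(owner_of "$priv"), expected $owner:$grp"; rc=1; } ;;
        *)   echo "FAIL: $priv mode $m, expected 710 or 700"; rc=1 ;;
    esac

    # A key dropped into the public directory is the classic mistake: it would
    # get the 644 intended for certificates and be readable by every local user.
    for k in "$base"/*.key; do
        [ -e "$k" ] || continue
        echo "FAIL: private key $k is outside $priv"; rc=1
    done

    # Each private key: 640 with group ssl-cert (or root), or 600; owned by $owner.
    for k in "$priv"/*.key; do
        [ -e "$k" ] || continue
        m=$(mode_of "$k"); og=$(owner_of "$k")
        case "$m" in
            600) ;;
            640) case "$og" in
                     "$owner:$grp"|"$owner:root") ;;
                     *) echo "FAIL: $k is 640 but owned by $og"; rc=1 ;;
                 esac ;;
            *)   echo "FAIL: $k mode $m, expected 640 or 600"; rc=1 ;;
        esac
        [ "${og%%:*}" = "$owner" ] \
            || { echo "FAIL: $k owned by ${og%%:*}, expected $owner"; rc=1; }
    done

    # Certificates are public; only a world-writable certificate is a problem.
    for c in "$base"/*.crt; do
        [ -e "$c" ] || continue
        case "$(mode_of "$c")" in
            *[2367]) echo "FAIL: $c is world-writable"; rc=1 ;;
        esac
    done
    return $rc
}

# When run directly with arguments, audit that directory (e.g. /etc/ssl/zen).
if [ $# -gt 0 ]; then
    audit_ssl_dir "$@"
fi
```

Run it as `sh audit.sh /etc/ssl/zen` after the chown/chmod steps; a clean run prints nothing and exits 0, and each FAIL line names the exact path and mode to fix. Group checks are only applied where the mode grants group access (710 on the directory, 640 on a key), so a 700/600 setup passes without an ssl-cert group at all.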
Adding Root CA to the trusted store
While this was covered in detail in this blog post, I will briefly outline it again here.
To install a CA into the trusted store /etc/ssl/certs on Ubuntu, do the following:
- Create a directory for extra CA certificates in /usr/share/ca-certificates:
sudo mkdir /usr/share/ca-certificates/extra
- Copy the CA .crt file to this directory:
sudo cp yourCA.crt /usr/share/ca-certificates/extra/yourCA.crt
- Let Ubuntu add the .crt file's path relative to /usr/share/ca-certificates to /etc/ca-certificates.conf:
sudo dpkg-reconfigure ca-certificates
Add the paths to the certificate and key in zen.conf
Add the following lines to
Once you have done this, if you already have the zend daemon running, you will need to stop it with zen-cli stop and then restart the daemon by running
Now when you run zen-cli getnetworkinfo you should see "tls_cert_verified": true in the output.
I hope that this blog post helps with installing and securing your SSL certificates. Sing out if you need any help, either on Slack or down below.