Below are some common tips for working with SSL certificates.
1. Checking your certificate health
To check whether your certificate is installed correctly, an online tool such as the Qualys SSL Labs server test can help.
2. Download the bundle file from your CA
Your CA may provide a tool to check whether your certificate was installed successfully. If the installation is not correct (typically a missing intermediate certificate), you can download the bundle file from the test result.
Namecheap SSL Checker: https://decoder.link/sslchecker/
3. Other common settings to enable
– Session reuse
Session reuse is one of the most important mechanisms for improving TLS performance: by submitting an appropriate blob (a session ID or ticket) to the server, a client can trigger an abbreviated handshake, which reduces both latency and computation time.
# Enable cache
ssl_session_cache shared:SSL:10m;
ssl_session_timeout 10m;
– Forward Secrecy
Perfect Forward Secrecy, often just called Forward Secrecy, is a property of the key exchange that protects each session with its own ephemeral key. An attacker who later obtains the key for a single session (or even the server's long-term private key) cannot use it to decrypt other recorded sessions.
# Enable Forward Secrecy settings
ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
ssl_prefer_server_ciphers on;
ssl_ciphers "EECDH+ECDSA+AESGCM EECDH+aRSA+AESGCM EECDH+ECDSA+SHA384 EECDH+ECDSA+SHA256 EECDH+aRSA+SHA384 EECDH+aRSA+SHA256 EECDH+aRSA+RC4 EECDH EDH+aRSA RC4 !aNULL !eNULL !LOW !3DES !MD5 !EXP !PSK !SRP !DSS !RC4";
Note that TLSv1 and TLSv1.1 are deprecated (RFC 8996), so on a current nginx/OpenSSL you can restrict ssl_protocols to TLSv1.2 TLSv1.3. The trailing !RC4 removes the RC4 suites that the earlier EECDH+aRSA+RC4 and RC4 entries would otherwise add, so no RC4 suite is ever offered.
– OCSP stapling
OCSP stapling enhances the OCSP protocol by letting the web server take a more proactive role in improving the client (browser) experience. With stapling, the certificate presenter (i.e. the web server) queries the OCSP responder itself and caches the signed response. That cached response is then delivered during the TLS/SSL handshake via the Certificate Status Request extension, so the browser gets the certificate status with the same response performance as the website content.
OCSP stapling addresses a privacy concern with OCSP because the CA no longer receives the revocation requests directly from the client (browser). OCSP stapling also addresses concerns about OCSP SSL negotiation delays by removing the need for a separate network connection to a CA’s responders.
# Enable OCSP Stapling
ssl_stapling on;
ssl_stapling_verify on;
For this to work in nginx, a resolver directive is needed so the server can look up the OCSP responder's hostname, and ssl_stapling_verify requires the issuer chain to be configured with ssl_trusted_certificate.
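To check a configuration against the points in this section before deploying it, here is an added example (not from the original post) of a small Python audit over the three directive groups covered above; SAMPLE_CONFIG is a constructed, shortened copy of the page's directives, and the parser handles only simple one-line directives.

```python
# Constructed sample: a shortened copy of this page's directives gathered in
# one block; it is not a complete nginx server configuration.
SAMPLE_CONFIG = """
ssl_session_cache shared:SSL:10m;
ssl_session_timeout 10m;
ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
ssl_prefer_server_ciphers on;
ssl_ciphers "EECDH+aRSA+AESGCM EDH+aRSA RC4 !aNULL !eNULL !RC4";
ssl_stapling on;
ssl_stapling_verify on;
"""

DEPRECATED_PROTOCOLS = {"SSLv2", "SSLv3", "TLSv1", "TLSv1.1"}
# OpenSSL selectors that only match ephemeral (forward-secret) key exchange.
EPHEMERAL_PREFIXES = ("EECDH", "ECDHE", "EDH", "DHE")

def parse_directives(text):
    """Map each one-line 'name args;' directive to its argument list."""
    directives = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip().rstrip(";").strip()
        if not line:
            continue
        name, _, args = line.partition(" ")
        directives[name] = args.strip().strip('"').split()
    return directives

def audit_tls(text):
    """Return findings for the session-reuse, PFS and OCSP settings."""
    d = parse_directives(text)
    findings = []
    if "ssl_session_cache" not in d:
        findings.append("no ssl_session_cache: abbreviated handshakes unavailable")
    bad = DEPRECATED_PROTOCOLS & set(d.get("ssl_protocols", []))
    if bad:
        findings.append("deprecated protocols enabled: " + " ".join(sorted(bad)))
    selectors = d.get("ssl_ciphers", [])
    for sel in (s for s in selectors if not s.startswith("!")):
        if "!" + sel in selectors:  # a later !X removes what X added
            findings.append(f"cipher selector {sel} is cancelled by !{sel}")
        elif not sel.startswith(EPHEMERAL_PREFIXES):
            findings.append(f"cipher selector {sel} allows non-ephemeral key exchange")
    if d.get("ssl_stapling") == ["on"]:
        if "resolver" not in d:
            findings.append("ssl_stapling needs a resolver to reach the OCSP responder")
        if d.get("ssl_stapling_verify") == ["on"] and "ssl_trusted_certificate" not in d:
            findings.append("ssl_stapling_verify needs ssl_trusted_certificate (issuer chain)")
    return findings
```

Run `audit_tls` over your own ssl block; an empty list means the three settings discussed here are present without the deprecated-protocol, cancelled-selector or missing-resolver pitfalls.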