Certificate management for Lighttpd

Private Key and CSR Generation

You can find our private key and CSR generation documentation for OpenSSL. Lighttpd's configuration directory is usually /etc/lighttpd/.

Installing a Certificate

To enable SSL/TLS, add the following directives either to your global configuration or to the socket block listening on port 443. A socket block inherits the global configuration. Here is an example for a socket block:
  $SERVER["socket"] == ":443" {
      ssl.engine                  = "enable"
      ssl.pemfile                 = "/etc/lighttpd/ssl/www.example.org.pem"
      ssl.ca-file                 = "/etc/lighttpd/ssl/www.example.org-chain.pem"

      # Disable obsolete protocols
      ssl.use-sslv2               = "disable" # Useful for lighttpd < 1.4.21
      ssl.use-sslv3               = "disable" # Available from lighttpd >= 1.4.29

      # Cipher selection
      ssl.honor-cipher-order      = "enable" # Enabled by default
      ssl.cipher-list             = "!EDH:!RC4:!ADH:!DSS:HIGH:+AES128:+AES256-SHA256:+AES128-SHA256:+SHA:!3DES"

      # DH and ECDH parameters (available from lighttpd >= 1.4.29)
      ssl.dh-file                 = "/etc/lighttpd/ssl/dhparams.pem" # Requires generating the file; see our security recommendations.
      ssl.ec-curve                = "secp384r1"

      # Security headers (HSTS, framing, and nosniff)
      setenv.add-response-header = (
        "Strict-Transport-Security" => "max-age=63072000; includeSubdomains; preload",
        "X-Frame-Options" => "DENY",
        "X-Content-Type-Options" => "nosniff"
      )
  }
This .pem file must contain both your private key and your certificate. If you have them in separate files, concatenate them, for example:
  cat www.example.org.key www.example.org.crt > www.example.org.pem
Since the file holds the private key, you should also restrict access to it to the lighttpd user only:
  chmod 400 /etc/lighttpd/ssl/www.example.org.pem

SNI

If you host multiple sites or domain names, configure SNI so that the right certificate is served for each site:
  $SERVER["socket"] == ":443" {
      ssl.pemfile = "/etc/lighttpd/ssl/the-default-domain.com.pem"

      $HTTP["host"] == "www.example.org" {
          ssl.pemfile = "/etc/lighttpd/www.example.org.pem"
      }

      $HTTP["host"] == "mail.example.org" {
          ssl.pemfile = "/etc/lighttpd/mail.example.org.pem"
      }
  }

Security recommendations

Strong Diffie-Hellman parameters

These options are only available for lighttpd >= 1.4.29. We recommend generating strong DH parameters that are unique to your server, which increases its security. To do so, run the following command and place the resulting file in a directory readable by the web server:
  openssl dhparam -out dhparams.pem 2048
You can then add this file to your SSL configuration:
  ssl.dh-file                 = "/etc/lighttpd/ssl/dhparams.pem"
We also recommend choosing a strong curve for ECDH:
  ssl.ec-curve                = "secp384r1"

Disable TLS compression

By default, TLS compression should be disabled. If your build still has it enabled, you can disable it with the following directive:
  ssl.use-compression         = "disable"

Enable HSTS

HTTP Strict Transport Security (HSTS) ensures that, once a browser has connected to your site over HTTPS, it keeps using HTTPS for later visits. To enable it, add the following header:
  setenv.add-response-header = (
      "Strict-Transport-Security" => "max-age=63072000; includeSubdomains; preload"
  )
We also recommend forbidding other sites from framing your pages and limiting MIME sniffing:
  setenv.add-response-header = (
      "Strict-Transport-Security" => "max-age=63072000; includeSubdomains; preload",
      "X-Frame-Options" => "DENY",
      "X-Content-Type-Options" => "nosniff"
  )
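To check a lighttpd configuration against the socket block shown above and the recommendations in this section, here is a small linter written for this page (example code, not from TBS or the lighttpd project). It only recognises the directives and header names used on this page, ignores block nesting, and runs on a constructed weak fragment; it is not a full lighttpd config parser.

```python
import re
# Directives this page recommends for the ":443" socket block, with the value
# each should carry ("" means the directive only has to be present).
RECOMMENDED = {
    "ssl.engine": "enable", "ssl.use-sslv2": "disable", "ssl.use-sslv3": "disable",
    "ssl.use-compression": "disable", "ssl.honor-cipher-order": "enable",
    "ssl.dh-file": "", "ssl.ec-curve": "",
}
REQUIRED_HEADERS = ("Strict-Transport-Security", "X-Frame-Options", "X-Content-Type-Options")
# `key = "value"` directives and `"Header" => "value"` pairs (trailing # comments are harmless).
_ASSIGN = re.compile(r'^\s*([\w.\-]+)\s*=\s*"([^"]*)"')
_HEADER = re.compile(r'"([A-Za-z\-]+)"\s*=>\s*"([^"]*)"')

def parse_config(text):
    """Collect directives and response headers; block nesting is ignored on purpose."""
    directives, headers = {}, {}
    for raw in text.splitlines():
        if raw.lstrip().startswith("#"):  # a commented-out directive does not count
            continue
        m = _ASSIGN.match(raw)
        if m:
            directives[m.group(1)] = m.group(2)
        for name, value in _HEADER.findall(raw):
            headers[name] = value
    return directives, headers

def lint_tls_config(text):
    """Return the recommendations from this page that the fragment does not meet."""
    directives, headers = parse_config(text)
    findings = []
    for key, want in RECOMMENDED.items():
        got = directives.get(key)
        if got is None:
            findings.append(f"{key} is missing")
        elif want and got != want:
            findings.append(f'{key} is "{got}", expected "{want}"')
    findings += [f"{h} header is missing" for h in REQUIRED_HEADERS if h not in headers]
    return findings

# Constructed fragment: a socket block that left SSLv3 on and compression commented out.
WEAK_CONFIG = '''
$SERVER["socket"] == ":443" {
    ssl.engine    = "enable"
    ssl.pemfile   = "/etc/lighttpd/ssl/www.example.org.pem"
    ssl.use-sslv3 = "enable"   # left on for an old client
    #ssl.use-compression = "disable"
    setenv.add-response-header = ( "Strict-Transport-Security" => "max-age=63072000" )
}
'''
```

Running lint_tls_config(WEAK_CONFIG) reports eight findings, including the SSLv3 value and the commented-out compression directive; the hardened block from this page yields none.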
