A confident deployment guide for TLS and PKI
Explore our guide
In this guide

Preface

Our journey to achieving good network transport security has been long and fraught with difficulties. In the 1990s—when this story began with the early versions of SSL and the Netscape browser—the main challenges were lack of good encryption standards, restrictions on the export of cryptography, and insufficiently powerful computer chips. It took us a good three decades to work through these problems. During that period, a few things improved. The export restrictions went away and computers became faster. A few other things became worse, chiefly because the web platform continued to evolve organically without sufficient thought given to security.

But we collectively kept chipping away at the problems, eventually figuring out what secure network protocols should look like and what kind of security we’d like to have. We figured out that we don’t have to configure each and every server individually and that we can instead rely on the secure and sane defaults now available. We also figured out that we don’t need to manually rotate every single certificate and that automation can achieve much better results with far less time and effort.

At some point, the threads of our progress started to converge, and there is now a feeling that transport security is within our reach. Your reach. Things are significantly better, but we’re not quite there just yet. The field remains complex and filled with many moving parts that need to be accounted for. Some assembly is required.

The guide that’s in front of you has been designed to get you over the finish line. If you follow the assembly instructions specified herein, you will be able to deploy TLS and PKI with confidence. Yes, there will still be things you’ll need to figure out, but the path should at least be predictable and easy to follow.

I have been involved with SSL/TLS and PKI in some form since the early days, but especially in the last two decades, focusing my efforts on what I sometimes like to call the last mile of transport security. My work consisted chiefly of researching the field and communicating my findings in various forms.

For example, SSL Labs, one of my earlier projects, provided free assessments of SSL/TLS and PKI configuration and ended up being fairly successful. It happened to be right there when the world decided to start caring about such things, roughly around the time of Heartbleed. (Look it up.) In the end, SSL Labs helped improve the security of millions of web sites, and I’m very happy with that. These days, you’re probably better off taking a look at my followup project, Hardenize, which helps with problems related to a wider range of network and security standards.

Most of what I learned has been recorded in my book Bulletproof TLS and PKI, which I’ve been continuously writing and publishing for about a decade now. You should definitely read it if you’re involved with computer security, software development, or system administration. But even if you don’t have time for that, this guide will tell you everything you need to know. In fact, this guide has been taken directly from my book and published stand-alone for the very purpose of being easily available to a large audience.

- Ivan Ristić

LinkedInInstagram