Webserver and SSL Setup

The university allows you to get a certificate from the TERENA certification authority free of charge. You can apply for it yourself or, should you need any help, write to unix@fi.muni.cz. Alternatively, you can use the Let's Encrypt certification authority; again, you can contact the authority yourself or have your LE certificate issued via unix@fi.

In addition to introducing HTTPS, please make sure the configuration is reasonably secure. To test your configuration, you may use the following tools:

SSL Parameters

The best way is to use the configuration generator available at https://wiki.mozilla.org/Security/Server_Side_TLS. This tool generates configurations based upon the latest cryptographic/security recommendations.

We recommend testing the resulting configuration with Qualys (see above). Aim for a Qualys score of A- or A; note, however, that some older clients may not support the ciphers required to reach an A.

HTTP Strict Transport Security – HSTS

If you are creating a new website, it is particularly important to redirect HTTP to HTTPS straight away and to send the HTTP Strict-Transport-Security (HSTS) header, which tells browsers to access the site exclusively via HTTPS for a given period.

If the Apache webserver is used, the configuration would look as follows:

<VirtualHost fqdn.fi.muni.cz:80>
    ServerName fqdn.fi.muni.cz
    # send every plain-HTTP request to the HTTPS site (301)
    Redirect permanent / https://fqdn.fi.muni.cz/
</VirtualHost>

<VirtualHost fqdn.fi.muni.cz:443>
    ServerName fqdn.fi.muni.cz
    # requires mod_headers; gradually increase up to max-age=15552000
    Header always set Strict-Transport-Security "max-age=3600;"
</VirtualHost>

The period for which browsers remember that HTTPS must be used is set by max-age. For existing websites it is recommended to start with a low value and increase it gradually, so that any problems surface while they are still short-lived: for instance an hour (3600), a day (86400), a week (604800), a month (2592000), up to half a year (15552000).
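To check that a deployment actually does what the section above asks for (a permanent redirect from port 80 to https://, and a valid HSTS header on port 443), the following added example parses a Strict-Transport-Security value the way RFC 6797 specifies and evaluates a pair of responses. It is not part of the original page or of the university's tooling; the responses it checks are constructed to match the Apache snippet above, and the RECOMMENDED_MAX_AGE constant is the half-year target the page gives.

```python
"""Offline checker for an HTTP->HTTPS redirect plus an HSTS header.

Added example, not part of the original page. The sample responses at the
bottom are constructed, not captured from any real host.
"""
import re
from dataclasses import dataclass
from typing import Optional

# Half a year, the final max-age value recommended on the page.
RECOMMENDED_MAX_AGE = 15552000

# One RFC 6797 directive: name[=value]; the value may be a quoted string.
_DIRECTIVE = re.compile(
    r"""\s*([A-Za-z0-9!#$%&'*+.^_`|~-]+)\s*(?:=\s*("(?:[^"\\]|\\.)*"|[^;\s]*))?\s*"""
)


@dataclass
class HSTSPolicy:
    max_age: int
    include_subdomains: bool = False
    preload: bool = False


def parse_hsts(value: str) -> Optional[HSTSPolicy]:
    """Return the policy encoded in a Strict-Transport-Security value.

    Returns None when a conforming browser would ignore the header:
    max-age missing or non-numeric, or any directive given twice.
    Empty directives (e.g. the trailing ';' used on the page) are legal
    and skipped; unknown directives are ignored.
    """
    seen = set()
    max_age = None
    include_subdomains = preload = False
    for raw in value.split(";"):
        if not raw.strip():
            continue  # empty directive such as a trailing ';'
        m = _DIRECTIVE.fullmatch(raw)
        if not m:
            return None
        name = m.group(1).lower()
        if name in seen:
            return None  # duplicated directive invalidates the header
        seen.add(name)
        val = m.group(2)
        if val is not None and val.startswith('"'):
            val = val[1:-1]  # strip the quotes of a quoted-string value
        if name == "max-age":
            if val is None or not val.isdigit():
                return None
            max_age = int(val)
        elif name == "includesubdomains":
            include_subdomains = True
        elif name == "preload":
            preload = True
    if max_age is None:
        return None
    return HSTSPolicy(max_age, include_subdomains, preload)


def check_site(http_status: int, http_location: str, https_headers: dict) -> dict:
    """Evaluate the port-80 answer (status + Location) and the port-443 headers."""
    findings = {}
    # "Redirect permanent" sends 301; 308 is the other permanent code.
    findings["redirects_to_https"] = (
        http_status in (301, 308) and http_location.startswith("https://")
    )
    # header names are case-insensitive
    hsts_value = next(
        (v for k, v in https_headers.items()
         if k.lower() == "strict-transport-security"),
        None,
    )
    policy = parse_hsts(hsts_value) if hsts_value is not None else None
    findings["hsts_valid"] = policy is not None
    findings["max_age"] = policy.max_age if policy else 0
    findings["at_recommended_max_age"] = (
        policy is not None and policy.max_age >= RECOMMENDED_MAX_AGE
    )
    return findings


# Constructed sample responses matching the Apache snippet on the page.
SAMPLE_HTTP_STATUS = 301
SAMPLE_HTTP_LOCATION = "https://fqdn.fi.muni.cz/"
SAMPLE_HTTPS_HEADERS = {
    "Content-Type": "text/html",
    "Strict-Transport-Security": "max-age=3600;",
}

if __name__ == "__main__":
    print(check_site(SAMPLE_HTTP_STATUS, SAMPLE_HTTP_LOCATION, SAMPLE_HTTPS_HEADERS))
```

For the constructed responses the checker reports the redirect as correct and the HSTS header as valid, but not yet at the recommended half-year max-age, which is exactly the state a site is in during the first step of the ramp-up described above.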

Other security headers

Besides HSTS you can set other security-related HTTP headers (e.g. Content-Security-Policy, X-Frame-Options, ...). There are many options, but we won't go into the details here.

For an overview of these headers, and to test how your site deploys them, you can use the tool at Security Headers.