SSL Certificate Guide

Guides SSL/TLS certificate selection, installation, renewal automation, and troubleshooting for web servers, with protocol configuration for optimal security ratings.

Tags: security, SSL, TLS, certificates, HTTPS, encryption

Set up and manage SSL/TLS certificates for secure connections. Covers certificate types, installation, auto-renewal, protocol configuration, and troubleshooting common issues.

Usage

Describe your hosting setup and SSL needs. The guide provides specific steps for obtaining, installing, and maintaining certificates with optimal TLS configuration for your web server.

Parameters

  • Server: Nginx, Apache, Caddy, AWS, or Cloud platform
  • Certificate type: Let's Encrypt (free), DV, OV, EV, or Wildcard
  • Task: New setup, Renewal, Migration, or Troubleshooting
  • Environment: Single domain, Multi-domain (SAN), or Wildcard

Examples

  1. Let's Encrypt + Nginx: Complete setup from certbot installation through automatic renewal cron job, with Nginx SSL configuration achieving an A+ rating on SSL Labs.
  2. Wildcard Certificate: Set up a wildcard certificate for *.example.com using DNS-01 challenge with Cloudflare DNS, including subdomain coverage verification.
  3. Certificate Troubleshooting: Diagnose and fix common issues: mixed content warnings, certificate chain problems, expired intermediate certs, and HSTS conflicts.
  4. Cloud Platform SSL: Configure SSL on AWS ALB/CloudFront with ACM-managed certificates, including redirect rules and multi-region considerations.

Guidelines

  • Certificate types are compared by validation level, trust indicators, and cost justification
  • TLS protocol configuration disables TLS 1.0/1.1 and weak cipher suites
  • Cipher suite ordering follows Mozilla's recommended configurations (Modern, Intermediate)
  • Automatic renewal is set up with pre/post hooks for zero-downtime certificate rotation
  • OCSP stapling is configured for faster TLS handshakes and privacy improvement
  • Certificate chain validation ensures intermediate certificates are properly served
  • Key size recommendations: RSA 2048+ or ECDSA P-256 (preferred for performance)
  • CAA DNS records are configured to restrict which CAs can issue certificates
  • Monitoring and alerting for certificate expiration prevents surprise outages
  • SSL Labs test commands and expected ratings are provided for verification
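The following Nginx server block is an added example of the guideline settings above (TLS 1.2/1.3 only, Mozilla Intermediate cipher list, OCSP stapling, full certificate chain, HSTS). It is not part of the original guide; it assumes a Let's Encrypt certificate for the hypothetical domain example.com stored under the default certbot path /etc/letsencrypt/live/example.com/, and a local DNS resolver at 127.0.0.53, both of which are assumptions to adjust for your host.

```nginx
# Redirect all plaintext HTTP to HTTPS (assumed domain: example.com)
server {
    listen 80;
    listen [::]:80;
    server_name example.com www.example.com;
    return 301 https://$host$request_uri;
}

server {
    listen 443 ssl;
    listen [::]:443 ssl;
    server_name example.com www.example.com;

    # fullchain.pem contains the leaf plus intermediates; serving cert.pem
    # alone is the classic "incomplete chain" finding on SSL Labs.
    ssl_certificate     /etc/letsencrypt/live/example.com/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/example.com/privkey.pem;

    # Protocols and ciphers per Mozilla "Intermediate": no TLS 1.0/1.1,
    # AEAD suites with forward secrecy only; TLS 1.3 suites are implicit.
    ssl_protocols TLSv1.2 TLSv1.3;
    ssl_ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384;
    ssl_prefer_server_ciphers off;

    # Session resumption via cache; tickets off so a long-lived ticket key
    # cannot undermine forward secrecy.
    ssl_session_timeout 1d;
    ssl_session_cache shared:SSL:10m;
    ssl_session_tickets off;

    # OCSP stapling: nginx fetches the revocation status and attaches it to
    # the handshake, so clients need not contact the CA themselves.
    ssl_stapling on;
    ssl_stapling_verify on;
    ssl_trusted_certificate /etc/letsencrypt/live/example.com/chain.pem;
    resolver 127.0.0.53 valid=300s;   # assumed local resolver
    resolver_timeout 5s;

    # HSTS: browsers will refuse plain HTTP for max-age seconds once seen.
    # Start with a short max-age while testing; raise to 63072000 (2 years)
    # only once every subdomain that will be covered serves valid HTTPS.
    add_header Strict-Transport-Security "max-age=300" always;

    root /var/www/example.com;
    index index.html;
}
```

After `nginx -t && systemctl reload nginx`, the stapled response and the served chain can be checked with `openssl s_client -connect example.com:443 -servername example.com -status < /dev/null`; an `OCSP Response Status: successful` line confirms stapling and the `Certificate chain` section should list the intermediate. For zero-downtime rotation, the renewal job can reload nginx only when a certificate actually changed, for example `certbot renew --deploy-hook "systemctl reload nginx"`.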