Jun 16

Nginx Server SSL Certificate Installation:

Create a real SSL Certificate

1. Make sure OpenSSL is installed and in your PATH.

2. Create an RSA private key for your Apache server (it will be Triple-DES encrypted and PEM formatted):
         $ openssl genrsa -des3 -out server.key 1024
Back up this server.key file and the pass-phrase you entered in a secure location. You can see the details of this RSA private key with:
         $ openssl rsa -noout -text -in server.key
If necessary, you can also create a decrypted PEM version (not recommended) of this RSA private key with:
         $ openssl rsa -in server.key -out server.key.unsecure

3. Create a Certificate Signing Request (CSR) with the server's RSA private key (the output will be PEM formatted):
         $ openssl req -new -key server.key -out server.csr
Make sure you enter the FQDN ("Fully Qualified Domain Name") of the server when OpenSSL prompts you for the "CommonName"; e.g. when you generate a CSR for a website that will later be accessed via https://www.yourdomain.dom/, enter "www.yourdomain.dom" here. You can see the details of this CSR with:
         $ openssl req -noout -text -in server.csr

4. You now have to send this Certificate Signing Request (CSR) to a Certifying Authority (CA) to be signed. Once the CSR has been signed, you will have a real Certificate, which can be used by Apache. You can have a CSR signed by a commercial CA, or you can create your own CA to sign it.
Commercial CAs usually ask you to paste the CSR into a web form, pay for the signing, and then send back a signed Certificate, which you can store in a server.crt file. For more information about commercial CAs see the following locations:

  1. Verisign
    http://digitalid.verisign.com/server/apacheNotice.htm
  2. Thawte
    http://www.thawte.com/
  3. CertiSign Certificadora Digital Ltda.
    http://www.certisign.com.br
  4. IKS GmbH
    http://www.iks-jena.de/leistungen/ca/
  5. Uptime Commerce Ltd.
    http://www.uptimecommerce.com
  6. BelSign NV/SA
    http://www.belsign.be

For details on how to create your own CA, and use this to sign a CSR, see below.
Once your CSR has been signed, you can see the details of the Certificate as follows:
         $ openssl x509 -noout -text -in yourdomain.crt

Copy the Certificate files to your server:

Copy the signed certificate (yourdomain.crt), along with the private key file (server.key) you generated when you created the CSR, to the directory on your server where you will keep your certificate and key files. Make them readable by root only to increase security.

Edit the Nginx virtual hosts file.

Now open your Nginx virtual host file for the website you are securing. If you need your site to be accessible through both secure (https) and non-secure (http) connections, you will need a server block for each type of connection. Make a copy of the existing non-secure server block and paste it below the original. Then add the ssl_* lines shown below:

server {
    listen   443;

    # TLS settings: the certificate (with any intermediate appended) and its private key.
    # Note: on nginx 1.15+ "ssl on;" is deprecated in favour of "listen 443 ssl;".
    ssl    on;
    ssl_certificate    /etc/ssl/yourdomain.crt;
    ssl_certificate_key    /etc/ssl/server.key;

    server_name www.yourdomain.com;
    access_log /var/log/nginx/nginx.vhost.access.log;
    error_log /var/log/nginx/nginx.vhost.error.log;

    location / {
        root   /home/www/public_html/your.domain.com/public/;
        index  index.html;
    }
}

Adjust the file names to match your certificate files:

  • ssl_certificate should be your primary certificate combined with the intermediate certificate that you made in the previous step (e.g. your_domain_name.crt).
  • ssl_certificate_key should be the key file generated when you created the CSR.
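The whole procedure above, as an added example that is not code from the original post: it runs the key and CSR steps without prompts, stands in for the CA by self-signing (a real deployment uses the yourdomain.crt the CA returns), assembles the combined certificate file the ssl_certificate directive expects, and checks key/certificate consistency and bundle order before nginx is pointed at the files. The working directory, the FQDN and the file names are assumptions; OpenSSL 1.1.1 or newer is required for -addext.

```shell
#!/bin/sh
# Added example (not from the original post). Hypothetical paths and names.
set -e
command -v openssl >/dev/null 2>&1 || { echo "openssl not in PATH (step 1)" >&2; exit 1; }

WORK="${WORK:-$(mktemp -d)}"      # assumed working directory
FQDN="www.yourdomain.dom"         # assumed CommonName / SAN to request

# 1. Private key and CSR. No pass-phrase, because nginx cannot answer a prompt
#    at start-up; 2048 bits, the smallest size public CAs accept today.
gen_key_and_csr() {
    umask 077                     # key file is created readable by its owner only
    openssl genrsa -out "$WORK/server.key" 2048 2>/dev/null
    openssl req -new -key "$WORK/server.key" -out "$WORK/server.csr" \
        -subj "/CN=$FQDN" -addext "subjectAltName=DNS:$FQDN"
}

# 2. Stand-in for the CA: self-sign so the remaining steps can be exercised
#    locally. Browsers will not trust this; it only drives the checks below.
sign_csr_locally() {
    openssl x509 -req -in "$WORK/server.csr" -signkey "$WORK/server.key" \
        -days 30 -out "$WORK/yourdomain.crt" 2>/dev/null
}

# 3. ssl_certificate must hold the server certificate first, followed by the
#    CA's intermediate(s); pass the intermediate files as arguments.
build_bundle() {
    cat "$WORK/yourdomain.crt" "$@" > "$WORK/yourdomain.bundle.crt"
}

# 4. Checks to run before reloading nginx: certificate and key must carry the
#    same public key (nginx refuses to start otherwise), and the first
#    certificate in the bundle must be the leaf issued for the FQDN.
cert_matches_key() {   # $1 = key file, $2 = certificate (or bundle) file
    k=$(openssl pkey -in "$1" -pubout -outform DER 2>/dev/null | openssl sha256)
    c=$(openssl x509 -in "$2" -pubkey -noout \
        | openssl pkey -pubin -outform DER 2>/dev/null | openssl sha256)
    [ "$k" = "$c" ]
}
bundle_starts_with_leaf() {   # $1 = bundle; x509 reads only the first cert
    openssl x509 -in "$1" -noout -subject | grep -q "CN *= *$FQDN"
}

gen_key_and_csr
sign_csr_locally
build_bundle        # add "$WORK/intermediate.crt" here when the CA supplies one
cert_matches_key "$WORK/server.key" "$WORK/yourdomain.bundle.crt"
bundle_starts_with_leaf "$WORK/yourdomain.bundle.crt"
echo "ssl_certificate     $WORK/yourdomain.bundle.crt;"
echo "ssl_certificate_key $WORK/server.key;"
```

The two echoed lines are the values to drop into the server block above; a mismatched key or an intermediate placed before the leaf makes the script exit non-zero instead.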
