Installing HTTPS/SSL certificate on Nginx

OK, this write-up is specific to GoDaddy certificates, since that is what I've been working with recently, but the steps below apply to any certificate provider.

First you need a Certificate Signing Request (CSR) for your domain. Generating it also produces a private key that is unique to you (your domain). If you already have one, reuse it! If you don't have a CSR yet, create one with the help of this link: https://www.digicert.com/easy-csr/openssl.htm

The link helps you build a terminal command similar to the one below (WARNING: do not use the command below as-is 😛; in case you didn't notice, the CN= part is for my domain. Use the link above to generate your own.)

openssl req -new -newkey rsa:2048 -sha256 -nodes -out star_mydomain_co_id.csr -keyout star_mydomain_co_id.key -subj '/C=ID/ST=Jakarta Barat/L=Jakarta/O=My Organization/OU=Web Administration/CN=*.mydomain.co.id'

After running the command you get a *.csr and a *.key file. The .csr file is the Certificate Signing Request; you will hand this file to your SSL provider later. The .key file is your private key, unique to you, and of course you MUST NOT share it with anyone.

Keep both files; we will need them later. Now use the generated Certificate Signing Request (*.csr) to order the SSL certificate from GoDaddy (or your provider). They will ask you to upload the CSR and will then give you a signed certificate file (.crt). Depending on the provider, they will also give you an intermediate/bundle certificate.

For example, GoDaddy gave me 2 files:

the-signed-domain-certificate.crt
gd_bundle.crt

Copy these files to your server. Nginx expects the signed certificate and the intermediate bundle in a single file, so combine them (server certificate first, then the bundle) with:

cat the-signed-domain-certificate.crt gd_bundle.crt > star.mydomain.intermediate.2014.01.01.crt

It is good practice to append the expiration date to the certificate file name. Save these files to a local path on your server; we usually use /opt/key/. Remember to change the permissions of the files to 600 (readable by root only).

Now go to your nginx sites-available config and add

server {
    listen          443;
    server_name     mydomain.co.id;

    # "ssl on;" is deprecated in newer nginx releases; "listen 443 ssl;" is the modern equivalent
    ssl on;
    # combined file: signed server certificate followed by the provider's intermediate bundle
    ssl_certificate         /opt/key/star.mydomain.intermediate.2014.01.01.crt;
    # private key generated together with the CSR; keep it mode 600
    ssl_certificate_key     /opt/key/star_mydomain_co_id.key;
}

Restart nginx and test your HTTPS site.
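Before restarting nginx it is worth checking that the three files belong together: the CSR, the signed certificate and the private key must all carry the same public key, and the combined file must start with the server certificate. The script below is an added example, not part of the original post; it assumes openssl is installed and uses the placeholder file names from the post.

```shell
#!/bin/sh
# Added example (not from the original post): sanity checks on the key,
# CSR and certificate files before pointing nginx at them.
set -eu

# Print a SHA-256 fingerprint of the public key held in a key, CSR or
# certificate, so the three can be compared; they must all match.
pubkey_fingerprint() {
  kind=$1; file=$2                       # kind: key | csr | crt
  case "$kind" in
    key) pub=$(openssl pkey -in "$file" -pubout) ;;
    csr) pub=$(openssl req  -in "$file" -noout -pubkey) ;;
    crt) pub=$(openssl x509 -in "$file" -noout -pubkey) ;;
    *)   echo "unknown kind: $kind" >&2; return 2 ;;
  esac
  [ -n "$pub" ] || return 1              # openssl failed: never compare empties
  printf '%s\n' "$pub" | openssl sha256 | awk '{print $NF}'
}

# Succeed only when the signed certificate was issued for this private key.
cert_matches_key() {
  a=$(pubkey_fingerprint crt "$1") && b=$(pubkey_fingerprint key "$2") &&
  [ -n "$a" ] && [ "$a" = "$b" ]
}

# Build the combined file nginx needs: server certificate first, then the
# provider's intermediate bundle. Fails if the first certificate in the
# result is not the server certificate (wrong cat order is a classic mistake).
build_chain() {
  server_crt=$1; bundle=$2; out=$3
  cat "$server_crt" "$bundle" > "$out"
  chmod 600 "$out"
  [ "$(openssl x509 -in "$out" -noout -subject)" = \
    "$(openssl x509 -in "$server_crt" -noout -subject)" ]
}

# Number of PEM certificates in a file; the combined file should hold
# 1 + the number of intermediates shipped in the bundle.
cert_count() { grep -c 'BEGIN CERTIFICATE' "$1"; }

# Typical use with the file names from the post (placeholders):
#   cert_matches_key the-signed-domain-certificate.crt star_mydomain_co_id.key
#   build_chain the-signed-domain-certificate.crt gd_bundle.crt \
#               star.mydomain.intermediate.2014.01.01.crt
```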

Update:
Since Google is phasing out legacy SSL certificates signed with SHA-1, here's a good article that will help you avoid the "Connection not Trusted" warning in future Google Chrome versions.

So, if you use GoDaddy, they will at first give you a SHA-1 intermediate certificate, but you can re-key your certificate to get a SHA-2 signed one. Here's GoDaddy's explanation of re-keying.

One comment

  1. bhumishah · March 5, 2015

    Nice post. I am looking for same.
