How To Add SSL Certificate on Your Nginx-Powered VPS
As we know, SSL (Secure Sockets Layer) and its successor, TLS (Transport Layer Security), are cryptographic protocols that secure communication over the Internet. They can be used to create a secure connection to a website.
This guide describes how to enable SSL/TLS encryption using a trusted SSL certificate to secure incoming and outgoing connections on an Nginx-powered server. Before you start, make sure that Nginx and OpenSSL are installed on your server. In this article, we’ll demonstrate the process by generating a self-signed SSL certificate.
Step 1: Create a directory for the certificate and private key
We’ll create a directory (and enter it) inside /etc/nginx (assuming that directory is Nginx’s config directory), by:
mkdir /etc/nginx/ssl
cd /etc/nginx/ssl # we'll perform our next few steps in this dir
Step 2: Create private key and CSR
Let’s start by creating the site’s private key. In this example, we’ll use a 2048-bit key, which is secure; a 4096-bit key is stronger. DO NOT USE A 1024-BIT PRIVATE KEY!
To activate an SSL certificate you need to submit a CSR (Certificate Signing Request) on your site. A CSR is a block of code with encrypted information about your company and domain name. By default, the openssl configuration for a CSR usually asks for the following details:
- Common Name (the domain name certificate should be issued for)
- Country (two-letter code)
- State (or province)
- Locality (or city)
- Organizational Unit (Department)
- E-mail address
CSRs for Apache or Nginx web servers are usually generated with openssl. It is normally included with a web server installation, so if you have a web server installed, you will hardly need to install openssl separately.
To generate a CSR, run the command below in a terminal:
openssl req -new -newkey rsa:2048 -nodes -keyout server.key -out server.csr
We recommend you replace ‘server’ with the domain name the certificate will be issued for to avoid further confusion.
The command starts the process of CSR and Private Key generation. The Private Key will be required for certificate installation.
You will be prompted to fill in the information about your Company and domain name.
It is strongly recommended to fill all the required fields in. If a field is left blank, the CSR can be rejected during activation. For certificates with domain validation it is not mandatory to specify Organization and Organization Unit – you may fill the fields with ‘NA’ instead. In the Common Name field you need to enter the domain name the certificate should be issued for.
Please use only English alphanumeric characters. Otherwise the CSR can be rejected by a Certificate Authority.
If the certificate should be issued for a specific subdomain, you need to specify the subdomain in Common Name. For example ‘sub1.ssl-certificate-host.com’.
In the case of wildcard certificates, the domain name should start with an asterisk, as in ‘*.ssl-certificate-host.com’.
Once all the requested information is filled in, you should have *.csr and *.key files in the folder where the command has been run.
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [AU]:US
State or Province Name (full name) [Some-State]:CA
Locality Name (eg, city) :LosAngeles
Organization Name (eg, company) [Internet Widgits Pty Ltd]:Example Inc
Organizational Unit Name (eg, section) :Security
Common Name (e.g. server FQDN or YOUR name) :*.example.com
Email Address :firstname.lastname@example.org

Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password :
An optional company name :
Now, we’re done making a self-signed certificate.
Step 3: Submit the CSR to your domain registrar / SSL provider
Refer to your SSL provider for specific instructions on installing your certificate.
Open the server.csr file:
Copy its contents and paste them into your SSL provider’s form. Once that is done, your SSL certificates will be issued.
Copy the intermediate certificate, the server certificate and your root certificate, and paste them into server.crt in the directory on the server where you’ll keep your certificate and key files.
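The checks below cover both the CSR from Step 2 and the combined server.crt from Step 3; they are an added example, not part of the original guide. Nginx treats the first certificate in the ssl_certificate file as the server certificate, so the script confirms that the CSR and the first certificate in the bundle both carry the public key of server.key. The subject values, the throwaway CA standing in for the SSL provider, and the function names are constructed for illustration.

```shell
#!/bin/sh
# Added example; all subjects, names and the CA below are constructed test data.

# same_pubkey KEY FILE KIND: does FILE (KIND = req or x509) carry KEY's public
# key? For a bundle, "openssl x509" reads only the first certificate, which is
# the one nginx pairs with ssl_certificate_key.
same_pubkey() {
    k=$(openssl pkey -in "$1" -pubout 2>/dev/null) || return 1
    p=$(openssl "$3" -in "$2" -noout -pubkey 2>/dev/null) || return 1
    [ -n "$k" ] && [ "$k" = "$p" ]
}

# check_csr KEY CSR: self-signature verifies, key is at least 2048 bits,
# and the CSR was generated from KEY.
check_csr() {
    openssl req -in "$2" -noout -verify 2>&1 | grep -q 'verify OK' || return 1
    bits=$(openssl req -in "$2" -noout -text 2>/dev/null |
        sed -n 's/.*Public-Key: (\([0-9]*\) bit.*/\1/p')
    [ "${bits:-0}" -ge 2048 ] || return 1
    same_pubkey "$1" "$2" req
}

# make_fixture DIR: Step 2's command with -subj instead of prompts, then a
# throwaway CA that signs the CSR (stand-in for the SSL provider).
make_fixture() {
    ( cd "$1" && umask 077 &&   # keep the private key unreadable to others
      openssl req -new -newkey rsa:2048 -nodes -keyout server.key \
          -out server.csr -subj "/C=US/ST=CA/O=Example Inc/CN=www.example.com" &&
      openssl req -x509 -newkey rsa:2048 -nodes -days 1 -keyout ca.key \
          -out ca.crt -subj "/CN=Constructed Test CA" &&
      openssl x509 -req -in server.csr -CA ca.crt -CAkey ca.key \
          -CAcreateserial -days 1 -out leaf.crt &&
      cat leaf.crt ca.crt > server.crt &&       # server certificate first
      cat ca.crt leaf.crt > wrong-order.crt     # first cert is not the server's
    ) >/dev/null 2>&1
}

# Run everything in a scratch directory so /etc/nginx/ssl is not touched.
demo() {
    d=$(mktemp -d) || return 1
    make_fixture "$d" && check_csr "$d/server.key" "$d/server.csr" &&
        same_pubkey "$d/server.key" "$d/server.crt" x509 &&
        ! same_pubkey "$d/server.key" "$d/wrong-order.crt" x509
    rc=$?; rm -rf "$d"; return $rc
}
demo && echo "CSR and bundle checks passed"
```

On a real server, point check_csr and same_pubkey at the files in /etc/nginx/ssl before editing the configuration in Step 4.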
Step 4: Modifying the existing configuration file
Edit the existing website configuration file of the web-server, which is named <your domain name>. It should be in :
Once you find it, open the file with:
Then copy and paste one of the server blocks for the 443 port given below and edit the directories according to your server block for the 80 port (with matching server name, path to webroot, and any important values you need).
# SSL configuration
#
listen 443 ssl;
ssl_certificate /etc/nginx/ssl/server.crt;
ssl_certificate_key /etc/nginx/ssl/server.key;
Step 5: Restart Nginx.
Then restart Nginx.
service nginx restart
Now, visit your website with an https address ( https://your.address.tld ). Your web browser will show a secure connection using your self-signed certificate.
The *.csr file contains the CSR code that you need to submit during certificate activation. It can be opened with a text editor. It usually looks like a block of code with the header “-----BEGIN CERTIFICATE REQUEST-----”. It is recommended to submit the CSR with the header and footer.
The *.key file is the private key, which will be used for decryption during SSL/TLS session establishment between a server and a client. It has the header “-----BEGIN RSA PRIVATE KEY-----”. Please make sure that the private key is saved, as it will be impossible to install the certificate on the server without it afterwards.
You can also check the SSL setup with the command:
openssl s_client -connect [your domain name]:443
It will show detailed information about your self-signed certificate.