Friday, June 9, 2017

Configure an SSL certificate on Nginx | Apply an SSL certificate to Nginx web server | SSL Certificate | Ubuntu

To apply an SSL certificate on Nginx, follow the steps below.

Before applying an SSL certificate, you need to obtain the certificate and generate a private key and CSR. Follow the link below for that, then continue with the steps below.


Now download your certificate as follows.

  • On your SSL certificate home page, click Download.
Note: Not in your SSL control panel? Log in to your domain panel registrar account, such as Comodo or GoDaddy.
  • Click SSL Certificates.
  • Complete step 1 above.
  • Select the Server type you want to install the certificate on.
  • Click Download ZIP file.

1. Create a directory inside the Nginx configuration directory named "ssl" (lowercase, to match the paths used in the steps below).


$ sudo mkdir /etc/nginx/ssl

2. Create a file inside the ssl directory named after your domain and enter the private key you generated using the above URL.

$ sudo vi /etc/nginx/ssl/www.example.com.key

Paste the private key into the www.example.com.key file. Keep this file readable only by root, since anyone who can read it can impersonate the site.

3. Now copy the "crt" file to the ssl directory on your server and rename it with your domain name, e.g. www.example.com.crt. You can use WinSCP to perform this task.

4. You now have to generate a set of 2048-bit Diffie-Hellman parameters using the command below.

Note: enter this command when you are in the "ssl" directory.

$ sudo openssl dhparam -out /etc/nginx/ssl/dhp-2048.pem 2048

5. Now edit the Nginx default site file as below.

$ sudo vi /etc/nginx/sites-available/default

Enter the configuration below.

server {
  server_name www.example.com;
  listen 80;
  listen [::]:80;
  listen 443 ssl;
  listen [::]:443 ssl;
  ssl_certificate /etc/nginx/ssl/www.example.com.crt;
  ssl_certificate_key /etc/nginx/ssl/www.example.com.key;
  ssl_session_cache shared:SSL:10m;
  ssl_session_timeout 10m;
  ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
  ssl_ciphers "ECDH+AESGCM:DH+AESGCM:ECDH+AES256:DH+AES256:ECDH+AES128:DH+AES:ECDH+3DES:DH+3DES:RSA+AESGCM:RSA+AES:RSA+3DES:!aNULL:!MD5:!DSS:!AES256";
  ssl_prefer_server_ciphers on;

  ssl_dhparam /etc/nginx/ssl/dhp-2048.pem;
}
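
The step 5 server block with its legacy settings tightened, as an added example that is not part of the original post: it keeps the post's paths and server name, drops TLS 1.0/1.1 and the 3DES, CBC and static-RSA suites, and moves port 80 into its own block that only redirects. It assumes an nginx build with TLS 1.3 support (nginx 1.13.0 or later with OpenSSL 1.1.1 or later); the cipher list is one reasonable choice, not the only one.

```nginx
# Added example, not the post's own configuration.

# Plain HTTP only redirects, so no content is served unencrypted.
server {
    listen 80;
    listen [::]:80;
    server_name www.example.com;
    return 301 https://$host$request_uri;
}

server {
    listen 443 ssl;
    listen [::]:443 ssl;
    server_name www.example.com;

    ssl_certificate     /etc/nginx/ssl/www.example.com.crt;
    ssl_certificate_key /etc/nginx/ssl/www.example.com.key;

    # Post's value: TLSv1 TLSv1.1 TLSv1.2.
    # TLS 1.0 and 1.1 are deprecated (RFC 8996), so they are removed here.
    # Assumption: the build supports TLSv1.3; delete it on older builds.
    ssl_protocols TLSv1.2 TLSv1.3;

    # Post's list allowed 3DES, CBC-mode AES and static-RSA key exchange.
    # Only forward-secret AEAD suites remain for TLS 1.2. TLS 1.3 suites
    # are not controlled by this directive.
    ssl_ciphers "ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384";
    ssl_prefer_server_ciphers on;

    # Still needed: the DHE-RSA suites above use these parameters (step 4).
    ssl_dhparam /etc/nginx/ssl/dhp-2048.pem;

    ssl_session_cache   shared:SSL:10m;
    ssl_session_timeout 10m;
}
```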


Now you need to update your server's CA certificates to make it work. Follow the steps below.

Given a CA certificate file foo.crt, follow these steps to install it on Ubuntu:

  • Create a directory for extra CA certificates in /usr/share/ca-certificates:

$ sudo mkdir /usr/share/ca-certificates/extra

  • Copy the CA .crt file to this directory:

$ sudo cp foo.crt /usr/share/ca-certificates/extra/foo.crt

  • Let Ubuntu add the .crt file's path relative to /usr/share/ca-certificates to /etc/ca-certificates.conf:

$ sudo dpkg-reconfigure ca-certificates

  • In case of a .pem file on Ubuntu, it must first be converted to a .crt file:

$ openssl x509 -in foo.pem -inform PEM -out foo.crt

Once done, restart the Nginx server with the sudo service nginx restart command.

Copyright © 2017 | Aayush Kamboj.