Nginx / Comodo PositiveSSL / CentOS 7

1. Before you purchase your SSL

Before you purchase an SSL certificate you’ll need a key file and a CSR (Certificate Signing Request).

# I always assume you are logged in as root
# ssh into server and run
openssl req -nodes -newkey rsa:2048 -keyout server_name.key -out server_name.csr

# you have now generated 2 files server_name.key and server_name.csr

cat server_name.csr

The certificate registrar is going to ask for the contents of your CSR file; just copy and paste what’s inside the file into the web form. Make sure you register with the domain name you plan on using. Purchase your SSL certificate; they’ll send your administrator an email to validate the request. Then wait for an email from Comodo with a zip file.

Within this zip file you’ll receive 4 files:

  • AddTrustExternalCARoot.crt – Root Cert
  • COMODORSAAddTrustCA.crt – Intermediate Cert
  • COMODORSADomainValidationSecureServerCA.crt – Intermediate Cert
  • server_name.crt – Your Positive Cert

2. Prep for installing SSL Cert

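# combine your crt files into a bundle for nginx (server certificate first)
# use > rather than >> so re-running the command does not append duplicate certificates

cat server_name.crt COMODORSADomainValidationSecureServerCA.crt COMODORSAAddTrustCA.crt AddTrustExternalCARoot.crt > server_name.ssl_bundle.crt

ls

# you should have server_name.ssl_bundle.crt
# copy files into place (you can move with mv or copy with cp)
cp server_name.ssl_bundle.crt /etc/ssl/certs/server_name.ssl_bundle.crt
# keep the private key directory and file readable by root only
mkdir -p -m 700 /etc/ssl/private
cp server_name.key /etc/ssl/private/server_name.key
chmod 600 /etc/ssl/private/server_name.key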
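
Before configuring Nginx, you can confirm that the key, CSR and bundle from steps 1 and 2 belong together: the first certificate in the bundle must carry the same public key as server_name.key. The script below is an added example, not part of the original page; its function names and the script name check_tls_files.sh are hypothetical.

```shell
#!/bin/sh
# Added example, not from the original page. Function names are hypothetical.

# Print the PEM public key held in a private key, CSR or certificate file.
# For a bundle, openssl x509 reads only the first certificate in the file.
pubkey_of() {
    case "$1" in
        key)  openssl pkey -in "$2" -pubout ;;
        csr)  openssl req  -in "$2" -noout -pubkey ;;
        cert) openssl x509 -in "$2" -noout -pubkey ;;
        *)    return 2 ;;
    esac 2>/dev/null
}

# same_pubkey KIND_A FILE_A KIND_B FILE_B
# Succeeds only if both files parse and carry the same public key.
same_pubkey() {
    a=$(pubkey_of "$1" "$2") || return 2
    b=$(pubkey_of "$3" "$4") || return 2
    [ -n "$a" ] && [ "$a" = "$b" ]
}

# Number of certificates in a PEM bundle (the page's bundle should hold 4).
cert_count() {
    grep -c -- '-----BEGIN CERTIFICATE-----' "$1"
}

# Succeeds if the file has no group or other permission bits set.
key_is_private() {
    [ "$(ls -ld "$1" | cut -c5-10)" = "------" ]
}

# Usage: sh check_tls_files.sh KEY CSR BUNDLE
if [ "$#" -eq 3 ]; then
    same_pubkey key "$1" csr "$2" ||
        { echo "FAIL: key does not match CSR" >&2; exit 1; }
    same_pubkey key "$1" cert "$3" ||
        { echo "FAIL: first certificate in bundle does not match key" >&2; exit 1; }
    [ "$(cert_count "$3")" -eq 4 ] ||
        echo "WARN: bundle does not contain exactly 4 certificates" >&2
    key_is_private "$1" ||
        echo "WARN: key is readable by group or other" >&2
    echo "OK: key, CSR and bundle are consistent"
fi
```

A count other than 4 usually means the bundle was built more than once with >> or a file was left out of the cat command.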

3. Installing the SSL Certificate

Now to configure Nginx.

    server {
        # "listen ... ssl" replaces the deprecated "ssl on;" directive
        listen       ip_address:443 ssl;
        server_name  example_com;

        ssl_certificate      /etc/ssl/certs/server_name.ssl_bundle.crt;
        ssl_certificate_key  /etc/ssl/private/server_name.key;

        ssl_session_cache    shared:SSL:1m;
        ssl_session_timeout  5m;

        # TLS 1.0 and 1.1 are deprecated (RFC 8996); offer TLS 1.2 only
        ssl_protocols   TLSv1.2;

        # RC4 is prohibited in TLS (RFC 7465); HIGH leaves out RC4 and export-grade suites
        ssl_ciphers  HIGH:!aNULL:!MD5;
        ssl_prefer_server_ciphers  on;

        location / {
            root   /html;
            index  index.html index.htm;
        }
    }

4. Restart Nginx

# check the configuration first, then restart
nginx -t && service nginx restart

To test your SSL configuration: https://www.ssllabs.com/ssltest/