1. Before you purchase your SSL
Before purchasing an SSL certificate you'll need a key file and a CSR (Certificate Signing Request).

```bash
# I always assume you are logged in as root
# ssh into server and run
openssl req -nodes -newkey rsa:2048 -keyout server_name.key -out server_name.csr

# you have now generated 2 files server_name.key and server_name.csr
cat server_name.csr
```
The certificate registrar is going to ask for the contents of your CSR file; just cut and paste what's inside the file into the web form. Only the CSR is submitted; the key file stays on your server. Make sure you register with the domain name you plan on using. Purchase your SSL; they'll send your administrator an email. Validate that, then wait for an email from Comodo with a zip file.
Within this zip file you’ll receive 4 files:
- AddTrustExternalCARoot.crt – Root Cert
- COMODORSAAddTrustCA.crt – Intermediate Cert
- COMODORSADomainValidationSecureServerCA.crt – Intermediate Cert
- server_name.crt – Your Positive Cert
2. Prep for installing SSL Cert
```bash
# combine your crt files into a bundle for nginx
# (server cert first, then the intermediates, then the root;
#  > overwrites, so re-running does not append a second copy)
cat server_name.crt COMODORSADomainValidationSecureServerCA.crt COMODORSAAddTrustCA.crt AddTrustExternalCARoot.crt > server_name.ssl_bundle.crt

ls
# you should have server_name.ssl_bundle.crt

# copy files into place (you can move mv or copy cp files)
cp server_name.ssl_bundle.crt /etc/ssl/certs/server_name.ssl_bundle.crt
mkdir -p /etc/ssl/private
cp server_name.key /etc/ssl/private/server_name.key
```
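A pre-flight check for the files produced in this step, as an added example that is not part of the original post: it confirms that the key belongs to the first certificate in the bundle, that the bundle is concatenated in issuing order, and that the key file is not readable by other users. The function names and the script name are hypothetical, and it assumes the `openssl` command-line tool is installed.

```shell
#!/bin/sh
# Added example (not from the original post); function names are hypothetical.

# key_matches_cert KEY BUNDLE
# The first certificate in BUNDLE is the one nginx serves as its own, so its
# public key must be the one derived from KEY.
key_matches_cert() {
    k=$(openssl pkey -in "$1" -pubout 2>/dev/null)
    c=$(openssl x509 -in "$2" -noout -pubkey 2>/dev/null)
    [ -n "$k" ] && [ "$k" = "$c" ]
}

# chain_in_order BUNDLE
# Split BUNDLE into single certificates and require that each one's issuer
# is the subject of the next (server cert, intermediates, then root).
chain_in_order() {
    d=$(mktemp -d) || return 2
    awk -v d="$d" '/-----BEGIN CERTIFICATE-----/ { n++ }
                   n { print > (d "/" n ".pem") }' "$1"
    i=1; rc=0
    [ -f "$d/1.pem" ] || rc=1            # no certificate found at all
    while [ -f "$d/$((i + 1)).pem" ]; do
        iss=$(openssl x509 -in "$d/$i.pem" -noout -issuer 2>/dev/null | sed 's/^issuer= *//')
        sub=$(openssl x509 -in "$d/$((i + 1)).pem" -noout -subject 2>/dev/null | sed 's/^subject= *//')
        if [ -z "$iss" ] || [ "$iss" != "$sub" ]; then
            echo "certificate $i is not issued by certificate $((i + 1))" >&2
            rc=1
        fi
        i=$((i + 1))
    done
    rm -rf "$d"
    return "$rc"
}

# key_is_private KEY: the key file must not be accessible to group or others.
key_is_private() {
    case $(ls -ld "$1") in
        -???------*) return 0 ;;
        *) return 1 ;;
    esac
}

# Usage: sh check_bundle.sh server_name.key server_name.ssl_bundle.crt
if [ "$#" -eq 2 ]; then
    key_matches_cert "$1" "$2" || { echo "key does not match first certificate" >&2; exit 1; }
    chain_in_order "$2" || exit 1
    key_is_private "$1" || { echo "key is readable by group or others" >&2; exit 1; }
    echo "key and bundle look consistent"
fi
```

If the last check fails, `chmod 600` on the key file fixes it.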
3. Installing the SSL Certificate
Now to configure Nginx.
```nginx
server {
    # "ssl" on the listen line replaces the deprecated "ssl on;" directive
    listen ip_address:443 ssl;
    server_name example_com;

    ssl_certificate /etc/ssl/certs/server_name.ssl_bundle.crt;
    ssl_certificate_key /etc/ssl/private/server_name.key;

    ssl_session_cache shared:SSL:1m;
    ssl_session_timeout 5m;

    # TLS 1.0 and 1.1 are deprecated (RFC 8996)
    ssl_protocols TLSv1.2;
    # RC4 is prohibited in TLS (RFC 7465), so it is excluded rather than preferred
    ssl_ciphers ALL:!aNULL:!ADH:!eNULL:!LOW:!EXP:!RC4:+HIGH:+MEDIUM;
    ssl_prefer_server_ciphers on;

    location / {
        root /html;
        index index.html index.htm;
    }
}
```
4. Restart Nginx
```bash
service nginx restart
```
To test your SSL configuration: https://www.ssllabs.com/ssltest/