Nginx SSL Administration Linux
Introduction
When ordering an SSL certificate you must supply a Certificate Signing Request (CSR). The CSR is generated from a private key, so the key always comes first.
If you want to generate the private key yourself, follow Generating CSR for certificate ordering and afterwards Installation of SSL certificate.
If you already have the private key and the certificate, go straight to Installation of SSL certificate.
This guide is created using OpenSSL 1.1.1f and Nginx 1.18.0 with default settings.
This guide describes how to create, install and configure SSL in Nginx on Linux.
This guide fits Ubuntu, Red Hat, CentOS, etc. Minor changes to paths and commands may be needed on other distributions: the sites-available/sites-enabled layout used below comes from the Debian/Ubuntu packages, while the Red Hat/CentOS packages read site configurations from /etc/nginx/conf.d instead.
- Run the following command to see which version of OpenSSL is installed:
openssl version
- Run the following command to see which version of Nginx is installed:
nginx -v
- You can generate an SSL configuration text with the Mozilla SSL Configuration Generator (select nginx and the versions you found above) and then modify it to fit your server.
You can choose between the following profiles. We recommend Intermediate unless you have a specific reason to select something else, and we recommend that you do not activate HSTS unless you are sure you know what you are doing.
- Modern: Higher security but lower compatibility, as it excludes older browsers and clients.
Recommended if all clients are known, e.g. on an internal website.
- Intermediate: A balance between medium-high security and high compatibility.
Generally recommended for servers that are accessed by unknown clients, e.g. a webshop. It gives good security while still allowing slightly older clients to access the website.
- Old: Low security, highest compatibility.
Only recommended if compatibility matters more than security, as it re-enables abandoned SSL/TLS versions and cipher suites with known weaknesses.
- HSTS (HTTP Strict Transport Security) is a header from the server telling the client that the DNS name may only be accessed through HTTPS from now on. The client remembers this for as long as max-age says, even if the header is later removed from the server, so a mistake cannot be undone quickly: clients that have already cached the policy refuse plain HTTP for that host until their max-age runs out, and the only way to shorten it is to keep serving HTTPS and send a new header with max-age=0, which only reaches clients that come back.
Follow a thorough guide, be conservative, and run with a max-age of 300 seconds (5 minutes) for at least a week before raising it gradually.
Watch out for includeSubDomains and preload: only use them when every subdomain is already running HTTPS, because the policy then covers all of them, and removal from the browser preload lists takes months.
- OCSP Stapling: It is definitely advantageous to activate OCSP stapling. The server fetches the revocation status of its own certificate from the CA's OCSP responder at regular intervals and delivers ("staples") it to the client in the TLS handshake, instead of each client having to query the CA itself on every connection. In nginx this needs ssl_stapling on, ssl_stapling_verify on together with an ssl_trusted_certificate file holding the issuer chain, and a resolver directive so nginx can look up the OCSP responder's hostname.
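As an added example (not from the original guide), the following shell script prints a complete nginx site file using the Intermediate profile discussed above: the HTTP-to-HTTPS redirect, the certificate paths used later in this guide, OCSP stapling, and HSTS left commented out with the conservative max-age. It also contains a small audit function that flags, in an existing configuration, the settings the profile forbids. Assumptions: the cipher list is Mozilla's intermediate list for nginx 1.18 with OpenSSL 1.1.1; the issuer-chain path /etc/ssl/certs/SITE.issuers.pem, the web root and the local resolver 127.0.0.1 are placeholders to adjust.

```sh
#!/bin/sh
# Render an nginx site configuration with the Intermediate profile and audit a
# configuration file for settings the profile forbids. Added example, not from
# the original guide. Assumed paths: certificates under /etc/ssl/private,
# issuer chain for OCSP verification at /etc/ssl/certs/SITE.issuers.pem.

# render_site_config SITE WEBROOT: print a complete site file to stdout.
render_site_config() {
    cat <<EOF
server {
    listen 80;
    listen [::]:80;
    server_name $1;
    return 301 https://\$host\$request_uri;
}

server {
    listen 443 ssl http2;
    listen [::]:443 ssl http2;
    server_name $1;
    root $2;

    ssl_certificate     /etc/ssl/private/$1.pem;   # server certificate + intermediate
    ssl_certificate_key /etc/ssl/private/$1.key;
    ssl_dhparam         /etc/ssl/private/dhparam.pem;

    ssl_session_timeout 1d;
    ssl_session_cache   shared:SSL:10m;
    ssl_session_tickets off;

    # Intermediate profile: TLS 1.2 and 1.3 only, AEAD suites with forward secrecy.
    ssl_protocols TLSv1.2 TLSv1.3;
    ssl_ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384;
    ssl_prefer_server_ciphers off;

    # OCSP stapling: nginx fetches the status itself, so it needs a resolver
    # and the issuer chain (intermediate + root) to verify the response.
    ssl_stapling on;
    ssl_stapling_verify on;
    ssl_trusted_certificate /etc/ssl/certs/$1.issuers.pem;
    resolver 127.0.0.1 valid=300s;

    # HSTS: left disabled. When you enable it, start with max-age=300 and
    # raise it only after the site has run on HTTPS without problems.
    # add_header Strict-Transport-Security "max-age=300" always;
}
EOF
}

# audit_tls_config FILE: return 1 and report if an active (uncommented)
# directive allows SSLv3/TLS 1.0/TLS 1.1, or staples OCSP without verifying it.
audit_tls_config() {
    a_bad=0
    if grep -Eq '^[[:space:]]*ssl_protocols[^;]*(SSLv2|SSLv3|TLSv1|TLSv1\.1)[[:space:];]' "$1"; then
        echo "$1: ssl_protocols enables a protocol below TLS 1.2" >&2; a_bad=1
    fi
    if grep -Eq '^[[:space:]]*ssl_stapling[[:space:]]+on' "$1" &&
       ! grep -Eq '^[[:space:]]*ssl_stapling_verify[[:space:]]+on' "$1"; then
        echo "$1: ssl_stapling on without ssl_stapling_verify on" >&2; a_bad=1
    fi
    return $a_bad
}

# Demo: write the rendered config to a scratch file and audit it.
WORK=$(mktemp -d)
render_site_config www.fairssl.dk /var/www/www.fairssl.dk > "$WORK/www.fairssl.dk.conf"
audit_tls_config "$WORK/www.fairssl.dk.conf" && echo "$WORK/www.fairssl.dk.conf: no findings"
```

Redirect the output of render_site_config into /etc/nginx/sites-available/SITE.conf to use it; audit_tls_config can be run against any existing site file before a reload.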
Generating CSR for certificate ordering
In this example we use a single DNS name, which works for both standard and SAN certificates; for a wildcard certificate the Common Name is replaced with *.fairssl.dk.
To be able to generate the CSR and complete the order you will need the following information:
- Common Name (CN): The primary fully qualified domain name. e.g.: www.fairssl.dk
- Organization Name (O): The full company name, exactly as presented in CVR. e.g.: FairSSL A/S (is only required for OV and EV certificates)
- Organizational Unit (OU): Historically the department using the certificate; it must not contain the name of another company. The field is no longer used by the CAs and should be left empty.
- Locality (L): City name. e.g.: Ørum Djurs
- State (S): State or municipality, in Denmark the municipality is used. e.g.: Norddjurs
- Country (C): ISO-standard two-letter country code, must be capitalised. e.g.: DK
We use OpenSSL to create the private key and the CSR. On Ubuntu, Red Hat and CentOS the OpenSSL package installs the openssl binary in /usr/bin (run command -v openssl to see which one you are using); a build from source lands in /usr/local/ssl/bin for OpenSSL 1.0.x and in /usr/local/bin for 1.1.1 by default.
Generating private key
- Login to the server with an administrator account.
- Run the following command to generate 2048-bit Diffie-Hellman parameters. They are used by the DHE cipher suites in the Intermediate profile, and the command can take several minutes:
sudo openssl dhparam -out /etc/ssl/private/dhparam.pem 2048
- Run the following command to generate a private 2048-bit RSA key without a passphrase (nginx must be able to read the key at start-up without anyone typing a password):
sudo openssl genrsa -out /etc/ssl/private/www.fairssl.dk.key 2048
We create the private key in /etc/ssl/private/ because it is a protected directory created specifically for this purpose. Check with ls -l that the key file is readable by root only (chmod 600 if it is not).
Do not ever send the private key to us in an email.
The private key file should be kept secure and should never leave the server. Smaller keys such as RSA 1024-bit are no longer accepted by the CAs.
Generating CSR
- Run the following command to create a CSR with the private key you created:
sudo openssl req -new -key /etc/ssl/private/www.fairssl.dk.key -out /etc/ssl/private/www.fairssl.dk.csr
Enter the information you collected earlier for the certificate, each field followed by [ENTER]; remember that Country Name has to be capitalised. Leave Organizational Unit Name and the last three fields empty, as shown below:
Country Name: DK
State or Province Name: Norddjurs
Locality Name: Ørum Djurs
Organization Name: FairSSL A/S
Organizational Unit Name:
Common Name: www.fairssl.dk
Email Address:
A Challenge Password:
An Optional Company Name:
- You can confirm that your CSR is generated correctly with the following command:
sudo openssl req -noout -text -in /etc/ssl/private/www.fairssl.dk.csr
- Open the CSR file with a text editor (e.g. sudo nano /etc/ssl/private/www.fairssl.dk.csr) and copy the entire text, incl. all the dashes at the beginning and end.
Insert the copied text in the CSR field during the certificate ordering.
The following is an example of a complete CSR text:
A CSR contains only the public key and the subject fields you entered, no private information, so there is no security risk in sending the CSR to us through unencrypted email.
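The same procedure done non-interactively, as an added example that is not part of the original guide: the key and CSR are generated with the subject fields above on the command line, the CN is also listed as a subjectAltName (browsers ignore the CN and only look at the SAN list), and the CSR is then checked against the key before it is pasted into the order. Assumptions: OpenSSL 1.1.1 or later (for -addext), and a scratch directory instead of /etc/ssl/private for the demo run.

```sh
#!/bin/sh
# Generate an RSA private key and a CSR non-interactively, then check that
# the CSR really belongs to the key and carries the expected names.
# Added example, not part of the original guide. Assumptions: OpenSSL 1.1.1
# or later (for -addext); the subject fields are FairSSL's example values.

# gen_key KEYFILE BITS: RSA key, refuses anything below 2048 bits.
gen_key() {
    if [ "$2" -lt 2048 ]; then
        echo "refusing to create a ${2}-bit key: CAs require at least 2048" >&2
        return 1
    fi
    # Subshell so the restrictive umask (file mode 0600) does not leak out.
    ( umask 077 && openssl genrsa -out "$1" "$2" 2>/dev/null )
}

# key_bits KEYFILE: print the modulus size, e.g. 2048.
key_bits() {
    openssl rsa -in "$1" -noout -text 2>/dev/null |
        sed -n 's/^.*Private-Key: (\([0-9]*\) bit.*$/\1/p'
}

# gen_csr KEYFILE CSRFILE CN [EXTRA_DNS...]: CSR with the CN also listed as a
# subjectAltName; extra names become additional SAN entries.
gen_csr() {
    csr_key=$1; csr_out=$2; csr_cn=$3; shift 3
    csr_san="DNS:$csr_cn"
    for csr_extra in "$@"; do csr_san="$csr_san,DNS:$csr_extra"; done
    # A "/" inside a value (A/S) must be escaped as "\/" in -subj.
    openssl req -new -utf8 -key "$csr_key" -out "$csr_out" \
        -subj "/C=DK/ST=Norddjurs/L=Ørum Djurs/O=FairSSL A\/S/CN=$csr_cn" \
        -addext "subjectAltName=$csr_san"
}

# verify_csr KEYFILE CSRFILE CN: 0 only if the CSR's self-signature is valid,
# its public key is the one derived from KEYFILE, and CN and SAN contain CN.
verify_csr() {
    # Check the text rather than the exit code: OpenSSL 1.1.1 exits 0 on failure.
    if ! openssl req -in "$2" -noout -verify 2>&1 | grep -q 'verify OK'; then
        echo "CSR signature does not verify" >&2; return 1
    fi
    v_kpub=$(openssl pkey -in "$1" -pubout 2>/dev/null)
    v_cpub=$(openssl req -in "$2" -noout -pubkey 2>/dev/null)
    if [ -z "$v_kpub" ] || [ "$v_kpub" != "$v_cpub" ]; then
        echo "CSR public key does not match $1" >&2; return 1
    fi
    if ! openssl req -in "$2" -noout -subject | grep -q "CN *= *$3"; then
        echo "CSR subject CN is not $3" >&2; return 1
    fi
    if ! openssl req -in "$2" -noout -text | grep -q "DNS:$3"; then
        echo "CSR has no subjectAltName for $3" >&2; return 1
    fi
}

# Demo in a scratch directory; for a real order use /etc/ssl/private.
SITE=www.fairssl.dk
WORK=$(mktemp -d)
gen_key "$WORK/$SITE.key" 2048
gen_csr "$WORK/$SITE.key" "$WORK/$SITE.csr" "$SITE" fairssl.dk
verify_csr "$WORK/$SITE.key" "$WORK/$SITE.csr" "$SITE" && echo "CSR OK: $WORK/$SITE.csr"
```

The public-key comparison is the check that matters most: a CSR generated from the wrong key produces a certificate that nginx will refuse to load against the key you kept.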
Installation of SSL certificate
If your server is already active and you have sites configured on it, follow Server with existing sites
If you do not have any sites configured on your server, e.g. at a fresh installation, follow Server without existing sites
Server with existing sites
- Login to the server with an administrator account.
- Create a file in the directory where your private key is located, named after your website (e.g. /etc/ssl/private/www.fairssl.dk.pem):
Copy the entire text of your SSL certificate from the mail into the file, incl. all the dashes.
Then copy the entire text of the intermediate certificate into the same file, after the server certificate, so it ends up looking like the following example, and save the file. The order matters: nginx sends the certificates in file order, and the server certificate must come first.
- If your private key is located in a different place, e.g. if you have used our CSR-service, move it into /etc/ssl/private/ with the following command:
sudo mv ./www.fairssl.dk.key /etc/ssl/private/www.fairssl.dk.key
- Navigate to /etc/nginx/sites-available and use a text editor to open the configuration file for the website that is to use the new certificate (e.g. sudo nano www.fairssl.dk.conf)
Copy the settings you created in the Introduction into the file and edit it so it fits your website.
- Replace the first server { listen 80 ... } section with the following text if you wish to redirect all traffic from HTTP to HTTPS (note that nginx directive names are lowercase):
server {
listen 80 default_server;
listen [::]:80 default_server;
server_name _;
return 301 https://$host$request_uri;
}
If you do not want every hostname to be redirected, remove default_server from the listen lines and replace the _ in server_name with the specific DNS name you wish to redirect, e.g. www.fairssl.dk
The redirect changes http://www.fairssl.dk/side/?var=1 to https://www.fairssl.dk/side/?var=1.
- Save the configuration file.
Remember to create a link in sites-enabled with the following command if it is a new configuration file:
sudo ln -s /etc/nginx/sites-available/www.fairssl.dk.conf /etc/nginx/sites-enabled/
- If you have more than one website, repeat steps 1 through 6 for each.
Remember to change root, server_name, ssl_certificate and ssl_certificate_key so they fit the respective websites.
- Test that the Nginx configuration is still valid:
sudo nginx -t
If an error is reported it must be fixed before you continue; nginx -t prints the file and line number of the problem, and the error log has further details.
- Reload the Nginx server to activate the changes (a reload keeps serving requests while the new configuration is loaded):
sudo /etc/init.d/nginx reload
On systemd-based systems you can use sudo systemctl reload nginx instead.
We recommend that you test the installation with our server tester at https://www.fairssl.net/en/ssltest
Server without existing sites
- Login to the server with an administrator account.
- Create a file in the directory where your private key is located, named after your website (e.g. /etc/ssl/private/www.fairssl.dk.pem):
Copy the entire text of your SSL certificate from the mail into the file, incl. all the dashes.
Then copy the entire text of the intermediate certificate into the same file, after the server certificate, so it ends up looking like the following example, and save the file. The order matters: nginx sends the certificates in file order, and the server certificate must come first.
- If your private key is located in a different place, e.g. if you have used our CSR-service, move it into /etc/ssl/private/ with the following command:
sudo mv ./www.fairssl.dk.key /etc/ssl/private/www.fairssl.dk.key
- Navigate to /etc/nginx/sites-available and copy default to a new file, name the file after the website it is to be the configuration for.
sudo cp /etc/nginx/sites-available/default /etc/nginx/sites-available/www.fairssl.dk.conf
- Open the new file with a text editor (e.g. sudo nano www.fairssl.dk.conf)
Copy the settings you created in the Introduction into the file and edit it so it fits your website.
- Replace the first server { listen 80 ... } section with the following text if you wish to redirect all traffic from HTTP to HTTPS (note that nginx directive names are lowercase):
server {
listen 80 default_server;
listen [::]:80 default_server;
server_name _;
return 301 https://$host$request_uri;
}
If you do not want every hostname to be redirected, remove default_server from the listen lines and replace the _ in server_name with the specific DNS name you wish to redirect, e.g. www.fairssl.dk
The redirect changes http://www.fairssl.dk/side/?var=1 to https://www.fairssl.dk/side/?var=1.
- Save the configuration file.
Remember to create a link in sites-enabled with the following command if it is a new configuration file:
sudo ln -s /etc/nginx/sites-available/www.fairssl.dk.conf /etc/nginx/sites-enabled/
- Remove default from sites-enabled so it doesn't cause issues later:
sudo rm /etc/nginx/sites-enabled/default
- If you have more than one website, repeat steps 1 through 7 for each.
Remember to change root, server_name, ssl_certificate and ssl_certificate_key so they fit the respective websites.
Remove default_server from the listen lines in the additional sites, as there can only be one default website per port.
- Test that the Nginx configuration is valid:
sudo nginx -t
If an error is reported it must be fixed before you continue; nginx -t prints the file and line number of the problem, and the error log has further details.
- Reload the Nginx server to activate the changes (a reload keeps serving requests while the new configuration is loaded):
sudo /etc/init.d/nginx reload
On systemd-based systems you can use sudo systemctl reload nginx instead.
We recommend that you test the installation with our server tester at https://www.fairssl.net/en/ssltest
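The checks below cover both Server with existing sites and Server without existing sites: before nginx -t and the reload, they confirm that the combined .pem file has the server certificate first, that this certificate matches the private key, and that the chain verifies up to a trusted root. This is an added example, not from the original guide. make_demo_chain builds a throwaway root, intermediate and server certificate, constructed for the demo only, so the checks can be run offline; the optional root argument of verify_install exists only for such a self-made chain, and with a real certificate you leave it out so the system trust store is used.

```sh
#!/bin/sh
# Pre-reload checks for the combined certificate file and its private key:
# right order (server certificate first), key matches, chain verifies.
# Added example, not part of the original guide; the demo CA is constructed.

# build_chain SERVER.crt INTERMEDIATE.crt OUT.pem: nginx sends the certificates
# in file order, so the server certificate comes first and the root is left out.
build_chain() {
    cat "$1" "$2" > "$3"
}

# cert_count PEMFILE: number of certificates in the file.
cert_count() {
    grep -c 'BEGIN CERTIFICATE' "$1"
}

# key_matches_cert KEYFILE PEMFILE: 0 if the FIRST certificate in PEMFILE
# carries the public key of KEYFILE (openssl x509 reads only the first one).
key_matches_cert() {
    m_kpub=$(openssl pkey -in "$1" -pubout 2>/dev/null)
    m_cpub=$(openssl x509 -in "$2" -noout -pubkey 2>/dev/null)
    [ -n "$m_kpub" ] && [ "$m_kpub" = "$m_cpub" ]
}

# first_cert_is_for SITE PEMFILE: 0 if the first certificate names SITE in its
# CN or subjectAltName; catches a file with the intermediate pasted first.
first_cert_is_for() {
    openssl x509 -in "$2" -noout -text 2>/dev/null | grep -Eq "(DNS:|CN *= *)$1([ ,]|\$)"
}

# chain_verifies PEMFILE [ROOT.crt]: 0 if the first certificate chains to a
# trusted root through the intermediates in the same file. Without ROOT the
# system trust store is used, which is what you want for a real certificate.
chain_verifies() {
    if [ -n "$2" ]; then
        openssl verify -CAfile "$2" -untrusted "$1" "$1" >/dev/null 2>&1
    else
        openssl verify -untrusted "$1" "$1" >/dev/null 2>&1
    fi
}

# verify_install SITE KEYFILE PEMFILE [ROOT.crt]: run all checks, 0 if all pass.
verify_install() {
    n=$(cert_count "$3")
    [ "$n" -ge 2 ] || { echo "$3: expected server + intermediate cert, found $n" >&2; return 1; }
    first_cert_is_for "$1" "$3" || { echo "$3: first certificate is not for $1 (wrong order?)" >&2; return 1; }
    key_matches_cert "$2" "$3" || { echo "$3: first certificate does not match $2" >&2; return 1; }
    chain_verifies "$3" "$4" || { echo "$3: chain does not verify" >&2; return 1; }
    echo "$3: OK for $1"
}

# make_demo_chain DIR SITE: constructed test CA (root -> intermediate -> server)
# for offline demonstration only; never use a self-made chain in production.
make_demo_chain() {
    d=$1; s=$2
    printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign,cRLSign\n' > "$d/ca.ext"
    printf 'basicConstraints=CA:FALSE\nsubjectAltName=DNS:%s\n' "$s" > "$d/leaf.ext"
    openssl req -new -newkey rsa:2048 -nodes -keyout "$d/root.key" -out "$d/root.csr" \
        -subj "/CN=Demo Root" 2>/dev/null
    openssl x509 -req -in "$d/root.csr" -signkey "$d/root.key" -days 30 \
        -extfile "$d/ca.ext" -out "$d/root.crt" 2>/dev/null
    openssl req -new -newkey rsa:2048 -nodes -keyout "$d/int.key" -out "$d/int.csr" \
        -subj "/CN=Demo Intermediate" 2>/dev/null
    openssl x509 -req -in "$d/int.csr" -CA "$d/root.crt" -CAkey "$d/root.key" -CAcreateserial \
        -days 30 -extfile "$d/ca.ext" -out "$d/int.crt" 2>/dev/null
    openssl genrsa -out "$d/$s.key" 2048 2>/dev/null
    openssl req -new -key "$d/$s.key" -subj "/CN=$s" -out "$d/$s.csr" 2>/dev/null
    openssl x509 -req -in "$d/$s.csr" -CA "$d/int.crt" -CAkey "$d/int.key" -CAcreateserial \
        -days 30 -extfile "$d/leaf.ext" -out "$d/$s.crt" 2>/dev/null
}

# Demo: the correctly ordered file passes, the intermediate-first file is rejected.
SITE=www.fairssl.dk
WORK=$(mktemp -d)
make_demo_chain "$WORK" "$SITE"
build_chain "$WORK/$SITE.crt" "$WORK/int.crt" "$WORK/$SITE.pem"
verify_install "$SITE" "$WORK/$SITE.key" "$WORK/$SITE.pem" "$WORK/root.crt"
build_chain "$WORK/int.crt" "$WORK/$SITE.crt" "$WORK/wrong-order.pem"
verify_install "$SITE" "$WORK/$SITE.key" "$WORK/wrong-order.pem" "$WORK/root.crt" || echo "rejected as expected"
```

For a real installation run verify_install www.fairssl.dk /etc/ssl/private/www.fairssl.dk.key /etc/ssl/private/www.fairssl.dk.pem (no root argument) before sudo nginx -t; a mismatch here is the same error nginx would otherwise report only at reload time.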
Intermediate certificates
Here you can find the intermediate certificates from the different Certificate Authorities.
We recommend that you use the intermediate certificate you received together with your server certificate, since the one in the mail is always the correct one for that server certificate; only download from here if you have lost it.