This post describes how to set up a server block on nginx with a Thawte SSL123 certificate.
This how-to can of course also be used with other SSL vendors (Comodo, DigiCert, …), but you’ll have to change some steps of course 🙂
First, we’ll start with the certificate request.
To create your request, use the openssl command:
```sh
openssl req -newkey rsa:2048 -nodes -keyout www.securedomain.com.pem -out www.securedomain.com.csr
```
And follow the CSR generation prompts:
```
Generating a 2048 bit RSA private key
.......................................................+++
..............................+++
writing new private key to 'www.securedomain.com.pem'
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [AU]:BE
State or Province Name (full name) [Some-State]:VL
Locality Name (eg, city) []:Brussels
Organization Name (eg, company) [Internet Widgits Pty Ltd]:IT Company Name
Organizational Unit Name (eg, section) []:IT Dpt
Common Name (e.g. server FQDN or YOUR name) []:www.securedomain.com
Email Address []:it@securedomain.com

Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:
An optional company name []:
```
Now, if you look inside your CSR file, you’ll see something like:
```
-----BEGIN CERTIFICATE REQUEST-----
...
...
...
-----END CERTIFICATE REQUEST-----
```
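The same request can be generated without the interactive prompts and checked before it goes to the CA: that the CN is the hostname you expect, that the key really is 2048 bits and that the request's own signature is intact. The script below is an added example, not part of the original post; it assumes `openssl` is on the PATH, reuses the DN values from the prompts above, and derives the `it@` mailbox from the domain (an assumption, as is the output directory).

```shell
#!/bin/sh
# Added example (not from the original post): generate the CSR non-interactively
# and inspect it before sending it to the CA. Assumes openssl is on PATH.
set -eu

# make_csr DOMAIN OUTDIR: writes OUTDIR/DOMAIN.pem (private key) and OUTDIR/DOMAIN.csr.
# The DN values are the ones typed interactively in the post; -subj replaces the prompts.
make_csr() {
    domain="$1"; outdir="$2"
    mkdir -p "$outdir"
    # -nodes leaves the key unencrypted because nginx cannot prompt for a passphrase
    # at startup, so the key file has to be protected by file permissions instead.
    openssl req -newkey rsa:2048 -nodes -sha256 \
        -keyout "$outdir/$domain.pem" -out "$outdir/$domain.csr" \
        -subj "/C=BE/ST=VL/L=Brussels/O=IT Company Name/OU=IT Dpt/CN=$domain/emailAddress=it@${domain#www.}" \
        >/dev/null 2>&1
    chmod 600 "$outdir/$domain.pem"
}

# csr_common_name CSR: prints the CN in the request (the name the CA will put in the cert).
# RFC2253 output is requested so the parsing works on both old and new openssl versions.
csr_common_name() {
    openssl req -in "$1" -noout -subject -nameopt RFC2253 | sed -n 's/.*CN=\([^,]*\).*/\1/p'
}

# csr_key_bits CSR: prints the RSA key size embedded in the request.
csr_key_bits() {
    openssl req -in "$1" -noout -text | grep -oE 'Public-Key: \([0-9]+ bit\)' | tr -dc '0-9'
}

# csr_verify CSR: succeeds only if the request's self-signature is valid,
# i.e. the file was not corrupted while being copied around.
csr_verify() {
    openssl req -in "$1" -noout -verify >/dev/null 2>&1
}

# Usage: sh make-csr.sh www.securedomain.com ./ssl
if [ $# -eq 2 ]; then
    make_csr "$1" "$2"
    echo "CN:       $(csr_common_name "$2/$1.csr")"
    echo "key bits: $(csr_key_bits "$2/$1.csr")"
    csr_verify "$2/$1.csr" && echo "CSR signature: OK"
fi
```

The `chmod 600` matters because `-nodes` writes the private key in the clear; anyone who can read that file can impersonate the site.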
Now it’s time to go and buy your certificate at your favorite SSL reseller…
Make sure you have a mailbox the reseller can send the certificate approval email to (usually admin@securedomain.com, or webmaster@, hostmaster@, administrator@, …).
Once you have received your SSL certificate from Thawte, create a new file, www.securedomain.com.crt, and paste the certificate into it.
Thawte has upgraded their root hierarchy to 2048-bit RSA keys, so you also need to serve the intermediate CA certificate; otherwise older web browsers cannot build a chain to a root they trust. For the nginx web server you can download the bundle from Thawte with:
```sh
wget https://search.thawte.com/library/VERISIGN/ALL_OTHER/thawte%20ca/SSL123_CA_Bundle.pem
```
Once you have this file, append its contents to the end of your crt file:
```sh
cat SSL123_CA_Bundle.pem >> www.securedomain.com.crt
```
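Before wiring the files into nginx it is worth checking that the key and the certificate belong together, that the concatenated file starts with the server certificate (nginx sends the first certificate in the file as the server certificate and the rest as the chain), and that the chain actually verifies up to a root. Thawte's bundle cannot be fetched in an offline example, so the script below, an added example and not code from the original post, builds a throwaway root, intermediate and server certificate of its own and runs the same checks on them; `openssl` on the PATH is assumed, and the file names, the test CA names and the `--demo` switch are all made up here.

```shell
#!/bin/sh
# Added example (not from the original post): sanity checks for the key,
# certificate and CA bundle before they go into the nginx server block.
# Assumes openssl is on PATH; all file and CA names are made up for the demo.
set -eu

# cert_key_match CERT KEY: succeeds if the public key inside CERT is the one
# derived from the private key in KEY (a mismatch makes nginx refuse to start).
cert_key_match() {
    from_cert=$(openssl x509 -in "$1" -noout -pubkey 2>/dev/null)
    from_key=$(openssl pkey -in "$2" -pubout 2>/dev/null)
    [ -n "$from_cert" ] && [ "$from_cert" = "$from_key" ]
}

# bundle_first_cn FILE: CN of the first certificate in FILE. nginx sends the
# first certificate as the server certificate, so it must be the leaf.
bundle_first_cn() {
    openssl x509 -in "$1" -noout -subject -nameopt RFC2253 | sed -n 's/.*CN=\([^,]*\).*/\1/p'
}

# bundle_cert_count FILE: number of PEM certificates in FILE (leaf + intermediates).
bundle_cert_count() {
    grep -c 'BEGIN CERTIFICATE' "$1"
}

# chain_verify ROOT FILE: verify the first certificate of FILE up to ROOT, using
# the remaining certificates in FILE as untrusted intermediates, which is what
# a client does with the chain nginx serves.
chain_verify() {
    openssl verify -CAfile "$1" -untrusted "$2" "$2" >/dev/null 2>&1
}

# make_test_pki DIR DOMAIN: constructed root -> intermediate -> server chain,
# a stand-in for Thawte's hierarchy so the checks can run offline.
make_test_pki() {
    dir="$1"; domain="$2"
    mkdir -p "$dir"
    printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign,cRLSign\n' > "$dir/ca.ext"
    printf 'basicConstraints=CA:FALSE\nsubjectAltName=DNS:%s\n' "$domain" > "$dir/leaf.ext"
    # self-signed root
    openssl req -new -newkey rsa:2048 -nodes -subj '/CN=Test Root CA' \
        -keyout "$dir/root.key" -out "$dir/root.csr" >/dev/null 2>&1
    openssl x509 -req -days 1 -in "$dir/root.csr" -signkey "$dir/root.key" \
        -extfile "$dir/ca.ext" -out "$dir/root.crt" >/dev/null 2>&1
    # intermediate, signed by the root
    openssl req -new -newkey rsa:2048 -nodes -subj '/CN=Test Intermediate CA' \
        -keyout "$dir/inter.key" -out "$dir/inter.csr" >/dev/null 2>&1
    openssl x509 -req -days 1 -in "$dir/inter.csr" -CA "$dir/root.crt" -CAkey "$dir/root.key" \
        -CAcreateserial -extfile "$dir/ca.ext" -out "$dir/inter.crt" >/dev/null 2>&1
    # server certificate, signed by the intermediate
    openssl req -new -newkey rsa:2048 -nodes -subj "/CN=$domain" \
        -keyout "$dir/$domain.pem" -out "$dir/$domain.csr" >/dev/null 2>&1
    openssl x509 -req -days 1 -in "$dir/$domain.csr" -CA "$dir/inter.crt" -CAkey "$dir/inter.key" \
        -CAcreateserial -extfile "$dir/leaf.ext" -out "$dir/leaf.crt" >/dev/null 2>&1
    # the post's concatenation step: server certificate first, then the CA bundle
    cat "$dir/leaf.crt" "$dir/inter.crt" > "$dir/$domain.crt"
}

# Usage: sh check-chain.sh --demo
if [ "${1:-}" = "--demo" ]; then
    d=$(mktemp -d); dom=www.securedomain.com
    make_test_pki "$d" "$dom"
    cert_key_match "$d/$dom.crt" "$d/$dom.pem" && echo "key matches certificate"
    echo "first cert CN: $(bundle_first_cn "$d/$dom.crt"), certs in file: $(bundle_cert_count "$d/$dom.crt")"
    chain_verify "$d/root.crt" "$d/leaf.crt" || echo "leaf alone does not verify (intermediate missing)"
    chain_verify "$d/root.crt" "$d/$dom.crt" && echo "leaf + intermediate verifies"
    rm -rf "$d"
fi
```

For the real files, point `cert_key_match` at `www.securedomain.com.crt` and `www.securedomain.com.pem` and `chain_verify` at the concatenated crt with a root store as `-CAfile`; the leaf-only failure in the demo is exactly what a browser without the new Thawte intermediate sees when the bundle is left out.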
Now enable SSL in your nginx server block like this:
```nginx
server {
    listen 80;
    listen 443 default ssl;
    ssl_certificate     /var/www/www.securedomain.com/ssl/www.securedomain.com.crt;
    ssl_certificate_key /var/www/www.securedomain.com/ssl/www.securedomain.com.pem;
    server_name www.securedomain.com;
    root  /var/www/www.securedomain.com/wwwroot;
    index index.php index.html;
    ...
}
```
In my example your site listens on both port 80 and port 443 (SSL); you can of course redirect HTTP to HTTPS by adding this to your nginx server block config:
```nginx
### Add Redirect SSL
server {
    listen 80;
    server_name securedomain.com www.securedomain.com;
    rewrite ^ https://www.securedomain.com$request_uri? permanent;
}
### End Redirect to SSL

server {
    listen 443 default ssl;
    ssl_certificate     /var/www/www.securedomain.com/ssl/www.securedomain.com.crt;
    ssl_certificate_key /var/www/www.securedomain.com/ssl/www.securedomain.com.pem;
    server_name www.securedomain.com;
    root  /var/www/www.securedomain.com/wwwroot;
    index index.php index.html;
    ...
    ...
}
```