This post describes how to set up a server block on nginx with a Thawte SSL123 certificate.
This how-to can of course also be used with other SSL vendors (Comodo, DigiCert, …), but you'll have to adapt some of the steps 🙂
First, we’ll start with the certificate request.
To create your request, use the openssl command:
openssl req -newkey rsa:2048 -nodes -keyout www.securedomain.com.pem -out www.securedomain.com.csr
Then answer the prompts of the CSR generation process:
Generating a 2048 bit RSA private key
........................................................+++
..............................+++
writing new private key to 'www.securedomain.com.pem'
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [AU]:BE
State or Province Name (full name) [Some-State]:VL
Locality Name (eg, city) []:Brussels
Organization Name (eg, company) [Internet Widgits Pty Ltd]:IT Company Name
Organizational Unit Name (eg, section) []:IT Dpt
Common Name (e.g. server FQDN or YOUR name) []:www.securedomain.com
Email Address []:it@securedomain.com

Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:
An optional company name []:
Now, if you look inside your CSR file, you'll see something like:
-----BEGIN CERTIFICATE REQUEST-----
...
...
...
-----END CERTIFICATE REQUEST-----
Now it’s time to go and buy your certificate at your favorite SSL reseller…
Be sure you control a mailbox the vendor can send the certificate approval email to (usually admin@securedomain.com, or webmaster@, hostmaster@, administrator@, …).
Once you have received your SSL certificate from Thawte, create a new file, www.securedomain.com.crt, and paste the certificate into it.
Thawte has upgraded their root hierarchy to 2048-bit RSA keys, so you need the intermediate CA certificate as well to support old web browsers. For the nginx web server you can download the bundle from Thawte with:
wget https://search.thawte.com/library/VERISIGN/ALL_OTHER/thawte%20ca/SSL123_CA_Bundle.pem
Once you have this file, append its contents to the end of your crt file (the server certificate must stay first in the file, followed by the intermediate):
cat SSL123_CA_Bundle.pem >> www.securedomain.com.crt
Now enable SSL in your nginx server block:
server {
    listen 80;
    listen 443 default ssl;
    ssl_certificate     /var/www/www.securedomain.com/ssl/www.securedomain.com.crt;
    ssl_certificate_key /var/www/www.securedomain.com/ssl/www.securedomain.com.pem;
    server_name www.securedomain.com;
    root /var/www/www.securedomain.com/wwwroot;
    index index.php index.html;
    ...
}
In my example your site listens on both port 80 and port 443 (SSL); you can of course redirect HTTP to HTTPS by adding a second server block to your nginx config:
### Add Redirect SSL
server {
    listen 80;
    server_name securedomain.com www.securedomain.com;
    rewrite ^ https://www.securedomain.com$request_uri? permanent;
}
### End Redirect to SSL
server {
    listen 443 default ssl;
    ssl_certificate     /var/www/www.securedomain.com/ssl/www.securedomain.com.crt;
    ssl_certificate_key /var/www/www.securedomain.com/ssl/www.securedomain.com.pem;
    server_name www.securedomain.com;
    root /var/www/www.securedomain.com/wwwroot;
    index index.php index.html;
    ...
    ...
}
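As an added example (not from the original post, and not Thawte's or nginx's code), the script below runs the whole procedure above end to end against a throwaway test CA that stands in for the reseller: it generates the key and CSR with the same openssl command (using -subj instead of the interactive prompts), has the test intermediate issue the certificate, assembles the .crt leaf-first exactly as the cat step does, and then performs the checks worth running before nginx is pointed at the files: the first certificate in the .crt is the server certificate, the chain verifies through the bundled intermediate, the private key belongs to that certificate, and the key file is not readable by group or others. The scratch directory, the test CA names and the helper function names are assumptions of this example; the domain is the placeholder from the post.

```shell
#!/bin/sh
# Added example: the post's CSR -> certificate -> bundle procedure, run against a
# constructed test CA, followed by the sanity checks a practitioner wants before
# restarting nginx. Nothing here comes from the original post except the commands.
set -eu

WORK="${WORK:-$(mktemp -d)}"       # scratch dir (assumption; the post uses /var/www/.../ssl)
DOMAIN="www.securedomain.com"      # placeholder domain from the post
KEY="$WORK/$DOMAIN.pem"            # the post's www.securedomain.com.pem (ssl_certificate_key)
CSR="$WORK/$DOMAIN.csr"
CRT="$WORK/$DOMAIN.crt"            # leaf + intermediate, what ssl_certificate points at

# Step 1: server key and CSR. Same command as the post; -subj supplies the DN
# fields non-interactively so the script runs unattended.
make_csr() {
    openssl req -newkey rsa:2048 -nodes -keyout "$KEY" -out "$CSR" \
        -subj "/C=BE/ST=VL/L=Brussels/O=IT Company Name/OU=IT Dpt/CN=$DOMAIN" 2>/dev/null
    chmod 600 "$KEY"               # the private key must never be group/world readable
}

# Step 2: a stand-in for the reseller: a constructed test root and intermediate CA.
# In a real deployment these come from the vendor (the SSL123_CA_Bundle.pem download).
make_test_ca() {
    printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign,cRLSign\n' > "$WORK/ca.ext"
    openssl req -newkey rsa:2048 -nodes -keyout "$WORK/root.key" -out "$WORK/root.csr" \
        -subj "/CN=Test Root CA" 2>/dev/null
    openssl x509 -req -in "$WORK/root.csr" -signkey "$WORK/root.key" -days 3650 \
        -extfile "$WORK/ca.ext" -out "$WORK/root.crt" 2>/dev/null
    openssl req -newkey rsa:2048 -nodes -keyout "$WORK/inter.key" -out "$WORK/inter.csr" \
        -subj "/CN=Test Intermediate CA" 2>/dev/null
    openssl x509 -req -in "$WORK/inter.csr" -CA "$WORK/root.crt" -CAkey "$WORK/root.key" \
        -CAcreateserial -days 3650 -extfile "$WORK/ca.ext" -out "$WORK/inter.crt" 2>/dev/null
}

# Step 3: the intermediate issues the server certificate from our CSR.
issue_leaf() {
    printf 'basicConstraints=CA:FALSE\nsubjectAltName=DNS:%s\n' "$DOMAIN" > "$WORK/leaf.ext"
    openssl x509 -req -in "$CSR" -CA "$WORK/inter.crt" -CAkey "$WORK/inter.key" \
        -CAcreateserial -days 365 -extfile "$WORK/leaf.ext" -out "$WORK/leaf.crt" 2>/dev/null
}

# Step 4: build the file nginx loads: server certificate first, then the CA bundle
# appended (the post's "cat SSL123_CA_Bundle.pem >> www.securedomain.com.crt").
assemble_bundle() {
    cat "$WORK/leaf.crt" > "$CRT"
    cat "$WORK/inter.crt" >> "$CRT"
}

# ---- checks ----------------------------------------------------------------

# Number of PEM certificates in the .crt (leaf + one intermediate = 2 here).
bundle_cert_count() { grep -c -- '-----BEGIN CERTIFICATE-----' "$CRT"; }

# CN of the FIRST certificate in the file. nginx treats block one as the server
# certificate, so a bundle pasted above the cert breaks every TLS handshake.
first_cert_cn() { openssl x509 -in "$CRT" -noout -subject | sed 's/.*CN *= *//'; }

# The first certificate must chain to the trust anchor through the intermediates
# that follow it in the same file (-untrusted lets openssl use them).
verify_chain() {
    openssl verify -CAfile "$WORK/root.crt" -untrusted "$CRT" "$CRT" >/dev/null 2>&1
}

# The key nginx is pointed at must belong to the first certificate: compare the
# public key embedded in the cert with the one derived from the private key.
key_matches_cert() {
    cert_pub=$(openssl x509 -in "$CRT" -noout -pubkey)
    key_pub=$(openssl pkey -in "$KEY" -pubout)
    [ "$cert_pub" = "$key_pub" ]
}

# find prints the key path if group (040) or others (004) can read it.
key_is_private() { [ -z "$(find "$KEY" -perm -004 -o -perm -040)" ]; }

main() {
    make_csr; make_test_ca; issue_leaf; assemble_bundle
    echo "certificates in $CRT: $(bundle_cert_count)"
    echo "first certificate CN:  $(first_cert_cn)"
    verify_chain     && echo "chain verifies through bundled intermediate: yes"
    key_matches_cert && echo "private key matches first certificate: yes"
    key_is_private   && echo "key file not group/world readable: yes"
}
main
```

If the first check prints the intermediate's CN instead of the domain, the bundle was concatenated in the wrong order; if the key comparison fails, the .crt does not belong to the .pem nginx is about to load. With a vendor-issued certificate, replace the test root in verify_chain with the vendor's root (or drop -CAfile to use the system trust store) and keep the same -untrusted argument.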