You’ll need to create a Certificate Signing Request (CSR) to give to your domain registrar before they generate the SSL certificate (.crt file).  I change directory into /etc/nginx/ssl before running these commands, so all my SSL ‘stuff’ is in the same folder.

openssl req -new -newkey rsa:2048 -nodes -keyout friday-next.com.key -out friday-next.com.csr

Be sure to enter your domain name when it asks for the Common Name (FQDN).  For wildcard certs, start the name with an asterisk (e.g. *.friday-next.com).

Then view the CSR by typing ‘cat friday-next.com.csr’, and paste the output into your domain registrar’s request box (include the BEGIN and END tags).

I’m using Namecheap, so once I enter the verification code into the Domain Control Validation site, I’m sent a zip file with four different files in it.  Upload the zip to your server, unzip the files in your /etc/nginx/ssl folder, and concatenate them with this command:

sudo su
cat domain_com.crt COMODORSADomainValidationSecureServerCA.crt COMODORSAAddTrustCA.crt AddTrustExternalCARoot.crt >> domain_bundle.crt
exit

You can delete those four files (don’t delete the bundle you just created!) and the zip file now.  Then go into your Nginx setup and set these values in your SSL server block, pointing ssl_certificate at the bundle and ssl_certificate_key at the key you generated alongside the CSR:

listen 443 ssl;
ssl_prefer_server_ciphers on;
ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
ssl_ciphers HIGH:!aNULL:!MD5:@STRENGTH;
ssl_session_cache shared:WEB:10m;
ssl_certificate /etc/nginx/ssl/yourdomain.crt;
ssl_certificate_key /etc/nginx/ssl/yourdomain.key;
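Before reloading Nginx, it is worth checking that the bundle from the cat step is in the order Nginx expects (your certificate first, then the intermediates, then the root) and that it belongs to the key from the CSR step, since a mis-ordered chain or a mismatched key is the usual reason the reload fails or browsers reject the site. The shell function below is an added example, not part of the original post; it uses only the openssl command line, assumes the root certificate is included in the bundle (as it is in the cat command above), and the paths in the usage comment are the post's own file names.

```bash
# check_bundle BUNDLE KEY
# Sanity-checks a bundle built the way the post describes (cat leaf, then the
# intermediates, then the root) before Nginx is pointed at it. Returns 0 when
# the key belongs to the first certificate and every certificate is followed by
# its issuer; otherwise prints the reason and returns 1. Assumes the root is
# included in the bundle, as it is in the post's cat command.
check_bundle() {
  bundle=$1; key=$2
  tmp=$(mktemp -d)
  n=$(grep -c 'BEGIN CERTIFICATE' "$bundle")
  [ "$n" -ge 1 ] || { echo "no certificates in $bundle"; rm -rf "$tmp"; return 1; }
  # Split the concatenation back into one numbered file per certificate.
  awk -v d="$tmp" '/BEGIN CERTIFICATE/{n++} n>0{print > (d "/" n ".pem")}' "$bundle"

  # 1) The private key from the CSR step must match the first (leaf) certificate:
  #    compare the public key embedded in the cert with the one derived from the key.
  leaf_pub=$(openssl x509 -in "$tmp/1.pem" -noout -pubkey | openssl dgst -sha256)
  key_pub=$(openssl pkey -in "$key" -pubout | openssl dgst -sha256)
  [ "$leaf_pub" = "$key_pub" ] || { echo "$key does not match certificate 1"; rm -rf "$tmp"; return 1; }

  # 2) Each certificate's issuer must be the subject of the next one, i.e. the
  #    files were concatenated in the right order (the usual cause of chain errors).
  i=1
  while [ "$i" -lt "$n" ]; do
    j=$((i + 1))
    iss=$(openssl x509 -in "$tmp/$i.pem" -noout -issuer)
    sub=$(openssl x509 -in "$tmp/$j.pem" -noout -subject)
    [ "${iss#issuer=}" = "${sub#subject=}" ] || {
      echo "certificate $i is not issued by certificate $j: wrong order"; rm -rf "$tmp"; return 1; }
    i=$j
  done

  # 3) The signatures must actually verify, using the last certificate as the trust anchor.
  openssl verify -CAfile "$tmp/$n.pem" -untrusted "$bundle" "$tmp/1.pem" >/dev/null 2>&1 || {
    echo "chain does not verify"; rm -rf "$tmp"; return 1; }
  rm -rf "$tmp"
  echo "$bundle: $n certificate(s), key matches, chain order OK"
}

# Usage with the post's file names (run from /etc/nginx/ssl):
# check_bundle domain_bundle.crt friday-next.com.key
```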

I use SNI, so I don’t need an individual IP address for each site with SSL.  This prevents older, insecure browsers (which lack SNI support) from verifying the SSL certificate, which is a way to encourage people to get with the times and download a modern browser.

Happy SSL’ing!
