Applying for and Installing an SSL Certificate for Nginx
Nowadays it is common to serve a website over HTTPS, which means you need a TLS/SSL certificate for the site. Here is the general procedure for applying for a certificate and installing it on nginx.
- A. Apply for an SSL Certificate
- B. Install your SSL Certificate
A. Apply for an SSL Certificate
First of all, you need openssl installed on your system. If it is missing, install it with your package manager (apt on Ubuntu or Debian, yum on CentOS or Fedora). Only the command-line tool is needed here; the development headers (libssl-dev, openssl-devel) are only required for compiling software against OpenSSL.

```sh
### ubuntu or debian
sudo apt install openssl
### fedora or centos
sudo yum install openssl
```
A.1 Generate the RSA key
```sh
mkdir tmp && cd tmp
umask 077
openssl genrsa -aes256 -out domain.tld.key 4096
```

The umask makes the key file readable only by you. `-aes256` encrypts the key under a passphrase you are prompted for; older guides use `-des3`, which still works but relies on the obsolete 3DES cipher.
A.2 Create a CSR
```sh
openssl req -new -sha256 -key domain.tld.key -out domain.tld.csr
```
You need to provide the following information:
- Common Name: www.domain.tld for a single domain, or *.domain.tld for a wildcard certificate. Browsers ignore the Common Name and only trust names listed in the subjectAltName extension, so check that the CA copies the name into the SAN of the issued certificate (most do).
- Organization: the exact legal name of your company or organization. For a domain-validated certificate the CA does not verify this field, so domain.tld will be fine.
- City or Locality: the city where you are.
- State or Province: the state or province you live in.
- Country: the two-letter ISO abbreviation for your country.
Finally, before the CSR is generated, you will be asked for a challenge password; leave it blank by just pressing Enter.
A.3 Verify your CSR
Before submitting the CSR to your certificate provider, verify it so that any error in the subject fields is caught now rather than after the CA has issued the certificate. `-verify` also checks the CSR's self-signature, which fails if the key and CSR do not belong together:

```sh
openssl req -noout -text -verify -in domain.tld.csr
```
A.4 Submit Your CSR
If verification shows no error, you can submit the CSR to your certificate authority. Submit only the CSR, never the private key. You need access to the mailbox at the domain that the CA sends its approval e-mail to, since the CA uses it to confirm that you control the domain.
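Steps A.1 to A.3 as one non-interactive script. This is an added example, not code from the original post, and it goes slightly beyond the text: it places the hostname in a subjectAltName extension (which browsers require; they ignore the Common Name), reads the key passphrase from an environment variable instead of the terminal, and creates the key with mode 0600. The file names, the DOMAIN and KEY_PASS variables, and the L/ST/C placeholder values are assumptions made for this example.

```bash
#!/bin/sh
# Added example (not from the original post): steps A.1-A.3 as one script.
# Generates an AES-256-encrypted 4096-bit RSA key and a SHA-256 CSR for one
# hostname, with the name in a subjectAltName extension, then verifies the CSR.
# Assumptions: openssl is in PATH; file names, DOMAIN, KEY_PASS and the
# L/ST/C placeholder values below are choices made for this example.
set -u

# OpenSSL request configuration for DOMAIN, written to stdout. "prompt = no"
# makes "openssl req" read the DN from here instead of asking interactively.
# For extra hostnames, extend subjectAltName: "DNS:www.x.tld, DNS:x.tld".
csr_config() {
    domain="$1"
    cat <<EOF
[ req ]
distinguished_name = dn
req_extensions     = ext
prompt             = no

[ dn ]
CN = $domain
O  = $domain
L  = City
ST = State
C  = US

[ ext ]
subjectAltName = DNS:$domain
EOF
}

# Generate the private key. umask 077 in a subshell makes the file 0600 without
# changing the caller's umask; "-passout env:" keeps the passphrase off the
# command line (and out of "ps" output), unlike "-passout pass:...".
gen_key() {
    key="$1"
    ( umask 077; openssl genrsa -aes256 -passout env:KEY_PASS -out "$key" 4096 )
}

# Create the CSR, signed with SHA-256, from the key and the config above.
gen_csr() {
    key="$1"; csr="$2"; domain="$3"
    csr_config "$domain" > "$csr.cnf"
    openssl req -new -sha256 -key "$key" -passin env:KEY_PASS \
        -config "$csr.cnf" -out "$csr"
}

# Step A.3: the CSR's self-signature must verify and the expected hostname must
# appear in its SAN. Returns 0 only if both hold.
verify_csr() {
    csr="$1"; domain="$2"
    openssl req -noout -verify -in "$csr" >/dev/null 2>&1 || return 1
    openssl req -noout -text -in "$csr" | grep -qF "DNS:$domain"
}

# Stand-alone use: KEY_PASS='...' DOMAIN=www.domain.tld sh mkcsr.sh
if [ -n "${DOMAIN:-}" ]; then
    : "${KEY_PASS:?set KEY_PASS to the passphrase for the new key}"
    mkdir -p tmp
    gen_key "tmp/$DOMAIN.key"
    gen_csr "tmp/$DOMAIN.key" "tmp/$DOMAIN.csr" "$DOMAIN"
    verify_csr "tmp/$DOMAIN.csr" "$DOMAIN" && echo "CSR ready: tmp/$DOMAIN.csr"
fi
```

The generated `tmp/$DOMAIN.csr` is what you hand to the CA; `tmp/$DOMAIN.key` stays on the server. Because the config is written per request, the same script works for a wildcard (`DOMAIN='*.domain.tld'`) or for several names.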
B. Install your SSL Certificate
After you receive the certificate, you can deploy it on your web server.
OpenSSL wrote the private key encrypted under your passphrase. nginx must be able to read the key without prompting at startup, so write an unencrypted copy (you will be asked for the passphrase once):

```sh
umask 077
openssl rsa -in domain.tld.key -out domain.tld.decrypted.key
```

The rest of the installation uses this decrypted private key. Treat it as a secret: keep it mode 0600 and owned by root (for example under /etc/ssl/private/), and never share it or send it to anyone; only the CSR ever goes to the CA.
The TLS settings for nginx are below. `ssl_certificate` must point at a file containing your certificate followed by the CA's intermediate certificate(s); most CAs ship these as a bundle. Two defects in the cipher string as it was originally published are fixed here: the directive is `ssl_prefer_server_ciphers` (one word), and the list mixed in `EECDH+aRSA+RC4`, which the later `!RC4` removed anyway, and `!ERP`, which is not an OpenSSL keyword (`!SRP` is, and is what is meant). OpenSSL accepts spaces as well as colons as separators.

```nginx
server_tokens off;

## ssl config
ssl_certificate     /path/to/your/certificate;
ssl_certificate_key /path/to/your/certificate/key;
ssl_session_cache   shared:SSL:10m;
ssl_session_timeout 10m;
ssl_protocols       TLSv1.2;   # add TLSv1.3 if nginx >= 1.13.0 is built against OpenSSL >= 1.1.1
ssl_prefer_server_ciphers on;
ssl_ciphers "EECDH+ECDSA+AESGCM EECDH+aRSA+AESGCM EECDH+ECDSA+SHA384 EECDH+ECDSA+SHA256 EECDH+aRSA+SHA384 EECDH !RC4 !aNULL !eNULL !LOW !3DES !MD5 !EXP !PSK !SRP !DSS !DH !EDH";
```
The server block must also listen on port 443 with TLS enabled. The `ssl` parameter on `listen` replaces the old `ssl on;` directive; on nginx 1.25.1 and later the `http2` parameter is deprecated in favour of a separate `http2 on;` directive:

```nginx
listen 443 ssl http2;
listen [::]:443 ssl http2;
```

Run `nginx -t` to check the configuration, then reload nginx.
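Before copying the files into place and reloading nginx, a practitioner confirms that the decrypted key is locked down and that the certificate the CA returned actually belongs to that key and covers the hostname. The following script is an added example, not code from the original post; it performs the decryption step from section B and those checks. The file names and the KEY_PASS variable are assumptions made for this example.

```bash
#!/bin/sh
# Added example (not from the original post): the decryption step of section B
# plus the checks to run before pointing nginx at the files. Assumptions:
# openssl is in PATH; file names and the KEY_PASS variable are placeholders
# chosen for this example.
set -u

# Write the unencrypted copy of the key that nginx loads at startup. The
# subshell's umask 077 makes it 0600; keep it owned by root, since nginx reads
# it as root before dropping privileges. The passphrase comes from KEY_PASS.
decrypt_key() {
    enc="$1"; dec="$2"
    ( umask 077; openssl rsa -in "$enc" -passin env:KEY_PASS -out "$dec" )
}

# The public key in the certificate must equal the one derived from the private
# key; otherwise nginx refuses to start with an X509_check_private_key
# "key values mismatch" error. Returns 0 on a match, 1 otherwise.
cert_matches_key() {
    cert="$1"; key="$2"
    cert_pub=$(openssl x509 -in "$cert" -noout -pubkey) || return 1
    key_pub=$(openssl pkey -in "$key" -pubout) || return 1
    [ "$cert_pub" = "$key_pub" ]
}

# The certificate must not be expired and must cover the hostname clients will
# use (a SAN entry, or the CN as legacy fallback). Returns 0 when both hold.
cert_valid_for() {
    cert="$1"; host="$2"
    openssl x509 -in "$cert" -noout -checkend 0 >/dev/null || return 1
    openssl x509 -in "$cert" -noout -checkhost "$host" | grep -q "does match"
}

# Stand-alone use:
#   KEY_PASS='...' sh predeploy.sh domain.tld.key domain.tld.crt www.domain.tld
if [ "$#" -eq 3 ]; then
    enc_key="$1"; cert="$2"; host="$3"
    dec_key="${enc_key%.key}.decrypted.key"
    decrypt_key "$enc_key" "$dec_key"
    cert_matches_key "$cert" "$dec_key" || { echo "certificate does not match $dec_key" >&2; exit 1; }
    cert_valid_for "$cert" "$host"   || { echo "certificate is not valid for $host" >&2; exit 1; }
    echo "ok: install $cert and $dec_key, then run nginx -t and reload"
fi
```

Once both checks pass, copy the certificate bundle and the decrypted key to the paths named in `ssl_certificate` and `ssl_certificate_key`, run `nginx -t`, and only then reload. A mismatch found here is almost always a CSR generated from a different key than the one on the server, or a bundle in the wrong order (the leaf certificate must come first).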