SSL Certificate Installation on Nginx or Apache
SSL Certificate
Before we can sign up for a certificate, we have to generate an RSA private key:

    openssl genrsa -des3 -out example.com_secure.key 2048
You will be prompted to provide a passphrase (required). The key file is secured with this passphrase, but we will eventually remove this protection.
Then, we will use this private key to generate a certificate signing request which is then submitted to the CA.

    openssl req -new -key example.com_secure.key -out example.com.csr
Remove the encryption from the RSA private key
Before we start configuring the HTTPS server, we have to remove the passphrase from our RSA key. Otherwise you have to provide the passphrase every time the server is started.

    openssl rsa -in example.com_secure.key -out example.com_secure.key
The unencrypted private key should only be readable by the owner of the Nginx or Apache master process. Most of the time this is the root user:

    chmod 400 example.com_secure.key
    sudo chown root:root example.com_secure.key
Generate SSL Certificate

    # -signkey self-signs the request with our own key; -in is the CSR created above
    openssl x509 -req -days 365 -in example.com.csr -signkey example.com_secure.key -out example.com_secure.crt
Setting up server
Nginx

    server {
        # "listen 443 ssl;" replaces the separate "ssl on;" directive,
        # which newer nginx releases no longer accept
        listen 443 ssl;
        server_name example.com;

        root /var/www/example.com;

        ssl_certificate /path/example.com_secure.crt;
        ssl_certificate_key /path/example.com_secure.key;
    }
Apache

    <VirtualHost *:443>
        DocumentRoot /var/www/example.com
        SSLEngine on
        SSLCertificateFile /path/example.com_secure.crt
        SSLCertificateKeyFile /path/example.com_secure.key
        SSLCertificateChainFile /path/example.com_secure.crt
    </VirtualHost>
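
Before reloading Nginx or Apache, it helps to confirm that the key really is unencrypted, is not readable by group or others, belongs to the certificate, and that the certificate is not about to expire. The script below is an added example, not part of the original page; the function names `check_tls_pair` and `make_demo_pair` and the return codes are its own conventions.

```shell
#!/bin/sh
# Added example: sanity checks for the key/certificate pair before a reload.
# Return codes are this example's own convention:
#   0 ok, 1 key encrypted or unreadable, 2 key permissions too open,
#   3 certificate does not match key, 4 certificate expires within 30 days.
check_tls_pair() {
    key=$1; crt=$2

    # An empty passphrase only succeeds if the key is stored unencrypted,
    # which is what the server needs to start without a prompt.
    key_pub=$(openssl pkey -in "$key" -passin pass: -pubout 2>/dev/null) || return 1

    # Characters 5-10 of the mode string are the group and other bits;
    # after "chmod 400" they must all be "-".
    [ "$(ls -ld "$key" | cut -c5-10)" = "------" ] || return 2

    # The certificate must carry the public half of this exact key.
    crt_pub=$(openssl x509 -in "$crt" -noout -pubkey 2>/dev/null) || return 3
    [ "$key_pub" = "$crt_pub" ] || return 3

    # -checkend N fails if the certificate expires within N seconds.
    openssl x509 -in "$crt" -noout -checkend $((30 * 86400)) >/dev/null || return 4
    return 0
}

# Constructed sample input: a throwaway pair in directory $1, made with the
# same openssl steps as the page (no passphrase, validity of $2 days).
make_demo_pair() {
    dir=$1; days=$2
    openssl genrsa -out "$dir/demo.key" 2048 2>/dev/null &&
    openssl req -new -key "$dir/demo.key" -subj "/CN=example.com" \
        -out "$dir/demo.csr" 2>/dev/null &&
    openssl x509 -req -days "$days" -in "$dir/demo.csr" \
        -signkey "$dir/demo.key" -out "$dir/demo.crt" 2>/dev/null &&
    chmod 400 "$dir/demo.key"
}

# Usage: sh check_tls_pair.sh /path/example.com_secure.key /path/example.com_secure.crt
if [ "$#" -eq 2 ]; then
    check_tls_pair "$1" "$2"
fi
```

A non-zero exit status identifies which check failed, so the script can gate a reload in a deployment step.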