Installing Certificate Authority-Signed TLS Certificates on an NGINX Web-site
Before going about the steps shown in this article, you should have considered the reasons, limitations and choices involved in setting up certificates on your web-site. Firstly, a self-signed certificate is clearly insufficient for ecommerce. It involves no validation of the certificate that your site visitors receive – that certificate could belong to a man-in-the-middle who is decrypting and re-encrypting traffic between the web-browser and the web-server.
Secondly, are you going to install a domain-validated certificate or an extended validation certificate? A domain-validated certificate addresses the security issue mentioned above, thus providing satisfactory security for transactions with customers on your web-site. However, when issuing an extended validation certificate, the CA also takes further measures to establish the authenticity of your domain. Web browsers will then display your company name or similar information in green text next to a green padlock icon.
Generate the Certificate Signing Request (CSR) – this will be sent to the Certificate Authority
Having negotiated the issues above, you will go forward and obtain a signed certificate from a CA. The first step in doing this is to generate a Certificate Signing Request (CSR), as follows.
NOTE: Everything is done on the Linux command line, as root or with sudo. The files involved are all plain text files, the certificates are segments of plain text and the encryption keys are hexadecimal values provided as ASCII text within those certificates.
First, generate a private key
#openssl genrsa -out ~/your_domain.com.ssl/your_domain.com.key 2048
#openssl req -new -sha256 -key ~/your_domain.com.ssl/your_domain.com.key -out ~/your_domain.com.ssl/your_domain.com.csr
Common Name the fully qualified domain name for your web-server
Organisation Name the exact, non-abbreviated legal name of your organisation
Organisational Unit division, section or department or your organisation
City or Locality the city or town where your organisation has its legally registered office
State or Province the state or province where your organisation has its legally registered office
Country the two-letter ISO abbreviation for your country
The resulting CSR can be verified with the following command
#openssl req -noout -text -in ~/your_domain.com.ssl/your_domain.com.csr
Installing the certificates onto the nginx server
From the Certificate Authority, you will receive a certificate for your domain itself, as well as a certificate for the root CA. You will also receive certificates for any intermediate authorities in the chain of trust leading from the root CA to your domain.
The web engine has to read the private key that was originally generated by openssl. It must also read all of the certificates returned by your CA. The private key resides in a file in the directory etc/nginx/ssl
If it doesn’t already exist, make that directory as follows.
The various certificates returned from the signing authority must be put in a single plain-text file, in a specific order. This “bundle” file goes in the same directory as the private key. Say, for example, you have received the following files from the signing authority:
your_domain.crt (obtained from intermediate authority 2)
intermediate_auth2.crt (obtained from intermediate authority 1)
intermediate_auth1.crt (obtained from root authority)
root.crt (the root authority’s own certificate)
The order for the certificates in the bundle file is:
your_domain.crt – at beginning of file
root.crt – at end of file