Installing Certificate Authority-Signed TLS Certificates on an NGINX Web-site

This article gives basic instructions for installing the certificate signed by a Certificate Authority (CA) on your nginx web-site.

Before carrying out the steps in this article, you should have considered the reasons, limitations and choices involved in setting up certificates on your web-site.  Firstly, a self-signed certificate is clearly insufficient for ecommerce.  Nothing validates the certificate that your site visitors receive – that certificate could belong to a man-in-the-middle who is decrypting and re-encrypting traffic between the web-browser and the web-server.

Secondly, are you going to install a domain-validated certificate or an extended validation certificate?  A domain-validated certificate addresses the security issue mentioned above, and so provides satisfactory security for transactions with customers on your web-site.  When issuing an extended validation certificate, however, the CA also takes further measures to establish the authenticity of your domain.  Web browsers will then display your company name or similar information in green text next to a green padlock icon.

Generate the Certificate Signing Request (CSR) – this will be sent to the Certificate Authority

Having negotiated the issues above, you will go forward and obtain a signed certificate from a CA.  The first step in doing this is to generate a Certificate Signing Request (CSR), as follows.

NOTE: Everything is done on the Linux command line, as root or with sudo.  The files involved are all plain text files, the certificates are segments of plain text and the encryption keys are hexadecimal values provided as ASCII text within those certificates.

First, generate a private key:

#mkdir ~/your_domain.com.ssl/
#cd ~/your_domain.com.ssl/
#openssl genrsa -out ~/your_domain.com.ssl/your_domain.com.key 2048

A CSR incorporates a public key.  The private key is used as input when generating it:

#openssl req -new -sha256 -key ~/your_domain.com.ssl/your_domain.com.key -out ~/your_domain.com.ssl/your_domain.com.csr

openssl will prompt you for the following information:

Common Name           the fully qualified domain name for your web-server
Organisation Name     the exact, non-abbreviated legal name of your organisation
Organisational Unit   the division, section or department of your organisation
City or Locality      the city or town where your organisation has its legally registered office
State or Province     the state or province where your organisation has its legally registered office
Country               the two-letter ISO abbreviation for your country

The resulting CSR can be verified with the following command:

#openssl req -noout -text -in ~/your_domain.com.ssl/your_domain.com.csr

You can then submit the CSR file to the Certificate Authority, following their instructions.  The procedures for obtaining the signed certificate (either domain-validated or extended validation) from the CA are beyond the scope of this article, and will vary between CAs.  Having completed their procedures and obtained the signed certificate, continue below to install it on your web-site.
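The key and CSR steps above as a single script, with the checks worth running before the request goes to the CA.  This is an added example and not code from the original article; the domain and organisation values are placeholders, and the -subj string replaces the interactive prompts (Common Name, Organisation Name and so on).

```shell
#!/bin/sh
# Added example, not from the original article: generate the private key and the
# CSR non-interactively, then check the request before it is submitted to the CA.
# The domain and organisation values are placeholders.
set -eu

# make_csr DIR DOMAIN ORG OU LOCALITY STATE COUNTRY
# Writes DIR/DOMAIN.key (readable by its owner only) and DIR/DOMAIN.csr.
make_csr() {
    dir=$1; domain=$2; org=$3; ou=$4; loc=$5; st=$6; cc=$7
    mkdir -p "$dir"
    # Subshell so the restrictive umask applies to the key file only.
    ( umask 077 && openssl genrsa -out "$dir/$domain.key" 2048 2>/dev/null )
    # -subj supplies the fields openssl would otherwise prompt for.
    openssl req -new -sha256 -key "$dir/$domain.key" \
        -subj "/CN=$domain/O=$org/OU=$ou/L=$loc/ST=$st/C=$cc" \
        -out "$dir/$domain.csr"
}

# check_csr DIR DOMAIN
# Returns 0 only if the request's own signature verifies, its Common Name is
# DOMAIN, and the public key it carries matches the private key on disk.
check_csr() {
    dir=$1; domain=$2
    openssl req -noout -verify -in "$dir/$domain.csr" >/dev/null 2>&1 || return 1
    openssl req -noout -subject -in "$dir/$domain.csr" \
        | grep -q "CN *= *$domain" || return 1
    csr_pub=$(openssl req -noout -pubkey -in "$dir/$domain.csr") || return 1
    key_pub=$(openssl pkey -pubout -in "$dir/$domain.key") || return 1
    [ "$csr_pub" = "$key_pub" ]
}

main() {
    work=$(mktemp -d)
    make_csr "$work" www.example.com "Example Ltd" IT London "Greater London" GB
    if check_csr "$work" www.example.com; then
        echo "CSR ready to submit: $work/www.example.com.csr"
        # Same human-readable view as the article's verification command.
        openssl req -noout -text -in "$work/www.example.com.csr" | head -n 12
    fi
}
main
```

The third check in check_csr (CSR public key against the private key) is the one that catches a CSR generated from a stale or wrong key before the CA has issued anything against it.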

Installing the certificates onto the nginx server

From the Certificate Authority, you will receive a certificate for your domain itself, as well as a certificate for the root CA.  You will also receive certificates for any intermediate authorities in the chain of trust leading from the root CA to your domain.

The web server has to read the private key that was originally generated by openssl, and it must also read all of the certificates returned by your CA.  The private key resides in a file in the directory /etc/nginx/ssl.

If it doesn’t already exist, make that directory as follows.

#mkdir /etc/nginx/ssl

The various certificates returned from the signing authority must be put in a single plain-text file, in a specific order.  This “bundle” file goes in the same directory as the private key.  Say, for example, you have received the following files from the signing authority:

your_domain.crt            (obtained from intermediate authority 2)
intermediate_auth2.crt     (obtained from intermediate authority 1)
intermediate_auth1.crt     (obtained from root authority)
root.crt                   (the root authority’s own certificate)

The order for the certificates in the bundle file is:

your_domain.crt            –  at beginning of file
intermediate_auth2.crt
intermediate_auth1.crt
root.crt                   –  at end of file
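Assembling the bundle in that order and verifying it before anything is copied into /etc/nginx/ssl, as an added example that is not part of the original article.  It builds a throwaway three-level chain locally (root, two intermediates, site certificate) under the article's file names so that it runs offline; with a real CA those four .crt files arrive from the CA and make_toy_chain is simply not called.  The output bundle name your_domain.bundle.crt is an assumption.

```shell
#!/bin/sh
# Added example, not from the original article: build the nginx bundle file in
# the article's order (site certificate first, root last) and verify the order,
# the chain and the private-key match before installation. The chain built by
# make_toy_chain is a constructed stand-in for what a CA returns.
set -eu

# newreq CN KEY CSR : fresh RSA key plus CSR for the given Common Name.
newreq() {
    openssl req -new -newkey rsa:2048 -nodes -sha256 -subj "/CN=$1" \
        -keyout "$2" -out "$3" 2>/dev/null
}

# sign CSR ISSUER_CRT ISSUER_KEY EXTFILE OUT : issue a certificate from a CSR.
sign() {
    openssl x509 -req -in "$1" -CA "$2" -CAkey "$3" -CAcreateserial \
        -days 30 -sha256 -extfile "$4" -out "$5" 2>/dev/null
}

# make_toy_chain DIR : constructed root.crt -> intermediate_auth1.crt ->
# intermediate_auth2.crt -> your_domain.crt, plus your_domain.key.
make_toy_chain() {
    d=$1
    mkdir -p "$d"
    # Intermediates must carry CA:TRUE or chain validation rejects them.
    printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign,cRLSign\n' >"$d/ca.ext"
    printf 'basicConstraints=CA:FALSE\nkeyUsage=digitalSignature,keyEncipherment\nextendedKeyUsage=serverAuth\n' >"$d/leaf.ext"
    newreq "Toy Root CA" "$d/root.key" "$d/root.csr"
    openssl x509 -req -in "$d/root.csr" -signkey "$d/root.key" -days 30 -sha256 \
        -extfile "$d/ca.ext" -out "$d/root.crt" 2>/dev/null
    newreq "Toy Intermediate 1" "$d/int1.key" "$d/int1.csr"
    sign "$d/int1.csr" "$d/root.crt" "$d/root.key" "$d/ca.ext" "$d/intermediate_auth1.crt"
    newreq "Toy Intermediate 2" "$d/int2.key" "$d/int2.csr"
    sign "$d/int2.csr" "$d/intermediate_auth1.crt" "$d/int1.key" "$d/ca.ext" "$d/intermediate_auth2.crt"
    newreq "www.your_domain.com" "$d/your_domain.key" "$d/your_domain.csr"
    sign "$d/your_domain.csr" "$d/intermediate_auth2.crt" "$d/int2.key" "$d/leaf.ext" "$d/your_domain.crt"
}

# build_bundle DIR OUT : concatenate in the article's order. awk 1 (rather than
# cat) guarantees a newline after every file, so a .crt that lacks a trailing
# newline cannot glue two PEM blocks together.
build_bundle() {
    awk 1 "$1/your_domain.crt" "$1/intermediate_auth2.crt" \
          "$1/intermediate_auth1.crt" "$1/root.crt" >"$2"
}

# nth_cert BUNDLE N : print the N-th PEM certificate block of a bundle.
nth_cert() {
    awk -v k="$2" '/BEGIN CERTIFICATE/{n++} n==k' "$1"
}

# check_order BUNDLE : 0 only if every certificate is immediately followed by
# the certificate that issued it, which is the order nginx and clients expect.
check_order() {
    count=$(grep -c 'BEGIN CERTIFICATE' "$1") || return 1
    i=1
    while [ "$i" -lt "$count" ]; do
        issuer=$(nth_cert "$1" "$i" | openssl x509 -noout -issuer) || return 1
        subject=$(nth_cert "$1" $((i + 1)) | openssl x509 -noout -subject) || return 1
        [ "${issuer#issuer=}" = "${subject#subject=}" ] || return 1
        i=$((i + 1))
    done
}

# verify_bundle BUNDLE KEY ROOT : order check, chain validation of the first
# certificate against ROOT with the rest of the bundle as untrusted
# intermediates, and a public-key comparison between that certificate and KEY.
verify_bundle() {
    check_order "$1" || return 1
    tmp=$(mktemp -d)
    nth_cert "$1" 1 >"$tmp/leaf.pem"
    awk '/BEGIN CERTIFICATE/{n++} n>=2' "$1" >"$tmp/rest.pem"
    openssl verify -CAfile "$3" -untrusted "$tmp/rest.pem" "$tmp/leaf.pem" >/dev/null 2>&1 || return 1
    crt_pub=$(openssl x509 -noout -pubkey -in "$tmp/leaf.pem") || return 1
    key_pub=$(openssl pkey -pubout -in "$2") || return 1
    rm -rf "$tmp"
    [ "$crt_pub" = "$key_pub" ]
}

main() {
    work=$(mktemp -d)
    make_toy_chain "$work"
    build_bundle "$work" "$work/your_domain.bundle.crt"
    verify_bundle "$work/your_domain.bundle.crt" "$work/your_domain.key" "$work/root.crt" \
        && echo "bundle verified; copy your_domain.bundle.crt and your_domain.key to /etc/nginx/ssl"
    rm -rf "$work"
}
main
```

check_order is the test that `openssl verify` alone does not give you: a bundle with the root first still validates as a chain, yet nginx would then present the root as the server certificate.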