Security is always very important when it comes to any type of internet communication. SSL certificates are one way to get a higher level of security for web servers. When a web server runs using secure protocols, it uses public and private keys in order to encrypt the traffic.
The traffic is encrypted on the server, then sent to the client (still encrypted) and then it is decrypted on the client's side (using the certificates). This makes the data unreadable to any potential intruder. SSL certificates are usually issued by a certificate authority, but we can create our own, self-signed certificates as well.
In order to create an SSL certificate for Nginx, the first thing to do is to make sure that we have Nginx already installed:
# sudo apt-get install nginx
Before we proceed and create the certificates, we should create a directory where we are going to store the certificates and access them later. We will create the directory inside the Nginx configuration directory (/etc/nginx):
# sudo mkdir /etc/nginx/ssl
Once the directory is created, we will perform all the required steps inside that directory, so all output files will be saved there.
# cd /etc/nginx/ssl
The first file that we need to create is the private key. While creating the key, we will be asked for a passphrase. We must make sure to remember the passphrase, since we will not be able to use the key (and therefore the certificate) without it. We will remove the passphrase later, though. The following command generates the private key:
# sudo openssl genrsa -des3 -out server.key 1024
Once we have the key created, we will use it in order to create a Certificate Signing Request (CSR):
# sudo openssl req -new -key server.key -out server.csr
After we execute this command, we will be prompted to enter some information, like Country, Company, Address, Email and possibly some other fields. We should fill in the information properly, since it will be visible to the public once the certificate is created and used on our website. The most important one is the "Common Name" value: our fully qualified domain name should be entered here. We leave the optional company name and challenge password blank.
Now that we have the .key and .csr files, we are ready to create the certificate. Having a passphrase on the key file adds extra security, but it can be inconvenient in case of an automatic server reboot or similar situations.
If there is a passphrase, it has to be typed in manually, so if no person is available to do it, the website will stay offline for a long time. That is why we are going to remove the passphrase from the key file, using the following commands:
# sudo cp server.key server.key.org
# sudo openssl rsa -in server.key.org -out server.key
Now we are ready to create and sign our certificate:
# sudo openssl x509 -req -days 365 -in server.csr -signkey server.key -out server.crt
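To confirm that the key, CSR and certificate produced by the steps above actually belong together before handing them to Nginx, here is an added shell script (not part of the original post) that repeats the same three openssl steps non-interactively in a temporary directory and then checks the result. The domain, the subject fields and the 2048-bit key size are assumptions made for the example; the post itself uses 1024 bits.

```shell
#!/bin/sh
# Constructed walkthrough: run the post's key -> CSR -> self-signed certificate steps
# non-interactively in a scratch directory, then check the results the way a reviewer
# would before wiring them into Nginx. Assumes only the openssl CLI is installed.
set -eu

WORKDIR=$(mktemp -d)        # scratch dir instead of /etc/nginx/ssl, so no root needed
DOMAIN="our-domain.com"     # assumed value for the CSR's Common Name
DAYS=365

# 1. Private key. No -des3 passphrase, which is where the post ends up after stripping it.
#    2048 bits rather than the post's 1024 (1024-bit RSA is below current minimums).
openssl genrsa -out "$WORKDIR/server.key" 2048 2>/dev/null

# 2. CSR with the subject supplied on the command line instead of the interactive prompts.
openssl req -new -key "$WORKDIR/server.key" -out "$WORKDIR/server.csr" \
  -subj "/C=US/O=Example Org/CN=$DOMAIN"

# 3. Self-signed certificate, valid for $DAYS days.
openssl x509 -req -days "$DAYS" -in "$WORKDIR/server.csr" \
  -signkey "$WORKDIR/server.key" -out "$WORKDIR/server.crt" 2>/dev/null

# Succeeds only if the certificate carries the public half of this private key
# (otherwise Nginx refuses to start with a "key values mismatch" error).
key_matches_cert() {
  k=$(openssl rsa -in "$1" -pubout 2>/dev/null | openssl dgst -sha256)
  c=$(openssl x509 -in "$2" -noout -pubkey | openssl dgst -sha256)
  [ -n "$k" ] && [ "$k" = "$c" ]
}

# Prints the Common Name from the certificate subject.
cert_cn() {
  openssl x509 -in "$1" -noout -subject -nameopt RFC2253 | sed -n 's/.*CN=\([^,]*\).*/\1/p'
}

# Succeeds if the certificate will still be valid $2 days from now.
cert_valid_for_days() {
  openssl x509 -in "$1" -noout -checkend $(( $2 * 86400 ))
}

# Succeeds if the certificate verifies against itself, i.e. it is self-signed and intact.
cert_self_verifies() {
  openssl verify -CAfile "$1" "$1" >/dev/null 2>&1
}

key_matches_cert "$WORKDIR/server.key" "$WORKDIR/server.crt" && echo "key/cert pair OK"
echo "CN: $(cert_cn "$WORKDIR/server.crt")"
cert_valid_for_days "$WORKDIR/server.crt" 364 && echo "still valid in 364 days"
cert_self_verifies "$WORKDIR/server.crt" && echo "self-signed certificate verifies"
```

Like the post's own commands, this flow puts the domain only in the Common Name; current browsers also expect it in a subjectAltName extension, so a certificate made this way will still be flagged as untrusted even once the self-signing is accepted.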
It will be valid for 1 year (365 days). That is something that can be changed if needed. Now we can use the certificate and assign it to a virtual host. We can copy the Nginx sample configuration file to a new file and use that. The most important section in the file is the following:
server {
    listen 443 ssl;   # "ssl on;" is the older spelling of this; it is deprecated and removed in recent Nginx
    server_name our-domain.com;
    root /var/www;
    index index.html index.htm;
    ssl_certificate /etc/nginx/ssl/server.crt;
    ssl_certificate_key /etc/nginx/ssl/server.key;
}
After making the changes and saving the file, we should copy the virtual host configuration file into /etc/nginx/sites-enabled/ and then restart Nginx.
# sudo service nginx restart
After the restart, if we point our browser to https://our-domain.com we will be able to inspect the certificate on the page. That's it. We have added the certificate and all traffic to our website is now encrypted.