Adding a certificate and serving the site over HTTPS is a real improvement to the security of the communication between the browser and the server, and should be in place on all sites that have a user login. Contrary to what many (older) guides say, it doesn’t add much load on your server and is fairly easy and cheap to set up right.
First of all, make sure Nginx is installed and running. I highly recommend running the latest version from Nginx’ own Ubuntu repository.
Generate key and CSR
Generate the server’s private key:
$ openssl genrsa -out /etc/ssl/private/example.com.key 2048
The number (2048) is the key length in bits. Anything shorter is, or will soon be, considered unsafe and should be avoided for new keys. Anything longer is unnecessary and will only waste CPU.
Generate the Certificate Signing Request (CSR):
$ openssl req -new -key /etc/ssl/private/example.com.key -out /etc/ssl/private/example.com.csr
Fill in the requested fields, but please note the following:
- Enter your FQDN for “Common Name (e.g. server FQDN or YOUR name)”. In this case it’s “www.example.com”
- Press [ENTER] (blank) for “A challenge password”
Most Certificate Authorities will issue a certificate that is valid for both www.example.com and example.com if you provide www.example.com as FQDN. The opposite is NOT the case.
Make sure the files are readable by root only:
$ chmod 0400 /etc/ssl/private/example.com.*
Acquire the certificate from a CA
Go to the web site of a Certificate Authority or affiliate. For securing regular web sites, I usually get a domain validated Comodo PositiveSSL certificate from SSLs.com. They’re really cheap and more than good enough for most cases.
When you get the certificate from the CA – usually within an hour – place it in /etc/ssl/certs/example.com.crt
Intermediate Certificate Advisory
The certificate issuer will most likely provide you with an intermediate certificate or two. You MUST install the intermediate certificates on the server together with the certificate, otherwise browsers that do not already have them cached will fail to build the chain.
Save the intermediate certificate to /etc/ssl/certs/
In my case the two provided intermediate certs are these two files: COMODORSADomainValidationSecureServerCA.crt and COMODORSAAddTrustCA.crt
Concatenate the certificates to one file (order is important):
$ cat /etc/ssl/certs/example.com.crt /etc/ssl/certs/COMODORSADomainValidationSecureServerCA.crt /etc/ssl/certs/COMODORSAAddTrustCA.crt > /etc/ssl/certs/example.com.certchain.crt
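A check worth running before handing the chain to Nginx, as an added example that is not from the original post: the script below verifies that the concatenated file is ordered leaf first (each certificate is issued by the one that follows it) and that the private key matches the leaf certificate. It assumes openssl is on PATH; the chain and key paths are passed as arguments rather than fixed.

```shell
#!/bin/sh
# Added example: sanity-check a concatenated certificate chain before
# reloading Nginx. Assumes the openssl CLI is installed.

# Print the n-th certificate (1-based) from a PEM bundle.
nth_cert() {  # $1 = bundle file, $2 = index
    awk -v n="$2" '
        /-----BEGIN CERTIFICATE-----/ { i++ }
        i == n { print }
        /-----END CERTIFICATE-----/ { if (i == n) exit }
    ' "$1"
}

# Number of certificates in a PEM bundle.
cert_count() {
    grep -c -e '-----BEGIN CERTIFICATE-----' "$1"
}

# Read one PEM cert on stdin and print its subject or issuer DN with the
# "subject=" / "issuer=" label stripped, so the two can be compared.
dn_of() {  # $1 = -subject or -issuer
    openssl x509 -noout "$1" | sed 's/^[a-z]*= *//'
}

# Returns 0 if every certificate in the file is issued by the one after
# it, i.e. the bundle is ordered leaf -> intermediate(s) as Nginx expects.
check_chain_order() {  # $1 = chain file
    file=$1
    n=$(cert_count "$file")
    [ "$n" -ge 1 ] || return 1
    i=1
    while [ "$i" -lt "$n" ]; do
        issuer=$(nth_cert "$file" "$i" | dn_of -issuer)
        subject=$(nth_cert "$file" $((i + 1)) | dn_of -subject)
        [ "$issuer" = "$subject" ] || return 1
        i=$((i + 1))
    done
    return 0
}

# Returns 0 if the private key's public half matches the first (leaf)
# certificate in the chain file.
key_matches_cert() {  # $1 = chain file, $2 = private key file
    c=$(nth_cert "$1" 1 | openssl x509 -noout -pubkey)
    k=$(openssl pkey -in "$2" -pubout 2>/dev/null)
    [ -n "$c" ] && [ "$c" = "$k" ]
}
```

Run it as `check_chain_order /etc/ssl/certs/example.com.certchain.crt && key_matches_cert /etc/ssl/certs/example.com.certchain.crt /etc/ssl/private/example.com.key` (as root, since the key is mode 0400); a non-zero exit means the order or the key is wrong.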
Copy your existing server block and add the 4 SSL-specific lines so the start of your new server block looks like this:
listen 443 ssl;
Now reload your config and you should be done:
$ service nginx reload