How to configure SSL certificate under Nginx

Source: Internet
Author: User
Tags vps startssl

1. Configure the Nginx SSL module
Nginx is not built with the SSL module by default. My VPS came with Nginx 0.7.63 installed, so I took the opportunity to upgrade to 0.7.64 and build in the SSL module as follows:
Download the Nginx 0.7.64 release, extract it, and enter the extracted directory:

wget http://sysoev.ru/nginx/nginx-0.7.64.tar.gz
tar zxvf nginx-0.7.64.tar.gz
cd nginx-0.7.64


If you want to change the server header information, edit the version definitions:

vi src/core/nginx.h
#define NGINX_VERSION "0.7.62"
#define NGINX_VER "nginx/" NGINX_VERSION


Change the version number and the "nginx" name above to whatever you like.
Compile:
./configure --user=www --group=www --prefix=/usr/local/nginx --with-http_stub_status_module --with-http_ssl_module
make
make
Remember not to run make install.

Because this is a small website, a smooth (zero-downtime) upgrade is not needed; restarting Nginx directly with killall -HUP nginx is enough.
OK, the upgrade and the SSL module installation are finished. Here I changed the name Nginx to Zoulu, so:

Pretty distinctive, isn't it?

2. Generate a certificate using OpenSSL

① Generate the RSA key
openssl genrsa -out privkey.pem 2048

Some certificates use 1024-bit keys, in which case run the following instead (publicly trusted CAs have since stopped issuing certificates for RSA keys shorter than 2048 bits):
openssl genrsa -out privkey.pem 1024

② Generate a certificate request
openssl req -new -key privkey.pem -out cert.csr

You will be prompted for the province, city, domain name and other information. Importantly, the email address must be at your own domain, such as [email protected], and must be able to receive mail!

This produces a CSR file, which is the file you submit to the SSL provider.

(Source: http://www.lsproc.com/blog/nginx_ssl_config/)

Simply run cat cert.csr

This prints a long block of characters delimited by -----BEGIN CERTIFICATE REQUEST----- and -----END CERTIFICATE REQUEST-----.

The SSL provider you submit it to will normally send you a certificate within half an hour to a day.

Upload all the files to a specific directory; for example, I uploaded mine to /root/zoulu/

Here, zoulukey.pem and zoulucert.csr were generated on the VPS itself, and the rest were issued by the certificate authority.

In general you can use the CRT file issued by the certificate authority directly, such as zou_lu.crt. However, many certificate issuers are not trusted by default in the Chinese version of Firefox. After careful study, I finally found that the fix is to merge the certificate authority's own CRT into your CRT file as well.

Here's how:

Merge PositiveSSLCA.crt (the certificate authority's CRT) and zou_lu.crt (the CRT for your own domain name). Nginx uses the first certificate in the file as the server certificate, so your own certificate must come first, followed by the CA certificate:

cat PositiveSSLCA.crt >> zou_lu.crt

Or open the files directly in Notepad and copy the entire contents of PositiveSSLCA.crt to the bottom of zou_lu.crt.


③ Modify the Nginx configuration

listen 443;
server_name zou.lu;
index index.html index.htm index.php;
root /home/zoulu;
error_page 404 403 http://zou.lu;

ssl on;
ssl_certificate /root/zoulu/zou_lu.crt;
ssl_certificate_key /root/zoulu/zoulukey.pem;

The rest of the configuration is the same as for an ordinary site and is not repeated here.
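
Before restarting Nginx with this configuration, it helps to confirm that the merged certificate file starts with the certificate that belongs to the private key and that the CA certificate follows it. The script below is an added example, not part of the original article; the function names and exit codes are its own, and it assumes the openssl command-line tool and an unencrypted key.

```shell
#!/bin/sh
# Added example, not from the original article. Pre-flight check for the merged
# certificate file before ssl_certificate / ssl_certificate_key point at it.
# Function names and exit codes are this example's own.

# nth_cert FILE N: print the Nth PEM certificate found in FILE.
nth_cert() {
    awk -v n="$2" '/-----BEGIN CERTIFICATE-----/ { i++ } i == n { print }' "$1"
}

# check_bundle BUNDLE KEY
#   0  first certificate matches KEY and, if a second one follows, it is the issuer
#   1  first certificate does not belong to KEY (typical when the CA cert is first)
#   2  second certificate is not the issuer of the first
#   3  BUNDLE or KEY could not be parsed
check_bundle() {
    bundle=$1
    key=$2

    # openssl x509 reads only the first certificate in a file, the same one
    # Nginx will present as the server certificate.
    cert_pub=$(openssl x509 -noout -pubkey -in "$bundle" 2>/dev/null) || return 3
    key_pub=$(openssl pkey -pubout -in "$key" 2>/dev/null) || return 3
    [ "$cert_pub" = "$key_pub" ] || return 1

    count=$(grep -c -- '-----BEGIN CERTIFICATE-----' "$bundle")
    [ "$count" -ge 2 ] || return 0   # single certificate, no chain to check

    # The issuer name of certificate 1 must equal the subject name of certificate 2.
    issuer=$(nth_cert "$bundle" 1 | openssl x509 -noout -issuer_hash 2>/dev/null) || return 3
    next=$(nth_cert "$bundle" 2 | openssl x509 -noout -subject_hash 2>/dev/null) || return 3
    [ "$issuer" = "$next" ] || return 2
    return 0
}

# Usage with the article's paths:
#   check_bundle /root/zoulu/zou_lu.crt /root/zoulu/zoulukey.pem && killall -HUP nginx
```

Exit code 1 is what a file merged in the wrong order (CA certificate first) produces; Nginx itself rejects such a file with a key mismatch error at startup.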
IV. Test the result

There is no problem in the English version of Firefox, Chrome, Opera, Safari, or IE 6, 7 and 8. https://zou.lu/ has a problem in the Chinese version of Firefox 3.5.7. If you run into problems, check your system time. If the certificate is still not trusted, I'm not quite sure why; I'm sorry, but my ability is limited.
V. How to obtain a free certificate

The certificate for https://zou.lu/ was issued by PositiveSSL, a Comodo reseller. It can currently be obtained as follows:

Go to namecheap.com and register or transfer a domain name, or buy hosting space, and you get one; it is free for a year!

Note that the certificate issued after registering with Namecheap does not come with the certificate authority's PositiveSSLCA.crt, so I have put one here to make installation easier for everyone:

You can also try a StartSSL certificate. The drawback is that on old computers that have not been updated, IE 6 definitely does not trust it; see: http://blog.s135.com/startssl/

Finally, a trusted SSL certificate must have a dedicated IP; in other words, one IP can correspond to the certificate of only one domain name. Friends who like to tinker can get one and play with it.
