How to configure an SSL Certificate in nginx

1. Configure the SSL module for nginx
Nginx does not have an SSL module by default, while nginx 0.7.63 is installed in my VPs by default. The following describes how to upgrade nginx to 0.7.64 and configure the SSL module:
Download nginx 0.7.64 and decompress it to the decompressed directory: CopyCode The Code is as follows: wget http://sysoev.ru/nginx/nginx-0.7.64.tar.gz
Tar zxvf nginx-0.7.64.tar.gz
CD nginx-0.7.64

If you want to change the header information,Copy codeThe Code is as follows: VI src/CORE/nginx. h
# Define nginx_version "0.7.62"
# Define nginx_ver "nginx/" nginx_version

Modify the above version and nginx by yourself
Compile
[Code]
./Configure -- user = WWW -- group = WWW -- prefix =/usr/local/nginx -- with-http_stub_status_module -- with-http_ssl_module
Make
Make
Do not make install

Because it is a small website and does not need to be upgraded smoothly, killall-hup nginx can be restarted directly.
OK. After upgrading and installing the SSL module, I changed nginx to zoulu:

How about it? It has a personality!

2. Use OpenSSL to generate a certificate

① Generation of RSA keys
OpenSSL genrsa-out privkey. pem 2048

Some certificates require 1024, so you must:
OpenSSL genrsa-out privkey. pem 1024

② Generate a certificate request
OpenSSL req-New-key privkey. pem-out cert. CSR

Will prompt to enter the province, city, domain name information, etc., it is important that email must be your domain name suffix, such as webmaster@zou.lu and can accept the mail!

In this way, there is a CSR file, which is the CSR file when it is submitted to the SSL provider.

(Source: http://www.lsproc.com/blog/nginx_ssl_config)

Direct cat cert. CSR

Get a large string of characters, such:
----- Begin certificate request -----
Miibstc?caqawctelmakga1uebhmcq04xczajbgnvbagtakhcmqwwcgydvqqh
Ewntsloxdzanbgnvbaotbkzhbmzvdtesmbaga1ueaxmjzzfuzm91lmrlmsiwiayj
Bytes
A4gnadcbiqkbgqc5l4pmzg6tcipduefxq5gslxn1jeqdbmus + peapehmnoxe + r4k
Vkqujzlj5o3ltqgjzyrcifru8nryqsxat/5ijefws7nimsx8kpkqq71bjazsizj +
Cdld1_j1m/srjtsnrfyj4rffs1fxq7uedyreux7fyaljx70jpssgbogwrqidaqab
Bytes
Fcwqyhpzwkupp3wfubhy80iwtfjlgltsynze7fzlv1_nfklnaylyewdy7nukjny
Pcbyqpjjxdal3jcun0nlltsxtqpr + ab8va/bao5hp9h1rpsrttdsjd2fc/owrv1
Bfrujna =
----- End certificate request -----

You can submit the certificate to your SSL provider. Generally, the certificate will be sent to you in half an hour to one day,

Upload All files to a specific directory. For example, if I upload all files to/root/zoulu/

Here, zoulukey. PEM and zoulucert. CSR are generated in VPS, and the rest are issued by the certificate issuing authority.

Generally, you can directly use the CRT file issued by the certificate issuing authority, such as zou_lu.crt. However, many certificate issuing authority do not trust it by default in the Firefox Chinese version. After careful research, finally, we found that we had to put the certificate issuing authority into your CRT file.

The method is as follows:

Merge positivesslca. CRT (Certificate Authority CRT) and zou_lu.crt (self-domain CRT)

Cat zou_lu.crt> positivesslca. CRT

MV positivesslca. CRT zou_lu.crt

Alternatively, open it directly in notepad, and copy all the content in positivesslca. CRT to the bottom of zou_lu.crt.

(Source: http://www.lsproc.com/blog/nginx_ssl_config)

③ Modify nginx Configuration

Listen 443;
SERVER_NAME Zou. Lu;
Index index.html index.htm index. php;
Root/home/zoulu;
Error_page 404 403 http://zou.lu;

SSL on;
Ssl_certificate/root/zoulu/zou_lu.crt;
Ssl_certificate_key/root/zoulu/zoulukey. pem;

Other configuration information is the same as that of a common site.
Iv. Access test results

In Firefox English version/Chrome/Opera/Safari/IE 6, 7, 8 under all no problem, https://zou.lu/in Firefox 3.5.7 Chinese Version no problem, encountered problems with children's shoes, check your system time. If you still don't trust it, I am not very clear. Sorry, the capability is limited.
5. How to obtain a free certificate

The https://zou.lu/certificate is issued by positivessl, A comodo reseller and can be obtained through:

Register at namecheap.com, transfer a domain name, or purchase a space. It is free for one year!

Note that the certificate issued after namecheap registration does not have the positivesslca. CRT of the certificate issuing authority. Here I will put one for your convenience:
----- Begin certificate -----
Miifazcca + ugawibagiqtm1kmltfeygmz5aviytrctanbgkqhkig9w0baqufadcb
Lzelmakga1uebhmcvvmxczajbgnvbagtalvumrcwfqydvqqhew5tywx0iexha2ug
Q2l0eteembwga1uechmvvghlifvtrvjuulvtvcbozxr3b3jrmsewhwydvqqlexho
Bytes
Sgfyzhdhcmuwhhcnmdywote4mdawmdawwhcnmjawnmwmta0odm4wjbxmqswcqyd
Bytes
Bytes
Bytes
Ippjkd5seqavwkkgitctvr4q57h/4oyqpoxe6esswjzudfmxukgefzfv78luacay
Bytes
Jotek1qwoopq6yj7kcpnmpxit4o2h65pxci12f2 + p9gnncysew3aacezcpopabuw
Pbdf6wkahd9u7/zjlbthxrhm9/lx9uljah4sdt6nfqdkoj32cuh5jayifverip9w
Xgkxwfqcbwi0kyhimpfqhaysexjbnmbhqhslewln8qntul2piddi2l8dm53x5gv +
Bytes
Bytes
Aqh/baqdagegmbiga1udeweb/wqimaybaf8caqewewydvr0fbhqwcja4odagniyy
Bytes
Bytes
Bytes
Bytes
Bytes
Y3j0ma0gcsqgsib3dqebbquaa4ibaqadtof5gehd7fpawx3jt ++ gfclse0kwdtgm
Mvzn2odkjq8sfqralziaoz4hzaoxw5v + qbz9fgkggm2smexq8raeisy9wygn6oj5
Qz2qpmuz8oz1_mvbrflqnkfp05jfdbdx4/oil9lbeauttf37r0qhujop2ot2muz
Jgfibfzkhwadtjjnn0ijf9dfqwp2bnstuy9u3mi + 6 vhyntjzf/tqkvcl/w8nijyu
Zg5g8t6p2jt9hpos/pqykw + RAR + lqi/jjjkfxbkqdlnioeesdjblu30fko5wpa8y
Z0nf1r7cqjgrteedguwurmlvygpui3tbmfymyb95hlcptqnjuhvi
----- End certificate -----

You can also try startssl certificate, the disadvantage is in the old computer, without updating the case, ie 6 is absolutely do not trust him, see: http://blog.s135.com/startssl/

Finally, it should be declared that a trusted SSL certificate must have an independent IP address, or that an IP address can only correspond to a certificate for one domain name. You can have fun with your friends.