Nginx + HTTPS + Free SSL certificate configuration Guide

Source: Internet
Author: User
Tags: openssl, openssl rsa, openssl x509, free ssl, free ssl certificate, ssl certificate, nginx ssl, microsoft patch

For the directive reference, see the Nginx wiki: http://wiki.nginx.org/NginxHttpSslModule

Generate the certificate:

$ cd /usr/local/nginx/conf
$ openssl genrsa -des3 -out server.key 1024
$ openssl req -new -key server.key -out server.csr
$ cp server.key server.key.org
$ openssl rsa -in server.key.org -out server.key
$ openssl x509 -req -days 365 -in server.csr -signkey server.key -out server.crt

The genrsa step creates a passphrase-protected key (-des3); the cp/rsa pair strips that passphrase again so that nginx can start unattended, and the final x509 -req step self-signs the request for 365 days. Two caveats for anyone following this today: 1024-bit RSA keys are rejected by current browsers and public CAs, so use at least 2048 bits, and since the passphrase is removed two commands later you can skip it entirely (openssl genrsa -out server.key 2048).

Edit nginx.conf:

server {
    server_name your_domainname_here;
    listen 443 ssl;
    ssl_certificate     /usr/local/nginx/conf/server.crt;
    ssl_certificate_key /usr/local/nginx/conf/server.key;
}

(The original configuration used "listen 443;" together with a separate "ssl on;" directive. That directive was deprecated in nginx 1.15.0 and removed in 1.25.1, so the ssl parameter on listen is used here.)

That is all it takes. The connection is now encrypted, but the certificate is self-signed and no browser trusts it, so it is only good for testing; to get a certificate browsers trust, read on.

The following content is reproduced from:
http://goo.gl/YOb5
http://goo.gl/Gftj

HTTPS (Hypertext Transfer Protocol over Secure Socket Layer) is HTTP carried over a security-oriented channel; put simply, the secure version of HTTP. It is HTTP with an SSL layer added, so its security rests entirely on SSL (today, TLS); for the details of the encryption, see SSL.

It is a URI scheme whose syntax resembles that of http:. An https: URL means the data is still HTTP, but carried over an encryption/authentication layer that sits between HTTP and TCP, on a default port (443) that differs from HTTP's (80). The scheme was originally developed by Netscape, provides both authentication and encryption, and is now used wherever web communication is security-sensitive, such as payments.

1. Issuing an SSL certificate that browsers do not trust:
The SSL certificate for HTTPS can be issued by yourself; under Linux the steps are:

$ openssl genrsa -des3 -out api.bz.key 1024
$ openssl req -new -key api.bz.key -out api.bz.csr
$ openssl rsa -in api.bz.key -out api.bz_nopass.key
$ openssl x509 -req -days 365 -in api.bz.csr -signkey api.bz_nopass.key -out api.bz.crt

(The last, self-signing step is the same one shown in the first section; it produces the api.bz.crt that the configuration below refers to.)

nginx.conf SSL certificate configuration. It uses api.bz_nopass.key so that nginx does not prompt for the key passphrase on start; with api.bz.key you would have to type the passphrase every time nginx starts:

server {
    server_name sms.api.bz;
    listen 443 ssl;
    index index.html index.htm index.php;
    root /data0/htdocs/api.bz;
    ssl_certificate     api.bz.crt;
    ssl_certificate_key api.bz_nopass.key;
    ......
}

A self-issued (self-signed) certificate does encrypt the connection, but browsers do not trust it and show a warning that the certificate's issuer is unknown, as in the following prompt (the screenshot is not reproduced in this copy):
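As an added example (not part of the original article, nor StartSSL or nginx documentation), the following POSIX shell script does what the commands above do, but the way a practitioner would today: a 2048-bit key with no passphrase, a subjectAltName (browsers ignore the CN on its own), and three checks worth running before pointing nginx at the files: that the private key actually belongs to the certificate, that the certificate is self-signed (which is exactly why the browser warns), and what key size was issued. It assumes the openssl command-line tool is installed; the host name example.test and the temporary directory are placeholders.

```shell
#!/bin/sh
# Added example, not from the original article: generate a self-signed
# server certificate and run the checks that catch the usual mistakes.
# Assumes the openssl CLI; example.test and all paths are placeholders.
set -eu

# gen_selfsigned DIR HOSTNAME
# Writes DIR/server.key (2048-bit RSA, no passphrase, so nginx can start
# unattended) and DIR/server.crt (self-signed, with a subjectAltName).
gen_selfsigned() {
    dir=$1; host=$2
    cat > "$dir/req.cnf" <<EOF
[ req ]
distinguished_name = dn
x509_extensions    = v3_server
prompt             = no
[ dn ]
CN = $host
[ v3_server ]
subjectAltName   = DNS:$host, DNS:www.$host
basicConstraints = CA:FALSE
keyUsage         = digitalSignature, keyEncipherment
extendedKeyUsage = serverAuth
EOF
    # -x509 makes req emit a self-signed certificate instead of a CSR;
    # -nodes leaves the key unencrypted, replacing the article's
    # genrsa -des3 / cp / rsa round trip.
    openssl req -x509 -new -newkey rsa:2048 -nodes -days 365 \
        -config "$dir/req.cnf" \
        -keyout "$dir/server.key" -out "$dir/server.crt" 2>/dev/null
    chmod 600 "$dir/server.key"
}

# cert_key_match CRT KEY: succeed only if the private key belongs to the
# certificate (the RSA modulus must be identical in both).
cert_key_match() {
    c=$(openssl x509 -in "$1" -noout -modulus)
    k=$(openssl rsa  -in "$2" -noout -modulus 2>/dev/null)
    [ -n "$c" ] && [ "$c" = "$k" ]
}

# cert_is_self_signed CRT: true when issuer == subject, which is why a
# browser has nothing to chain it to and refuses to trust it.
cert_is_self_signed() {
    s=$(openssl x509 -in "$1" -noout -subject | sed 's/^subject=//')
    i=$(openssl x509 -in "$1" -noout -issuer  | sed 's/^issuer=//')
    [ "$s" = "$i" ]
}

# cert_key_bits CRT: print the RSA key size; anything below 2048 is
# rejected by current browsers and CAs.
cert_key_bits() {
    openssl x509 -in "$1" -noout -text |
        sed -n 's/.*Public-Key: (\([0-9]*\) bit).*/\1/p'
}

# Usage: sh selfsigned.sh demo
if [ "${1:-}" = "demo" ]; then
    tmp=$(mktemp -d)
    gen_selfsigned "$tmp" example.test
    echo "key bits: $(cert_key_bits "$tmp/server.crt")"
    cert_key_match "$tmp/server.crt" "$tmp/server.key" && echo "key matches certificate"
    cert_is_self_signed "$tmp/server.crt" && echo "self-signed: browsers will warn"
    # The only way 'openssl verify' accepts it is to trust it explicitly,
    # which is exactly what a browser will not do:
    openssl verify -CAfile "$tmp/server.crt" "$tmp/server.crt"
    rm -rf "$tmp"
fi
```

Point ssl_certificate and ssl_certificate_key at the two files the script writes; the warning the browser shows is the expected outcome of cert_is_self_signed returning true.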

2. A browser-trusted free SSL certificate from StartSSL:
Like VeriSign, StartSSL (web site: http://www.startssl.com, company name: StartCom) is a CA; its root certificate has long been trusted by browsers such as Firefox, Google Chrome and Apple Safari.

In September of that year StartSSL got Microsoft on board as well: in an update patch Microsoft refreshed the vendor list of the Windows Root Certificate Program and included StartCom for the first time, the first time a vendor of free digital certificates had been admitted to the root program. As a result, Windows 7, Windows Vista and Windows XP systems with the patch applied fully trust certificates issued by StartCom, which means StartSSL certificates are also accepted by IE.

After registering as a StartSSL (http://www.startssl.com) user and verifying your email address, you can apply for a free, trusted SSL certificate. The procedure is somewhat involved and is not covered in full here; the main steps of the request wizard are as follows:

StartSSL was added in the September Microsoft patch update, so StartSSL certificates are now recognized.

The application process at startssl.com is as follows.

My environment is Windows 7

Do not use Chrome or IE8, or you will not be able to generate the key and the request will fail. Firefox is recommended.

I also had a small accident: I was on a mobile network, my IP was misjudged as Australian, and I received an email asking for an explanation.

I sent them the APNIC query address and the query result, and the account application was approved.

In Control Panel / Sign-up, take care to fill in correct information. Copy the authentication code from the email you receive. You can then generate a certificate; note that startssl.com does not authenticate users with a user name and password but with this client certificate installed in the browser.

So after the certificate has been generated (Firefox imports it automatically), back it up carefully: if you lose it, the only way back in is to register again.

After logging in, validate the domain name for which the SSL certificate is to be issued; for the validation mail you can choose the address in the domain's WHOIS record, or hostmaster@domain, postmaster@domain or webmaster@domain.

You can then apply for the SSL certificate in the Certificates Wizard.

Valid for one year.

====== 2009/11/26 update ======

Toolbox

The private key generated during the application is passphrase-protected; use Decrypt Private Key in the Toolbox to remove the passphrase, and save the resulting key.

Then, under Retrieve Certificate, select the domain name you applied for to get the .cer file; save it and put it in nginx's conf directory.

In nginx.conf configure:

server {
    server_name security.meettea.com;
    listen 443 ssl;
    index index.html index.htm index.php;
    root /data0/htdocs/security.meettea.com;
    ssl_certificate     security.cer;
    ssl_certificate_key security.key;
}

$ nginx -s reload

If this prints nothing, the configuration has been loaded. (nginx -t checks the configuration for syntax errors first, without reloading.)

Unfortunately, a test with Firefox 3.5 shows that it does not trust the Class 1 certificate.

==============2009/11/26 update===================

In the StartSSL forum an official reply explains that Firefox 3.5 is "not supported" only because the server is not configured correctly. The following configuration fixes Firefox 3.5 not trusting the certificate; tested successfully on Ubuntu Studio.

The steps are: download https://www.startssl.com/certs/ca.pem (the StartCom root certificate) and https://www.startssl.com/certs/sub.class1.server.ca.pem (the Class 1 intermediate), then append them to the server certificate, intermediate first:

$ cat sub.class1.server.ca.pem ca.pem >> security.cer

Order matters: nginx sends the file from top to bottom, and each certificate must be followed by the one that signed it, so the file has to read server certificate, then the Class 1 intermediate, then the root. The root may be left out altogether, since browsers already have it. Run the command once only; >> appends, so a second run duplicates the certificates.

This is necessary because your certificate was issued by the StartSSL Class 1 intermediate, which in turn was issued by the StartCom root. Firefox 3.5 ships the root but not the intermediate, so the server has to send the intermediate for the browser to build the chain from your certificate up to the root it trusts. :)
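The ordering of that concatenation is worth checking by hand rather than trusting a browser that happens to be tolerant. The following POSIX shell script is an added example, not code from the original article or from StartSSL: it builds a throwaway root -> intermediate -> server hierarchy with openssl (the CA names and security.example.test are placeholders), assembles the bundle in the right order and in the wrong order, checks that every certificate in a bundle is followed by its issuer, and verifies the server certificate the way a browser does. It assumes the openssl command-line tool is installed.

```shell
#!/bin/sh
# Added example, not from the original article: build a test CA hierarchy,
# then check a PEM bundle in the order nginx sends it. Assumes the openssl
# CLI; "Test Root CA", "Test Intermediate CA" and security.example.test are
# placeholders.
set -eu

# make_hierarchy DIR: writes root.crt, int.crt and leaf.crt (plus keys) to DIR.
make_hierarchy() {
    d=$1
    cat > "$d/ext.cnf" <<'EOF'
[ req ]
distinguished_name = dn
prompt = no
[ dn ]
CN = placeholder
[ v3_root ]
basicConstraints = critical, CA:TRUE
keyUsage = critical, keyCertSign, cRLSign
subjectKeyIdentifier = hash
[ v3_intermediate ]
basicConstraints = critical, CA:TRUE, pathlen:0
keyUsage = critical, keyCertSign, cRLSign
subjectKeyIdentifier = hash
[ v3_leaf ]
basicConstraints = CA:FALSE
keyUsage = digitalSignature, keyEncipherment
extendedKeyUsage = serverAuth
subjectAltName = DNS:security.example.test
EOF
    # Root: self-signed CA certificate.
    openssl req -x509 -new -newkey rsa:2048 -nodes -days 30 \
        -config "$d/ext.cnf" -extensions v3_root -subj "/CN=Test Root CA" \
        -keyout "$d/root.key" -out "$d/root.crt" 2>/dev/null
    # Intermediate: CSR signed by the root (what sub.class1.server.ca is).
    openssl req -new -newkey rsa:2048 -nodes -config "$d/ext.cnf" \
        -subj "/CN=Test Intermediate CA" -keyout "$d/int.key" -out "$d/int.csr" 2>/dev/null
    openssl x509 -req -days 30 -in "$d/int.csr" -CA "$d/root.crt" -CAkey "$d/root.key" \
        -CAcreateserial -extfile "$d/ext.cnf" -extensions v3_intermediate \
        -out "$d/int.crt" 2>/dev/null
    # Server ("leaf") certificate: CSR signed by the intermediate.
    openssl req -new -newkey rsa:2048 -nodes -config "$d/ext.cnf" \
        -subj "/CN=security.example.test" -keyout "$d/leaf.key" -out "$d/leaf.csr" 2>/dev/null
    openssl x509 -req -days 30 -in "$d/leaf.csr" -CA "$d/int.crt" -CAkey "$d/int.key" \
        -CAcreateserial -extfile "$d/ext.cnf" -extensions v3_leaf \
        -out "$d/leaf.crt" 2>/dev/null
}

# build_chain LEAF INTERMEDIATE [ROOT]: the ssl_certificate file, server
# certificate first. The root is optional: browsers already have it.
build_chain() { cat "$@"; }

# chain_order_ok BUNDLE: split the bundle and require issuer(i) == subject(i+1)
# for every adjacent pair, which is the order TLS clients expect.
chain_order_ok() {
    tmp=$(mktemp -d)
    awk -v d="$tmp" '/-----BEGIN CERTIFICATE-----/{n++} n>0 {print > (d "/c" n ".pem")}' "$1"
    n=$(ls "$tmp" | wc -l | tr -d ' ')
    i=1
    while [ "$i" -lt "$n" ]; do
        issuer=$(openssl x509 -in "$tmp/c$i.pem" -noout -issuer | sed 's/^issuer=//')
        next_subject=$(openssl x509 -in "$tmp/c$((i+1)).pem" -noout -subject | sed 's/^subject=//')
        if [ "$issuer" != "$next_subject" ]; then
            echo "certificate $i is not followed by its issuer (certificate $((i+1)))" >&2
            rm -rf "$tmp"; return 1
        fi
        i=$((i+1))
    done
    rm -rf "$tmp"
}

# verify_leaf ROOT INTERMEDIATE LEAF: the path validation a browser performs,
# trusting only the root and taking the intermediate from the server.
verify_leaf() {
    openssl verify -CAfile "$1" -untrusted "$2" "$3" 2>&1 | grep -q ': OK$'
}

# Usage: sh chain.sh demo
if [ "${1:-}" = "demo" ]; then
    w=$(mktemp -d)
    make_hierarchy "$w"
    # Server, root, intermediate is the wrong order:
    build_chain "$w/leaf.crt" "$w/root.crt" "$w/int.crt" > "$w/wrong.pem"
    chain_order_ok "$w/wrong.pem" || echo "wrong.pem: out of order"
    # Server, intermediate is what ssl_certificate should contain:
    build_chain "$w/leaf.crt" "$w/int.crt" > "$w/security.cer"
    chain_order_ok "$w/security.cer" && echo "security.cer: order OK"
    verify_leaf "$w/root.crt" "$w/int.crt" "$w/leaf.crt" && echo "leaf chains to the root"
    rm -rf "$w"
fi
```

Run chain_order_ok against the real security.cer after appending the StartSSL certificates; if it reports a certificate not followed by its issuer, the cat order above was reversed.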

Opera also fails the test; on this point even startssl.com itself has not got Opera to work.

Tags: https, Nginx, SSL, Startssl

This article address: http://www.21andy.com/new/20100224/1714.html
