Nginx Configure SSL Certificate + method to build HTTPS Web site

Source: Internet
Author: User
Tags dot net join openssl ssl certificate nginx ssl

First, what is HTTPS?

According to Wikipedia's explanation:

Hypertext Transfer Security Protocol (abbreviation: HTTPS, English: Hypertext Transfer Protocol Secure) is a combination of Hypertext Transfer Protocol and SSL/TLS to provide encrypted communication and identification of network server identities. HTTPS connections are often used for transaction payments on the World Wide Web and for the transmission of sensitive information in enterprise information systems. HTTPS should not be mixed with the Secure Hypertext Transfer Protocol (S-HTTP) defined in RFC 2660.
HTTPS is now the first choice for all privacy and security sites, with the continuous development of technology, HTTPS site is no longer a large site patents, all ordinary personal webmaster and blog can build a secure encrypted website.

If a Web site is not encrypted, then all your account passwords are in clear text transmission. It is conceivable that if the privacy and financial issues involved, unencrypted transmission is a terrible thing.

Since the readers of this blog are close to the professionals, we no longer have to waste more words, directly into the business.

Ii. using OpenSSL to generate SSL Key and CSR

Because only the browser or the system trusted CA can let all visitors unobstructed access to your encrypted Web site, rather than appear the certificate error prompts. So we skip the steps from the visa book and start by signing the SSL certificate that the third party can trust.

OpenSSL is installed by default in conventional systems such as Linux, OS X, and because of some security issues, the current Third-party SSL certification authorities require a minimum of 2048-bit RSA encrypted private keys.

At the same time, the common SSL certificate authentication is divided into two forms, one is DV (domain validated), there is a OV (organization validated), the former only need to verify the domain name, the latter need to verify your organization or company, in terms of security, The latter must be better.

Whether you use DV or OV to generate the private key, you need to fill out some basic information, here we assume the following:

Domain name, also known as Common name, because a special certificate is not necessarily a domain name:

Organization or company name (organization): Example, Inc.

Department (Department): Can not fill in, here we write Web security

City: Beijing

Province (state/province): Beijing

Country (Country): CN

Encryption strength: 2048-bit, if your machine performance is strong, you can choose 4,096-bit

According to the above information, the command to generate key and CSR using OpenSSL is as follows

OpenSSL req-new-newkey rsa:2048-sha256-nodes-out example_com.csr-keyout example_com.key-subj "/C=CN/ST=Beijing/L=Be Ijing/o=example inc./ou=web security/ "
PS: If it is a generic domain name certificate, you should fill in the *

You can run this command anywhere in the system and automatically generate EXAMPLE_COM.CSR and example_com.key two files in the current directory

Next you can look at the EXAMPLE_COM.CSR and get a long string of text like this

-----BEGIN Certificate REQUEST-----
-----End Certificate REQUEST-----

This CSR file is what you need to submit to the SSL certification authority, and when your domain name or organization is validated, the certification authority will issue you with a EXAMPLE_COM.CRT

And Example_com.key is to be used in Nginx configuration and EXAMPLE_COM.CRT with the use of, need to take good care of, do not leak to any third party.

Third, Nginx configure HTTPS Web site and increase security configuration

As mentioned earlier, you will need to submit a CSR file to a third party SSL certification authority, after certification, they will issue you a CRT file, we named EXAMPLE_COM.CRT

Also, for the sake of unification, you can move all three files to the/etc/ssl/private/directory.

You can then modify the Nginx configuration file

server {
Listen 80;
Listen [::]:80 SSL Ipv6only=on;
Listen 443 SSL;
Listen [::]:443 SSL Ipv6only=on;

SSL on;

Check the configuration file and reread the Nginx.

Nginx-t && Nginx-s Reload

But this is not safe, the default is SHA-1 form, and now the mainstream of the scheme should be avoided SHA-1, in order to ensure greater security, we can take the Diffie–hellman-Herman key Exchange

First, enter the/etc/ssl/certs directory and generate a DHPARAM.PEM

OpenSSL dhparam-out DHPARAM.PEM 2048 # If your machine is strong enough, you can use 4,096-bit encryption.

After the build is completed, add the following Nginx SSL configuration

        ssl_prefer_server_ciphers on;
        ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
        ssl_ciphers "EECDH+ECDSA+AESGCM eecdh+arsa+aesgcm eecdh+ecdsa+ SHA384 eecdh+ecdsa+sha256 eecdh+arsa+sha384 eecdh+arsa+sha256 eecdh+arsa+rc4 eecdh edh+arsa!aNULL!eNULL! Low!3des! MD5! Exp! Psk! The SRP! Dss! RC4 ";
        keepalive_timeout 70;
        Ssl_session_cache shared:ssl:10m;
        ssl_session_timeout 10m;
at the same time, if you are all-station HTTPS and do not consider HTTP, you can join HSTs to tell your browser this site full station encryption, and forced to use HTTPS access

Add_header strict-transport-security max-age=63072000;
Add_header x-frame-options DENY;
Add_header x-content-type-options Nosniff;
At the same time can also open a separate Nginx configuration, HTTP access requests are 301 to the HTTPS

server {
Listen 80;
Listen [::]:80 Ipv6only=on;
return to Https://$request_uri;

Four, reliable Third-party SSL issuing agency

As we all know, some NIC agencies have burst into a scandal over the issuance of certificates for Google domain names, so it is important to select a reliable Third-party SSL issuer.

At present, the general market for small and medium-sized owners and enterprises of the SSL certification authorities are:


Comodo/Sub-brand Positive SSL

GlobalSign/Sub Brand Alphassl

GeoTrust/Sub Brand RapidSSL

Which Postivie SSL, Alphassl, RAPIDSSL, etc. are sub brands, are generally three level four certificate, so you will need to increase the CA certificate chain to your CRT file.

Take Comodo Positive SSL For example, you need to concatenate CA certificates, assuming your domain name is

So, the concatenation of the commands is

Cat Example_com.crt comodorsadomainvalidationsecureserverca.crt COMODORSAADDTRUSTCA.CRT ADDTRUSTEXTERNALCAROOT.CRT > EXAMPLE_COM.SIGNED.CRT

Use EXAMPLE_COM.SIGNED.CRT in Nginx configuration

If it is a common aplhassl generic domain name certificate, they are not sent to you CA certificate chain, then you need to join the Alphassl CA certificate chain after your CRT file

Alphassl Intermediate CA

Five, EV SSL for the Enterprise

EV SSL, the abbreviation of Extended Validation, is more focused on the security of corporate websites and strict certification.

The most obvious difference is that usually the EV SSL display is a green bar, such as the SSL certificate for this site is EV SSL.

If you would like to obtain professional EV SSL, you can always contact us at cat Dot net

Contact Us

The content source of this page is from Internet, which doesn't represent Alibaba Cloud's opinion; products and services mentioned on that page don't have any relationship with Alibaba Cloud. If the content of the page makes you feel confusing, please write us an email, we will handle the problem within 5 days after receiving your email.

If you find any instances of plagiarism from the community, please send an email to: and provide relevant evidence. A staff member will contact you within 5 working days.

A Free Trial That Lets You Build Big!

Start building with 50+ products and up to 12 months usage for Elastic Compute Service

  • Sales Support

    1 on 1 presale consultation

  • After-Sales Support

    24/7 Technical Support 6 Free Tickets per Quarter Faster Response

  • Alibaba Cloud offers highly flexible support services tailored to meet your exact needs.