Nginx Configure SSL certificate + Build HTTPS website tutorial

Source: Internet
Author: User
Tags ssl certificate nginx ssl

First, what is HTTPS?

According to Wikipedia's explanation:

Hypertext Transfer Security Protocol (abbreviated: HTTPS, English: Hypertext Transfer Protocol Secure) is a combination of Hypertext Transfer Protocol and SSL/TLS to provide encrypted communication and authentication of network server identities. HTTPS connections are often used for transactional payments on the World Wide Web and for the transmission of sensitive information in enterprise information systems. HTTPS should not be mixed with the Secure Hypertext Transfer Protocol (S-HTTP) defined in RFC 2660.

HTTPS is now the first choice for all privacy and security-oriented sites, with the continuous development of technology, HTTPS website is no longer a large website patent, all ordinary personal webmaster and blog can build a secure encrypted website.

If a website is not encrypted, all your account passwords are transmitted in clear text. It is conceivable that if it comes to privacy and financial issues, unencrypted transmissions are a horrible thing.

Since the readers of this blog are close to the professionals, we don't have to bother to go straight to the chase.

Ii. using OpenSSL to generate SSL Key and CSR

Because only the browser or the system trusted CA can let all visitors unobstructed access to your encrypted site, rather than a certificate error prompts. So we skip the steps from the visa book and start signing up for a third-party trusted SSL certificate.

OpenSSL is installed by default on Linux, OS X, and other conventional systems, because of some security issues, typically the current third-party SSL certificate Authority requires at least 2048 bits of RSA encrypted private key.

At the same time, the common SSL certificate authentication in two forms, one is DV (domain Validated), and the other is OV (Organization Validated), the former only need to verify the domain name, the latter need to verify your organization or company, in terms of security, Certainly the latter is better.

Whether you use DV or OV to generate the private key, you need to fill in some basic information, here we assume the following:

Domain name, also known as Common name, because a special certificate is not necessarily a domain name:

Organization or company name (Organization): Example, Inc.

Department (Department): Can not fill, here we write Web Security

City: Beijing

Province (state/province): Beijing

Country (country): CN

Encryption strength: 2048-bit, if your machine performance is strong, you can choose 4,096-bit

Following the above information, the commands to generate key and CSR using OpenSSL are as follows

" /c=cn/st=beijing/l=beijing/o=example inc./ou=web security/ "

PS: If it is a generic domain name certificate, you should fill in *

You can run this command from anywhere in the system and automatically generate EXAMPLE_COM.CSR and example_com.key two files in the current directory

Next you can look at EXAMPLE_COM.CSR and get a long string of text like this

-----BEGIN CERTIFICATE REQUEST-----Miicujccaaicaqawdtelmakga1uebhmcq04xedaobgnvbagtb0jlawppbmcxedao  Bgnvbactb0jlawppbmcxftatbgnvbaotdev4yw1wbgugsw5jljevmbmga1uecxmm V2VIIFNLY3VYAXR5MRQWEGYDVQQDEWTLEGFTCGXLLMNVBTCCASIWDQYJKOZIHVCN AQEBBQADGGEPADCCAQOCGGEBAPME+nvvcdgn9vwn+VP7JKMOODPOURYMPVCLIBSI ID7MGN982OCL22O9WCV/4tl6dptcxfnx+ewd7cnekt4i+jygqllqp3/Cojhkemiy sf3jwncvp6vost/HSZEMYNB71XWYNXFCGQSYE3QJXMQ9AE38H2LIPCLLFD1L7IVP Ax4i2+hvgthfzb0xnmmlzq4hyvueimoywizx8hq+kweahkpbdfawkocirkbolfew sejlyhy+Nruxutmqx1d7lzzcxut5sm5at9al0bf5foaajyltewnepfkp3l29gtou QG1T9Q8WUFIFK9VXQQQWG8J1MUK7KKSNBYCOPNNGPX36KZSCAWEAAAAAMA0GCSQG sib3dqebbquaa4ibaqchgiuhpcgrsnwduw6731/devwq2x3zrqrbuj9/M8oonqen 1QIacBifEMr+ma+c+wipt3bhvtxef8ccajar9sq4svy7m0w25dwrwawijxcf/j8u audl/029ckauewfcdbiltraaedqxsasuyibigtit+uqi+epgg4olykk/MF13FXDJ/okyrsjdtp1xr9r7iqgcs/zl5qwmdaln7/qxbk6vx2r/HLHOK0AKI1ZQ4CZEP7MR8EZJDIAKO87NB/aisfykrt6ze3jof0/vnnpw7pmvhq+FOLWDTVXDDJD9DPR2X1NC y5hnop4k6kvrxdjq4otduqq4p+szu4hb41giqez4-----END CERTIFICATE REQUEST-----

This CSR file is what you need to submit to the SSL certification authority, and when your domain name or organization is verified, the certification authority will issue you a EXAMPLE_COM.CRT

and Example_com.key need to use in the Nginx configuration and EXAMPLE_COM.CRT in conjunction with the need for safekeeping, do not disclose to any third party.

Third, Nginx configuration HTTPS website and increase the security configuration

As mentioned earlier, you need to submit a CSR file to a third-party SSL certification Authority, after certification, they will issue you a CRT file, which we named EXAMPLE_COM.CRT

Also, for the sake of unification, you can move all three files to the/etc/ssl/private/directory.

You can then modify the Nginx configuration file

server {      a;    Listen [::]:SSL ipv6only= on;      443 SSL;    Listen [::]:443 SSL ipv6only= on;    server_name;    SSL on;     /etc/ssl/private/example_com.crt;     /etc/ssl/private/Example_com.key;}

Detect the configuration file and re-read the Nginx.

Nginx-t && Nginx-s Reload

But this is not safe, the default is SHA-1 form, and now the mainstream solution should be avoided SHA-1, in order to ensure stronger security, we can take Deffee-Herman key Exchange

First, enter the/etc/ssl/certs directory and generate a DHPARAM.PEM

cd/etc/ssl/certs  #  If your machine performance is strong enough, you can use 4,096-bit encryption

After the build is complete, add the following in the Nginx SSL configuration

ssl_prefer_server_ciphers on;         /etc/ssl/certs/Dhparam.pem;        Ssl_protocols TLSv1 TLSv1. 1 TLSv1.2;         " eecdh+ecdsa+aesgcm eecdh+arsa+aesgcm eecdh+ecdsa+sha384 eecdh+ecdsa+sha256 eecdh+arsa+sha384 EECDH+aRSA+SHA256 EECDH+ARSA+RC4 EECDH edh+arsa!anull!enull! Low!3des! MD5! Exp! Psk! SRP! Dss! RC4";         ;        Ssl_session_cache shared:ssl:10m;        Ssl_session_timeout 10m;

At the same time, if it is the whole station HTTPS and do not consider HTTP, you can join HSTS to tell your browser this website full station encryption, and forced to use HTTPS access

Add_header strict-transport-security max-age=63072000;        Add_header X-frame-Options DENY;        Add_header X-content-type-options Nosniff;

At the same time can also open a single Nginx configuration, HTTP access requests are used 301 to jump to HTTPS

server {          a;        Listen [::]:SSL ipv6only= on;        server_name;         return 301$request_uri;}

Iv. reliable third-party SSL issuing authority

As we all know, a NIC agency has had a scandal about issuing a certificate for Google domain names, so it's important to choose a reliable third-party SSL issuing agency.

At present, the general market for small and medium-sized webmaster and Enterprise SSL certification authorities are:


Comodo/Sub-brand Positive SSL

GlobalSign/Sub-brand Alphassl

GeoTrust/Sub-brand RapidSSL

Which Postivie SSL, Alphassl, RAPIDSSL, etc. are sub-brand, is generally three level four certificate, so you will need to increase the CA certificate chain into your CRT files.

Take Comodo Positive SSL as an example, you need to concatenate the CA certificate, assuming your domain name is

Then, the concatenation command is

Cat Example_com.crt comodorsadomainvalidationsecureserverca.crt COMODORSAADDTRUSTCA.CRT ADDTRUSTEXTERNALCAROOT.CRT > EXAMPLE_COM.SIGNED.CRT


Use EXAMPLE_COM.SIGNED.CRT in Nginx configuration

If it is common aplhassl generic domain name certificate, they will not send you the CA certificate chain, then you need to join the Alphassl CA certificate chain after your CRT file

Alphassl Intermediate CA

Nginx Configure SSL certificate + Build HTTPS website tutorial

Related Article

Contact Us

The content source of this page is from Internet, which doesn't represent Alibaba Cloud's opinion; products and services mentioned on that page don't have any relationship with Alibaba Cloud. If the content of the page makes you feel confusing, please write us an email, we will handle the problem within 5 days after receiving your email.

If you find any instances of plagiarism from the community, please send an email to: and provide relevant evidence. A staff member will contact you within 5 working days.

A Free Trial That Lets You Build Big!

Start building with 50+ products and up to 12 months usage for Elastic Compute Service

  • Sales Support

    1 on 1 presale consultation

  • After-Sales Support

    24/7 Technical Support 6 Free Tickets per Quarter Faster Response

  • Alibaba Cloud offers highly flexible support services tailored to meet your exact needs.