Install SSL/TLS Certificates in Nginx Web Server - CentLinux


Tuesday, 21 July 2020

Install SSL/TLS Certificates in Nginx Web Server


In this article, you will learn how to generate and install SSL/TLS certificates in the Nginx web server.

This article has two sections: one covers the configuration of self-signed SSL/TLS certificates, and the other covers the installation of CA-signed SSL/TLS certificates on the Nginx web server.

We have been writing articles on the Nginx web server for a long time, but we usually configure the Nginx websites in plain text, i.e. HTTP, because we do not want to divert the readers' focus from the main topic of each article.

Besides that, we always recommend that system administrators configure their websites with HTTPS, especially those with an authentication system or a login form.

For this reason, we are now writing a separate article on the installation of SSL/TLS certificates in the Nginx web server. You may also find a similar article on our blog on how to install SSL/TLS certificates on the Apache web server.


What is an SSL/TLS Certificate?

SSL stands for Secure Sockets Layer. It is a global standard security technology that enables encrypted communication between a web browser and a web server.

TLS stands for Transport Layer Security. It is the successor of SSL, and a more secure and up-to-date variant of the protocol.

Millions of websites and web applications use SSL/TLS certificates to keep user data secure, verify ownership of the website, prevent attackers from creating a fake version of the site, and gain user trust.

We recommend a very good book to the readers of this article, Bulletproof SSL and TLS by Ivan Ristic, for understanding and deploying SSL/TLS and PKI to secure servers and web applications.


Environment Specification:

We are using a minimal CentOS 8 KVM guest with the following specification.

  • CPU - 3.4 GHz (2 cores)
  • Memory - 2 GB
  • Storage - 20 GB
  • Operating System - CentOS Linux 8.2
  • Hostname - nginx-01.centlinux.com
  • IP Address - 192.168.116.206/24


Install Nginx Web Server on CentOS 8:

First of all, you need to install the Nginx web server on your Linux operating system. You need a working instance of the Nginx web server so that you can convert the existing websites from HTTP to HTTPS by means of an SSL/TLS certificate.

Connect to nginx-01.centlinux.com as the root user using an SSH client.

Verify the Linux operating system and kernel version.

# uname -a
Linux nginx-01.centlinux.com 4.18.0-193.6.3.el8_2.x86_64 #1 SMP Wed Jun 10 11:09:32 UTC 2020 x86_64 x86_64 x86_64 GNU/Linux

# cat /etc/redhat-release
CentOS Linux release 8.2.2004 (Core)

Here, we are using the CentOS Linux 8.2 operating system, but the steps you will perform are almost the same on other platforms.

In CentOS / RHEL 8, Nginx is provided in the form of modules in the default yum repositories. List the available versions of the module.

# dnf module list nginx
Last metadata expiration check: 0:06:07 ago on Sun 19 Jul 2020 08:50:14 PM PKT.
CentOS-8 - AppStream
Name            Stream             Profiles             Summary
nginx           1.14 [d]           common [d]           nginx webserver
nginx           1.16               common [d]           nginx webserver

Hint: [d]efault, [e]nabled, [x]disabled, [i]nstalled

Install the default version of the Nginx web server by using the dnf command.

# dnf module install nginx

Enable and start nginx.service.

# systemctl enable --now nginx.service
Created symlink /etc/systemd/system/multi-user.target.wants/nginx.service → /usr/lib/systemd/system/nginx.service.

Allow the HTTP and HTTPS services in the Linux firewall.

# firewall-cmd --permanent --add-service={http,https}
success
# firewall-cmd --reload
success

Open the URL http://nginx-01.centlinux.com in a web browser. You should see the Nginx default page.

Your Nginx web server has been installed successfully.


Install a Self-Signed SSL/TLS Certificate in Nginx:

You can use self-signed SSL/TLS certificates for your Nginx websites if you are hosting a website in a network where the users are well aware of the authenticity of your website, or if you have not configured a certificate authority for your network.

A self-signed SSL/TLS certificate is one that is not signed by a Certificate Authority (CA). This type of certificate is easy to generate and does not cost money.

Create an nginx directory in /etc/pki to store the SSL/TLS certificate and private key.

# mkdir -p /etc/pki/nginx/private

Generate a private key and SSL/TLS certificate by using the openssl command.

The openssl package is installed by default on a minimal CentOS / RHEL 8 operating system. In case it is not present on your Linux server, you can install the openssl package by using the dnf command.

# openssl req -x509 -nodes -days 365 -newkey rsa:2048 -keyout /etc/pki/nginx/private/nginx-01.key -out /etc/pki/nginx/nginx-01.crt
Generating a RSA private key
................................+++++
.+++++
writing new private key to '/etc/pki/nginx/private/nginx-01.key'
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [XX]:PK
State or Province Name (full name) []:Sindh
Locality Name (eg, city) [Default City]:Karachi
Organization Name (eg, company) [Default Company Ltd]:CentLinux
Organizational Unit Name (eg, section) []:IT Lab
Common Name (eg, your name or your server's hostname) []:nginx-01.centlinux.com
Email Address []:ahmer@nginx-01.centlinux.com

Edit the Nginx configuration file and add a server block to enable HTTPS for your website.

# vi /etc/nginx/nginx.conf

The Nginx configuration file already contains a server block for HTTPS, but its directives are commented out by default.

Uncomment the following lines and update the paths in ssl_certificate and ssl_certificate_key.

# Settings for a TLS enabled server.

    server {
        listen       443 ssl http2 default_server;
        listen       [::]:443 ssl http2 default_server;
        server_name  _;
        root         /usr/share/nginx/html;

        ssl_certificate "/etc/pki/nginx/nginx-01.crt";
        ssl_certificate_key "/etc/pki/nginx/private/nginx-01.key";
        ssl_session_cache shared:SSL:1m;
        ssl_session_timeout  10m;
        ssl_ciphers PROFILE=SYSTEM;
        ssl_prefer_server_ciphers on;

        # Load configuration files for the default server block.
        include /etc/nginx/default.d/*.conf;

        location / {
        }

        error_page 404 /404.html;
            location = /40x.html {
        }

        error_page 500 502 503 504 /50x.html;
            location = /50x.html {
        }
    }

}

Restart nginx.service to apply the changes.

# systemctl restart nginx.service

Open the URL https://nginx-01.centlinux.com in a web browser. The web browser will give you a warning about the security certificate of the website, because it is self-signed. Ignore it and continue to your website.
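The self-signed step above as a script, added here as an example (it is not part of the article): -subj replaces the interactive prompts, a subjectAltName is added because browsers match the host name against the SAN rather than the Common Name, and two checks run before Nginx is restarted. The directory is a parameter so the script works in a scratch directory; nginx-01.centlinux.com is the article's hostname.

```shell
#!/bin/bash
# Added example (not part of the article): generate a self-signed certificate
# that carries a subjectAltName, then run the two checks worth doing before
# restarting Nginx. DIR is a parameter so the script can work in a scratch
# directory; run as root with DIR=/etc/pki/nginx to reproduce the article's layout.
set -eu

# gen_selfsigned DIR HOST: writes DIR/private/HOST.key and DIR/HOST.crt.
# -subj replaces the interactive DN prompts; -addext (OpenSSL 1.1.1+, as shipped
# with CentOS 8) adds the SAN that browsers match against instead of the CN.
gen_selfsigned() {
    local dir=$1 host=$2
    mkdir -p "$dir/private"
    openssl req -x509 -nodes -days 365 -newkey rsa:2048 \
        -keyout "$dir/private/$host.key" -out "$dir/$host.crt" \
        -subj "/C=PK/ST=Sindh/L=Karachi/O=CentLinux/OU=IT Lab/CN=$host" \
        -addext "subjectAltName=DNS:$host" 2>/dev/null   # stderr is only key-gen progress dots
    chmod 600 "$dir/private/$host.key"                 # key readable by root only
}

# cert_matches_key CRT KEY: succeeds when both carry the same public key; with a
# mismatch Nginx refuses to start ("key values mismatch") after the restart.
cert_matches_key() {
    local crt_pub key_pub
    crt_pub=$(openssl x509 -in "$1" -noout -pubkey)
    key_pub=$(openssl pkey -in "$2" -pubout)
    [ "$crt_pub" = "$key_pub" ]
}

# cert_has_san CRT HOST: succeeds when the certificate's SAN extension lists HOST.
cert_has_san() {
    openssl x509 -in "$1" -noout -text | grep -q "DNS:$2"
}

# Stand-alone demo in a temporary directory; nothing is written under /etc.
main() {
    local work
    work=$(mktemp -d)
    gen_selfsigned "$work" nginx-01.centlinux.com
    cert_matches_key "$work/nginx-01.centlinux.com.crt" \
        "$work/private/nginx-01.centlinux.com.key" && echo "certificate and key match"
    cert_has_san "$work/nginx-01.centlinux.com.crt" nginx-01.centlinux.com && echo "SAN present"
    openssl x509 -in "$work/nginx-01.centlinux.com.crt" -noout -subject -dates
}
main
```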


Install a CA Signed SSL/TLS Certificate in Nginx:

Just as we used a self-signed SSL/TLS certificate above, anyone can generate and use a security certificate for their websites. This raises a big question mark over the authenticity of those websites.

Therefore, to ensure the authenticity of an SSL/TLS certificate and a website, you need to have your security certificate digitally signed by a global Certificate Authority.

The authenticity of that global Certificate Authority (CA) is in turn ensured by an SSL/TLS certificate (known as the root CA certificate), which is installed by default in all popular web browsers.

To get your SSL/TLS certificate signed by a certificate authority (CA), you need to generate a Certificate Signing Request (CSR) and send it to that CA.

But before generating a CSR, you need a private key. Therefore, generate a private key by using the openssl command.

# openssl genrsa -out /etc/pki/nginx/private/nginx-01.key 2048
Generating RSA private key, 2048 bit long modulus (2 primes)
.......................................................................................+++++
..................+++++
e is 65537 (0x010001)

Now, generate a CSR by using the above private key.

# openssl req -new -key /etc/pki/nginx/private/nginx-01.key -out /etc/pki/nginx/nginx-01.csr
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [XX]:PK
State or Province Name (full name) []:Sindh
Locality Name (eg, city) [Default City]:Karachi
Organization Name (eg, company) [Default Company Ltd]:CentLinux
Organizational Unit Name (eg, section) []:IT Lab
Common Name (eg, your name or your server's hostname) []:nginx-01.centlinux.com
Email Address []:ahmer@nginx-01.centlinux.com

Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:
An optional company name []:

Send this CSR to the CA by email or any other communication medium.

The CA will then digitally sign the CSR and send back two files.

  • A digitally signed SSL/TLS Certificate
  • RootCA or Chain Certificate

In the Nginx web server, you need to merge both of these certificates into a single file. Therefore, we generate a certificate bundle file as follows.

# cat nginx-01.crt CA.crt >> /etc/pki/nginx/bundle.crt

Edit the Nginx configuration file to enable HTTPS and install the CA-signed SSL/TLS certificate.

# vi /etc/nginx/nginx.conf

You need to add a server block to enable HTTPS in Nginx. Luckily, the Nginx configuration file already contains a server block specific to SSL/TLS configuration.

Locate and uncomment the following server block. You have to update the locations of the SSL/TLS certificate and private key therein.

# Settings for a TLS enabled server.

    server {
        listen       443 ssl http2 default_server;
        listen       [::]:443 ssl http2 default_server;
        server_name  _;
        root         /usr/share/nginx/html;

        ssl_certificate "/etc/pki/nginx/bundle.crt";
        ssl_certificate_key "/etc/pki/nginx/private/nginx-01.key";
        ssl_session_cache shared:SSL:1m;
        ssl_session_timeout  10m;
        ssl_ciphers PROFILE=SYSTEM;
        ssl_prefer_server_ciphers on;

        # Load configuration files for the default server block.
        include /etc/nginx/default.d/*.conf;

        location / {
        }

        error_page 404 /404.html;
            location = /40x.html {
        }

        error_page 500 502 503 504 /50x.html;
            location = /50x.html {
        }
    }

}

Restart the Nginx service to apply changes.

# systemctl restart nginx.service

Open the URL https://nginx-01.centlinux.com in a web browser. This time the page will be served over HTTPS without any warning or error.
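The CSR and bundle steps of this section as a script, added as an example that is not part of the article or of any CA's tooling: toy_ca_sign is a constructed local CA standing in for the global CA, so that the bundle can be checked offline, and bundle_is_valid confirms what matters before the restart, namely that the server certificate is the first block in bundle.crt and that it chains to the CA certificate. The DN values and the hostname nginx-01.centlinux.com are the article's; the CA name and scratch directory are assumptions.

```shell
#!/bin/bash
# Added example (not part of the article): CSR, certificate bundle and the checks a
# practitioner runs on it, end to end in a scratch directory. toy_ca_sign is a
# CONSTRUCTED stand-in for the global CA so the chain can be verified offline.
set -eu
# make_csr DIR HOST: private key plus CSR, as in the article but non-interactive (-subj).
make_csr() {
    local dir=$1 host=$2
    mkdir -p "$dir/private"
    openssl genrsa -out "$dir/private/$host.key" 2048 2>/dev/null
    openssl req -new -key "$dir/private/$host.key" -out "$dir/$host.csr" \
        -subj "/C=PK/ST=Sindh/L=Karachi/O=CentLinux/OU=IT Lab/CN=$host"
}
# toy_ca_sign DIR HOST: constructed CA; issues HOST.crt with a SAN and CA:FALSE, as a real CA would.
toy_ca_sign() {
    local dir=$1 host=$2
    openssl req -new -nodes -newkey rsa:2048 -keyout "$dir/CA.key" -out "$dir/CA.csr" \
        -subj "/O=Example Lab/CN=Example Lab Root CA" 2>/dev/null
    printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign\n' > "$dir/ca.ext"
    openssl x509 -req -in "$dir/CA.csr" -signkey "$dir/CA.key" -days 30 \
        -extfile "$dir/ca.ext" -out "$dir/CA.crt" 2>/dev/null
    printf 'subjectAltName=DNS:%s\nbasicConstraints=CA:FALSE\n' "$host" > "$dir/leaf.ext"
    openssl x509 -req -in "$dir/$host.csr" -CA "$dir/CA.crt" -CAkey "$dir/CA.key" \
        -CAcreateserial -days 30 -extfile "$dir/leaf.ext" -out "$dir/$host.crt" 2>/dev/null
}
# make_bundle DIR HOST: server certificate FIRST, chain after it; Nginx treats the first
# PEM block as its own certificate. '>' instead of the article's '>>' so a rerun adds no copy.
make_bundle() {
    cat "$1/$2.crt" "$1/CA.crt" > "$1/bundle.crt"
}
# bundle_is_valid DIR HOST: succeeds when the first certificate in bundle.crt is for HOST
# and chains to CA.crt, i.e. what a browser will see Nginx present.
bundle_is_valid() {
    local dir=$1 host=$2
    openssl x509 -in "$dir/bundle.crt" -out "$dir/leaf.pem"   # x509 reads the first PEM block only
    openssl x509 -in "$dir/leaf.pem" -noout -subject -nameopt RFC2253 | grep -q "CN=$host" || return 1
    openssl verify -CAfile "$dir/CA.crt" "$dir/leaf.pem" >/dev/null 2>&1
}
main() {
    local work; work=$(mktemp -d)
    make_csr "$work" nginx-01.centlinux.com
    toy_ca_sign "$work" nginx-01.centlinux.com
    make_bundle "$work" nginx-01.centlinux.com
    bundle_is_valid "$work" nginx-01.centlinux.com && echo "bundle order and chain OK"
}
main
```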


Conclusion:

In this article, you have generated and installed SSL/TLS certificates in the Nginx web server. You have installed both self-signed and CA-signed certificates.
