Install SSL/TLS Certificates in Nginx Web Server - CentLinux


Tuesday, 21 July 2020

Install SSL/TLS Certificates in Nginx Web Server


In this article, you will learn how to generate and install SSL/TLS certificates in Nginx web server.

This article has two sections: one covers the configuration of self-signed SSL/TLS certificates and the other covers the installation of CA-signed SSL/TLS certificates on the Nginx web server.

We have been writing articles on the Nginx web server for a long time, but we usually configure the Nginx websites in plain text, i.e. HTTP, because we do not want to divert the readers' focus from the main topic of each article.

Nevertheless, we always recommend that system administrators configure their websites over HTTPS, especially those with authentication or a login form.

For this reason, we are now writing a separate article on the installation of SSL/TLS certificates in the Nginx web server. You may also find a similar article on our blog about installing SSL/TLS certificates on the Apache web server.

 


    What is a SSL/TLS Certificate? :

    SSL stands for Secure Sockets Layer. SSL is a global standard security technology that enables encrypted communication between a web browser and a web server.

    TLS stands for Transport Layer Security. TLS is the successor of the SSL protocol and is a more secure, updated version of it.

    Millions of websites and web applications use SSL/TLS certificates to keep user data secure, verify ownership of the website, prevent attackers from creating a fake version of the site, and gain user trust.

    We recommend a very good book for the readers of this article, Bulletproof SSL and TLS by Ivan Ristic for understanding and deploying SSL/TLS and PKI to secure servers and web applications.

     

    Environment Specification:

    We are using a minimal CentOS 8 KVM guest with the following specification.

    • CPU - 3.4 GHz (2 cores)
    • Memory - 2 GB
    • Storage - 20 GB
    • Operating System - CentOS 8.2
    • Hostname - nginx-01.centlinux.com
    • IP Address - 192.168.116.206/24

     

    Installing Nginx Web Server on CentOS 8:

    First of all, we need to install the Nginx web server on our CentOS 8 operating system. We need a working instance of the Nginx web server so that we can convert the existing websites from HTTP to HTTPS by means of an SSL/TLS certificate.

    Connect to nginx-01.centlinux.com as the root user using an SSH client.

    Verify the operating system and kernel version.

    [root@nginx-01 ~]# uname -a
    Linux nginx-01.centlinux.com 4.18.0-193.6.3.el8_2.x86_64 #1 SMP Wed Jun 10 11:09:32 UTC 2020 x86_64 x86_64 x86_64 GNU/Linux
    [root@nginx-01 ~]# cat /etc/redhat-release
    CentOS Linux release 8.2.2004 (Core)

    Here, we are using the CentOS 8.2 operating system, but the steps we will perform are almost the same on other platforms.

    In CentOS 8, Nginx is provided in the form of modules in the default yum repositories. List the available versions of the Nginx module.

    [root@nginx-01 ~]# dnf module list nginx
    Last metadata expiration check: 0:06:07 ago on Sun 19 Jul 2020 08:50:14 PM PKT.
    CentOS-8 - AppStream
    Name       Stream     Profiles       Summary
    nginx      1.14 [d]   common [d]     nginx webserver
    nginx      1.16       common [d]     nginx webserver

    Hint: [d]efault, [e]nabled, [x]disabled, [i]nstalled

    Install the default version of Nginx by using the dnf command.

    [root@nginx-01 ~]# dnf module install nginx
    Last metadata expiration check: 0:07:52 ago on Sun 19 Jul 2020 08:50:14 PM PKT.
    Dependencies resolved.
    ...
    Transaction Summary
    ================================================================================
    Install  39 Packages

    Total download size: 13 M
    Installed size: 36 M
    ...
    Complete!

    Enable and start the Nginx service.

    [root@nginx-01 ~]# systemctl enable --now nginx.service
    Created symlink /etc/systemd/system/multi-user.target.wants/nginx.service → /usr/lib/systemd/system/nginx.service.

    Allow HTTP and HTTPS services in Linux firewall.

    [root@nginx-01 ~]# firewall-cmd --permanent --add-service={http,https}
    success
    [root@nginx-01 ~]# firewall-cmd --reload
    success

    Open URL http://nginx-01.centlinux.com in a web browser.


    Our Nginx web server has been installed and configured successfully.

     

    Installing a Self-Signed SSL/TLS Certificate in Nginx:

    You can use self-signed SSL/TLS certificates for your Nginx websites if you are hosting a website on a network where the users are well aware of the authenticity of your website, or if you have not configured a certificate authority for your network.

    A self-signed SSL/TLS certificate is one that is not signed by a Certificate Authority (CA). This type of SSL/TLS certificate is easy to generate and does not cost money.

    Create an nginx directory under /etc/pki to store the SSL/TLS certificate and private key.

    [root@nginx-01 ~]# mkdir -p /etc/pki/nginx/private

    Generate a private key and SSL/TLS certificate by using the openssl command. The -nodes option leaves the private key unencrypted so that Nginx can start without a passphrase, so keep the key file readable by root only. The openssl package is installed by default on a minimal CentOS 8 operating system, but if you cannot find it on your server, install the openssl package by using the dnf command.

    [root@nginx-01 ~]# openssl req -x509 -nodes -days 365 -newkey rsa:2048 -keyout /etc/pki/nginx/private/nginx-01.key -out /etc/pki/nginx/nginx-01.crt
    Generating a RSA private key
    ................................+++++
    .+++++
    writing new private key to '/etc/pki/nginx/private/nginx-01.key'
    -----
    You are about to be asked to enter information that will be incorporated
    into your certificate request.
    What you are about to enter is what is called a Distinguished Name or a DN.
    There are quite a few fields but you can leave some blank
    For some fields there will be a default value,
    If you enter '.', the field will be left blank.
    -----
    Country Name (2 letter code) [XX]:PK
    State or Province Name (full name) []:Sindh
    Locality Name (eg, city) [Default City]:Karachi
    Organization Name (eg, company) [Default Company Ltd]:CentLinux
    Organizational Unit Name (eg, section) []:IT Lab
    Common Name (eg, your name or your server's hostname) []:nginx-01.centlinux.com
    Email Address []:ahmer@nginx-01.centlinux.com
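    As an added example (not from the original article), the same self-signed certificate generated non-interactively with a subjectAltName, plus checks on the result. It assumes openssl 1.1.1 or later; the directory, hostname and DN values are placeholders taken from the DN above.

```shell
#!/bin/sh
# Added example, not part of the original article. Generates the same kind of
# self-signed certificate non-interactively and adds a subjectAltName (SAN),
# then checks the result. Assumes openssl 1.1.1 or later. The directory,
# hostname and DN values are placeholders.

# gen_selfsigned DIR HOST [DAYS]: write DIR/private/HOST.key and DIR/HOST.crt.
gen_selfsigned() {
    dir="$1"; host="$2"; days="${3:-365}"
    mkdir -p "$dir/private"
    chmod 700 "$dir/private"
    # -subj replaces the interactive DN prompts; -addext adds a SAN, which
    # browsers match the hostname against (a CN alone is no longer enough).
    # -nodes leaves the key unencrypted so nginx can start unattended, so
    # the file permissions are the only protection the key gets.
    openssl req -x509 -nodes -newkey rsa:2048 -days "$days" \
        -keyout "$dir/private/$host.key" -out "$dir/$host.crt" \
        -subj "/C=PK/ST=Sindh/L=Karachi/O=CentLinux/OU=IT Lab/CN=$host" \
        -addext "subjectAltName=DNS:$host" 2>/dev/null
    chmod 600 "$dir/private/$host.key"
}

# cert_cn CERT: print the CN from the certificate subject.
cert_cn() {
    openssl x509 -in "$1" -noout -subject -nameopt sep_multiline \
        | sed -n 's/^ *CN *= *//p'
}

# cert_has_san CERT HOST: succeed only if DNS:HOST is listed in the SAN.
cert_has_san() {
    openssl x509 -in "$1" -noout -ext subjectAltName | grep -qF "DNS:$2"
}

# cert_valid_for CERT DAYS: succeed if the certificate does not expire
# within DAYS days; useful as a renewal reminder for a 365-day certificate.
cert_valid_for() {
    openssl x509 -in "$1" -noout -checkend $(( $2 * 86400 )) >/dev/null
}
```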

    Edit the Nginx configuration file and add a server block to enable HTTPS for your website.

    [root@nginx-01 ~]# vi /etc/nginx/nginx.conf

    The Nginx configuration file already contains a server block for HTTPS, but its directives are commented out by default.

    Uncomment the following lines therein and update the paths of ssl_certificate and ssl_certificate_key.

    # Settings for a TLS enabled server.
        server {
            listen       443 ssl http2 default_server;
            listen       [::]:443 ssl http2 default_server;
            server_name  _;
            root         /usr/share/nginx/html;

            ssl_certificate "/etc/pki/nginx/nginx-01.crt";
            ssl_certificate_key "/etc/pki/nginx/private/nginx-01.key";
            ssl_session_cache shared:SSL:1m;
            ssl_session_timeout  10m;
            ssl_ciphers PROFILE=SYSTEM;
            ssl_prefer_server_ciphers on;

            # Load configuration files for the default server block.
            include /etc/nginx/default.d/*.conf;

            location / {
            }

            error_page 404 /404.html;
                location = /40x.html {
            }

            error_page 500 502 503 504 /50x.html;
                location = /50x.html {
            }
        }

    }

    Restart Nginx service to apply the changes.

    [root@nginx-01 ~]# systemctl restart nginx.service

    Open the URL https://nginx-01.centlinux.com in a web browser. The web browser will warn you about the website's security certificate, because a self-signed certificate is not issued by a CA that the browser trusts. Ignore it and continue to your website.

     

    Installing a CA Signed SSL/TLS Certificate in Nginx:

    Just as we used a self-signed SSL/TLS certificate above, anyone can generate and use an SSL/TLS certificate for their website. This raises a big question mark over the authenticity of that website.

    Therefore, to ensure the authenticity of an SSL/TLS certificate and a website, we need to have our SSL/TLS certificate digitally signed by a global Certificate Authority.

    The authenticity of that global Certificate Authority (CA) is in turn ensured by an SSL/TLS certificate (known as the root CA certificate) which is installed by default in all web browsers.

    To get our SSL/TLS certificate signed by a Certificate Authority (CA), we need to generate a Certificate Signing Request (CSR) and send it to that CA.

    But before generating a CSR, we need a private key. Therefore, we first generate a private key by using the openssl command.

    [root@nginx-01 ~]# openssl genrsa -out /etc/pki/nginx/private/nginx-01.key 2048
    Generating RSA private key, 2048 bit long modulus (2 primes)
    .......................................................................................+++++
    ..................+++++
    e is 65537 (0x010001)

    Now, generate a CSR by using the above private key.

    [root@nginx-01 ~]# openssl req -new -key /etc/pki/nginx/private/nginx-01.key -out /etc/pki/nginx/nginx-01.csr
    You are about to be asked to enter information that will be incorporated
    into your certificate request.
    What you are about to enter is what is called a Distinguished Name or a DN.
    There are quite a few fields but you can leave some blank
    For some fields there will be a default value,
    If you enter '.', the field will be left blank.
    -----
    Country Name (2 letter code) [XX]:PK
    State or Province Name (full name) []:Sindh
    Locality Name (eg, city) [Default City]:Karachi
    Organization Name (eg, company) [Default Company Ltd]:CentLinux
    Organizational Unit Name (eg, section) []:IT Lab
    Common Name (eg, your name or your server's hostname) []:nginx-01.centlinux.com
    Email Address []:ahmer@nginx-01.centlinux.com

    Please enter the following 'extra' attributes
    to be sent with your certificate request
    A challenge password []:
    An optional company name []:

    Now submit this CSR to the CA by email or any other communication medium.

    The CA will then digitally sign the CSR and send back two files.

    • A digitally signed SSL/TLS Certificate
    • RootCA or Chain SSL/TLS Certificate

    In the Nginx web server, both certificates must be placed in a single file, with the server certificate first and the root CA or chain certificate after it, because Nginx treats the first certificate in the file as the server's own. Therefore, we generate a certificate bundle file as follows.

    [root@nginx-01 ~]# cat nginx-01.crt CA.crt >> /etc/pki/nginx/bundle.crt
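    As an added example (not from the original article), the CSR, signing, bundle and pre-restart checks exercised end to end with a throwaway lab CA standing in for the public CA you would send the CSR to. It assumes openssl 1.1.1 or later, and every path is a placeholder under a scratch directory.

```shell
#!/bin/sh
# Added example, not part of the original article. A throwaway lab CA plays
# the role of the public CA so the CSR, signing, bundle-building and checking
# steps can be run end to end. Assumes openssl 1.1.1 or later; all paths are
# placeholders under a scratch directory.

# make_lab_ca DIR: self-signed CA key and certificate (lab stand-in only).
make_lab_ca() {
    openssl req -x509 -nodes -newkey rsa:2048 -days 30 \
        -keyout "$1/ca.key" -out "$1/ca.crt" \
        -subj "/O=CentLinux Lab/CN=Lab Root CA" 2>/dev/null
}

# make_csr DIR HOST: the article's genrsa + req -new, non-interactive and
# requesting a SAN for the hostname (browsers match the SAN, not the CN).
make_csr() {
    openssl genrsa -out "$1/$2.key" 2048 2>/dev/null
    openssl req -new -key "$1/$2.key" -out "$1/$2.csr" \
        -subj "/C=PK/ST=Sindh/L=Karachi/O=CentLinux/CN=$2" \
        -addext "subjectAltName=DNS:$2" 2>/dev/null
}

# sign_csr DIR HOST: what the CA does. x509 -req drops CSR extensions, so the
# SAN is supplied again via -extfile (works on 1.1.1 and 3.x alike).
sign_csr() {
    printf 'subjectAltName=DNS:%s\n' "$2" > "$1/$2.ext"
    openssl x509 -req -in "$1/$2.csr" -CA "$1/ca.crt" -CAkey "$1/ca.key" \
        -CAcreateserial -days 30 -extfile "$1/$2.ext" -out "$1/$2.crt" 2>/dev/null
}

# make_bundle DIR HOST: server certificate first, then the chain. nginx uses
# the first certificate in ssl_certificate as the server's and sends the rest
# as the chain; with the order reversed the key no longer matches the first
# certificate and nginx refuses to start.
make_bundle() {
    cat "$1/$2.crt" "$1/ca.crt" > "$1/bundle.crt"
}

# bundle_leaf_cn BUNDLE: CN of the first certificate in the file. If this
# prints the CA's name, the files were concatenated in the wrong order.
bundle_leaf_cn() {
    openssl x509 -in "$1" -noout -subject -nameopt sep_multiline \
        | sed -n 's/^ *CN *= *//p'
}

# chain_ok DIR HOST: the check a browser performs, leaf against the CA.
chain_ok() {
    openssl verify -CAfile "$1/ca.crt" "$1/$2.crt" >/dev/null 2>&1
}

# key_matches_cert KEY CERT: the returned certificate must carry the public
# key of the private key behind the CSR; run this (and nginx -t) before
# restarting nginx, since a mismatch stops the service from starting.
key_matches_cert() {
    [ "$(openssl pkey -in "$1" -pubout 2>/dev/null)" = \
      "$(openssl x509 -in "$2" -noout -pubkey)" ]
}
```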

    Edit Nginx configuration file to enable HTTPS and install the CA signed SSL/TLS certificate.

    [root@nginx-01 ~]# vi /etc/nginx/nginx.conf

    We need to add a server block to enable HTTPS in Nginx. Luckily, the Nginx configuration file already contains a server block specific to the SSL/TLS configuration.

    Locate and uncomment the following server block. We have also updated the locations of the SSL/TLS certificate bundle and private key therein.

    # Settings for a TLS enabled server.
        server {
            listen       443 ssl http2 default_server;
            listen       [::]:443 ssl http2 default_server;
            server_name  _;
            root         /usr/share/nginx/html;

            ssl_certificate "/etc/pki/nginx/bundle.crt";
            ssl_certificate_key "/etc/pki/nginx/private/nginx-01.key";
            ssl_session_cache shared:SSL:1m;
            ssl_session_timeout  10m;
            ssl_ciphers PROFILE=SYSTEM;
            ssl_prefer_server_ciphers on;

            # Load configuration files for the default server block.
            include /etc/nginx/default.d/*.conf;

            location / {
            }

            error_page 404 /404.html;
                location = /40x.html {
            }

            error_page 500 502 503 504 /50x.html;
                location = /50x.html {
            }
        }

    }

    Restart the Nginx service to apply changes.

    [root@nginx-01 ~]# systemctl restart nginx.service

    Open the URL https://nginx-01.centlinux.com in a web browser. This time the page will be served over HTTPS without any warning or error.

     

    Conclusion:

    In this article, we have generated and installed SSL/TLS certificates in the Nginx web server, covering both self-signed and CA-signed certificates.
