In this article, you will learn how to generate and install SSL/TLS certificates in the Nginx web server.
The article has two sections: the first covers the configuration of a self-signed SSL/TLS certificate, and the second covers the installation of a CA-signed SSL/TLS certificate on the Nginx web server.
We have been writing articles on the Nginx web server for a long time, but we usually configure the Nginx websites in plain text, i.e. over HTTP, so as not to divert the reader's attention from the main topic of those articles.
That said, we always recommend that system administrators serve their websites over HTTPS, especially those with an authentication or login form: over plain HTTP, credentials and session cookies cross the network in clear text and can be read or replaced by anyone on the path.
For this reason, we are now writing a separate article on the installation of SSL/TLS certificates in the Nginx web server. You may also find a similar article on our blog on how to install SSL/TLS certificates on the Apache web server.
What is an SSL/TLS Certificate?:
SSL stands for Secure Sockets Layer. It was the original protocol for encrypting the communication between a web browser and a web server; every version of SSL is now deprecated and should not be enabled on a server.
TLS stands for Transport Layer Security. TLS is the successor of SSL and is the protocol actually negotiated today. "SSL certificate" survives as a name, but the certificate itself is the same X.509 certificate whichever protocol version is used.
Millions of websites and web applications use SSL/TLS certificates to keep user data confidential in transit, to prove that the server is operated by the owner of the domain name, to prevent attackers from impersonating the site with a look-alike copy, and to gain user trust. Note that the certificate only authenticates the server and protects the connection; it does not make the application behind it secure.
We recommend a very good book for the readers of this article, Bulletproof SSL and TLS by Ivan Ristic, for understanding and deploying SSL/TLS and PKI to secure servers and web applications.
Environment Specification:
We are using a minimal CentOS 8 KVM guest with following specification.
- CPU - 3.4 GHz (2 cores)
- Memory - 2 GB
- Storage - 20 GB
- Operating System - CentOS 8.2
- Hostname – nginx-01.centlinux.com
- IP Address - 192.168.116.206 /24
Installing Nginx Web Server on CentOS 8:
First of all, we need to install the Nginx web server on our CentOS 8 operating system. We need a working Nginx instance so that we can convert an existing website from HTTP to HTTPS by means of an SSL/TLS certificate.
Connect to nginx-01.centlinux.com as the root user using an SSH client.
Verify the operating system and kernel version.
[root@nginx-01 ~]# uname -a
Linux nginx-01.centlinux.com 4.18.0-193.6.3.el8_2.x86_64 #1 SMP Wed Jun 10 11:09:32 UTC 2020 x86_64 x86_64 x86_64 GNU/Linux
[root@nginx-01 ~]# cat /etc/redhat-release
CentOS Linux release 8.2.2004 (Core)
Here, we are using CentOS 8.2, but the steps are almost the same on other platforms.
In CentOS 8, Nginx is provided as a module stream in the default repositories. List the available Nginx module streams.
[root@nginx-01 ~]# dnf module list nginx
Last metadata expiration check: 0:06:07 ago on Sun 19 Jul 2020 08:50:14 PM PKT.
CentOS-8 - AppStream
Name Stream Profiles Summary
nginx 1.14 [d] common [d] nginx webserver
nginx 1.16 common [d] nginx webserver
Hint: [d]efault, [e]nabled, [x]disabled, [i]nstalled
Install the default version of Nginx by using dnf command.
[root@nginx-01 ~]# dnf module install nginx
Last metadata expiration check: 0:07:52 ago on Sun 19 Jul 2020 08:50:14 PM PKT.
Dependencies resolved.
================================================================================
Package Arch Version Repo Size
================================================================================
Installing group/module packages:
nginx x86_64 1:1.14.1-9.module_el8.0.0+184+e34fea82
AppStream 570 k
nginx-all-modules noarch 1:1.14.1-9.module_el8.0.0+184+e34fea82
AppStream 23 k
nginx-filesystem noarch 1:1.14.1-9.module_el8.0.0+184+e34fea82
AppStream 24 k
nginx-mod-http-image-filter x86_64 1:1.14.1-9.module_el8.0.0+184+e34fea82
AppStream 35 k
nginx-mod-http-perl x86_64 1:1.14.1-9.module_el8.0.0+184+e34fea82
AppStream 45 k
nginx-mod-http-xslt-filter x86_64 1:1.14.1-9.module_el8.0.0+184+e34fea82
AppStream 33 k
nginx-mod-mail x86_64 1:1.14.1-9.module_el8.0.0+184+e34fea82
AppStream 64 k
nginx-mod-stream x86_64 1:1.14.1-9.module_el8.0.0+184+e34fea82
AppStream 85 k
Installing dependencies:
dejavu-fonts-common noarch 2.35-6.el8 BaseOS 74 k
dejavu-sans-fonts noarch 2.35-6.el8 BaseOS 1.5 M
fontconfig x86_64 2.13.1-3.el8 BaseOS 275 k
fontpackages-filesystem noarch 1.44-22.el8 BaseOS 16 k
gd x86_64 2.2.5-6.el8 AppStream 144 k
jbigkit-libs x86_64 2.1-14.el8 AppStream 55 k
libX11 x86_64 1.6.8-3.el8 AppStream 611 k
libX11-common noarch 1.6.8-3.el8 AppStream 158 k
libXau x86_64 1.0.8-13.el8 AppStream 36 k
libXpm x86_64 3.5.12-8.el8 AppStream 58 k
libjpeg-turbo x86_64 1.5.3-10.el8 AppStream 156 k
libtiff x86_64 4.0.9-17.el8 AppStream 188 k
libwebp x86_64 1.0.0-1.el8 AppStream 273 k
libxcb x86_64 1.13.1-1.el8 AppStream 229 k
perl-Carp noarch 1.42-396.el8 BaseOS 30 k
perl-Errno x86_64 1.28-416.el8 BaseOS 76 k
perl-Exporter noarch 5.72-396.el8 BaseOS 34 k
perl-File-Path noarch 2.15-2.el8 BaseOS 38 k
perl-IO x86_64 1.38-416.el8 BaseOS 141 k
perl-PathTools x86_64 3.74-1.el8 BaseOS 90 k
perl-Scalar-List-Utils x86_64 3:1.49-2.el8 BaseOS 68 k
perl-Socket x86_64 4:2.027-3.el8 BaseOS 59 k
perl-Text-Tabs+Wrap noarch 2013.0523-395.el8 BaseOS 24 k
perl-Unicode-Normalize x86_64 1.25-396.el8 BaseOS 82 k
perl-constant noarch 1.33-396.el8 BaseOS 25 k
perl-interpreter x86_64 4:5.26.3-416.el8 BaseOS 6.3 M
perl-libs x86_64 4:5.26.3-416.el8 BaseOS 1.6 M
perl-macros x86_64 4:5.26.3-416.el8 BaseOS 72 k
perl-parent noarch 1:0.237-1.el8 BaseOS 20 k
perl-threads x86_64 1:2.21-2.el8 BaseOS 61 k
perl-threads-shared x86_64 1.58-2.el8 BaseOS 48 k
Installing module profiles:
nginx/common
Enabling module streams:
nginx 1.14
Transaction Summary
================================================================================
Install 39 Packages
Total download size: 13 M
Installed size: 36 M
Downloading Packages:
(1/39): jbigkit-libs-2.1-14.el8.x86_64.rpm 178 kB/s | 55 kB 00:00
(2/39): gd-2.2.5-6.el8.x86_64.rpm 200 kB/s | 144 kB 00:00
(3/39): libX11-common-1.6.8-3.el8.noarch.rpm 142 kB/s | 158 kB 00:01
(4/39): libXau-1.0.8-13.el8.x86_64.rpm 50 kB/s | 36 kB 00:00
(5/39): libXpm-3.5.12-8.el8.x86_64.rpm 280 kB/s | 58 kB 00:00
(6/39): libjpeg-turbo-1.5.3-10.el8.x86_64.rpm 354 kB/s | 156 kB 00:00
(7/39): libtiff-4.0.9-17.el8.x86_64.rpm 375 kB/s | 188 kB 00:00
(8/39): libX11-1.6.8-3.el8.x86_64.rpm 232 kB/s | 611 kB 00:02
(9/39): libxcb-1.13.1-1.el8.x86_64.rpm 343 kB/s | 229 kB 00:00
(10/39): libwebp-1.0.0-1.el8.x86_64.rpm 289 kB/s | 273 kB 00:00
(11/39): nginx-all-modules-1.14.1-9.module_el8. 123 kB/s | 23 kB 00:00
(12/39): nginx-filesystem-1.14.1-9.module_el8.0 101 kB/s | 24 kB 00:00
(13/39): nginx-mod-http-image-filter-1.14.1-9.m 28 kB/s | 35 kB 00:01
(14/39): nginx-mod-http-perl-1.14.1-9.module_el 39 kB/s | 45 kB 00:01
(15/39): nginx-mod-http-xslt-filter-1.14.1-9.mo 167 kB/s | 33 kB 00:00
(16/39): nginx-mod-mail-1.14.1-9.module_el8.0.0 220 kB/s | 64 kB 00:00
(17/39): nginx-1.14.1-9.module_el8.0.0+184+e34f 274 kB/s | 570 kB 00:02
(18/39): nginx-mod-stream-1.14.1-9.module_el8.0 260 kB/s | 85 kB 00:00
(19/39): dejavu-fonts-common-2.35-6.el8.noarch. 2.5 kB/s | 74 kB 00:29
(20/39): fontpackages-filesystem-1.44-22.el8.no 2.8 kB/s | 16 kB 00:05
(21/39): fontconfig-2.13.1-3.el8.x86_64.rpm 6.1 kB/s | 275 kB 00:45
(22/39): perl-Carp-1.42-396.el8.noarch.rpm 1.1 kB/s | 30 kB 00:26
(23/39): perl-Errno-1.28-416.el8.x86_64.rpm 2.4 kB/s | 76 kB 00:31
(24/39): perl-Exporter-5.72-396.el8.noarch.rpm 998 B/s | 34 kB 00:34
(25/39): perl-File-Path-2.15-2.el8.noarch.rpm 846 B/s | 38 kB 00:46
(26/39): perl-IO-1.38-416.el8.x86_64.rpm 2.4 kB/s | 141 kB 00:59
(27/39): perl-Scalar-List-Utils-1.49-2.el8.x86_ 3.2 kB/s | 68 kB 00:21
(28/39): dejavu-sans-fonts-2.35-6.el8.noarch.rp 8.6 kB/s | 1.5 MB 02:57
(29/39): perl-Socket-2.027-3.el8.x86_64.rpm 196 kB/s | 59 kB 00:00
(30/39): perl-PathTools-3.74-1.el8.x86_64.rpm 1.5 kB/s | 90 kB 01:01
(31/39): perl-Text-Tabs+Wrap-2013.0523-395.el8. 583 B/s | 24 kB 00:42
(32/39): perl-constant-1.33-396.el8.noarch.rpm 580 B/s | 25 kB 00:44
(33/39): perl-Unicode-Normalize-1.25-396.el8.x8 1.6 kB/s | 82 kB 00:51
(34/39): perl-libs-5.26.3-416.el8.x86_64.rpm 59 kB/s | 1.6 MB 00:26
(35/39): perl-parent-0.237-1.el8.noarch.rpm 44 kB/s | 20 kB 00:00
(36/39): perl-threads-2.21-2.el8.x86_64.rpm 45 kB/s | 61 kB 00:01
(37/39): perl-threads-shared-1.58-2.el8.x86_64. 34 kB/s | 48 kB 00:01
(38/39): perl-interpreter-5.26.3-416.el8.x86_64 139 kB/s | 6.3 MB 00:46
(39/39): perl-macros-5.26.3-416.el8.x86_64.rpm 1.3 kB/s | 72 kB 00:56
--------------------------------------------------------------------------------
Total 46 kB/s | 13 MB 04:53
Running transaction check
Transaction check succeeded.
Running transaction test
Transaction test succeeded.
Running transaction
Preparing : 1/1
Installing : perl-Exporter-5.72-396.el8.noarch 1/39
Installing : perl-libs-4:5.26.3-416.el8.x86_64 2/39
Installing : perl-Carp-1.42-396.el8.noarch 3/39
Installing : perl-Scalar-List-Utils-3:1.49-2.el8.x86_64 4/39
Installing : fontpackages-filesystem-1.44-22.el8.noarch 5/39
Installing : libjpeg-turbo-1.5.3-10.el8.x86_64 6/39
Installing : dejavu-fonts-common-2.35-6.el8.noarch 7/39
Installing : dejavu-sans-fonts-2.35-6.el8.noarch 8/39
Installing : fontconfig-2.13.1-3.el8.x86_64 9/39
Running scriptlet: fontconfig-2.13.1-3.el8.x86_64 9/39
Installing : perl-macros-4:5.26.3-416.el8.x86_64 10/39
Installing : perl-parent-1:0.237-1.el8.noarch 11/39
Installing : perl-Errno-1.28-416.el8.x86_64 12/39
Installing : perl-Socket-4:2.027-3.el8.x86_64 13/39
Installing : perl-Text-Tabs+Wrap-2013.0523-395.el8.noarch 14/39
Installing : perl-Unicode-Normalize-1.25-396.el8.x86_64 15/39
Installing : perl-File-Path-2.15-2.el8.noarch 16/39
Installing : perl-IO-1.38-416.el8.x86_64 17/39
Installing : perl-PathTools-3.74-1.el8.x86_64 18/39
Installing : perl-constant-1.33-396.el8.noarch 19/39
Installing : perl-threads-1:2.21-2.el8.x86_64 20/39
Installing : perl-threads-shared-1.58-2.el8.x86_64 21/39
Installing : perl-interpreter-4:5.26.3-416.el8.x86_64 22/39
Running scriptlet: nginx-filesystem-1:1.14.1-9.module_el8.0.0+184+e34 23/39
Installing : nginx-filesystem-1:1.14.1-9.module_el8.0.0+184+e34 23/39
Installing : libwebp-1.0.0-1.el8.x86_64 24/39
Installing : libXau-1.0.8-13.el8.x86_64 25/39
Installing : libxcb-1.13.1-1.el8.x86_64 26/39
Installing : libX11-common-1.6.8-3.el8.noarch 27/39
Installing : libX11-1.6.8-3.el8.x86_64 28/39
Installing : libXpm-3.5.12-8.el8.x86_64 29/39
Installing : jbigkit-libs-2.1-14.el8.x86_64 30/39
Running scriptlet: jbigkit-libs-2.1-14.el8.x86_64 30/39
Installing : libtiff-4.0.9-17.el8.x86_64 31/39
Installing : gd-2.2.5-6.el8.x86_64 32/39
Running scriptlet: gd-2.2.5-6.el8.x86_64 32/39
Installing : nginx-mod-http-perl-1:1.14.1-9.module_el8.0.0+184+ 33/39
Running scriptlet: nginx-mod-http-perl-1:1.14.1-9.module_el8.0.0+184+ 33/39
Installing : nginx-mod-http-xslt-filter-1:1.14.1-9.module_el8.0 34/39
Running scriptlet: nginx-mod-http-xslt-filter-1:1.14.1-9.module_el8.0 34/39
Installing : nginx-mod-mail-1:1.14.1-9.module_el8.0.0+184+e34fe 35/39
Running scriptlet: nginx-mod-mail-1:1.14.1-9.module_el8.0.0+184+e34fe 35/39
Installing : nginx-mod-stream-1:1.14.1-9.module_el8.0.0+184+e34 36/39
Running scriptlet: nginx-mod-stream-1:1.14.1-9.module_el8.0.0+184+e34 36/39
Installing : nginx-1:1.14.1-9.module_el8.0.0+184+e34fea82.x86_6 37/39
Running scriptlet: nginx-1:1.14.1-9.module_el8.0.0+184+e34fea82.x86_6 37/39
Installing : nginx-mod-http-image-filter-1:1.14.1-9.module_el8. 38/39
Running scriptlet: nginx-mod-http-image-filter-1:1.14.1-9.module_el8. 38/39
Installing : nginx-all-modules-1:1.14.1-9.module_el8.0.0+184+e3 39/39
Running scriptlet: nginx-all-modules-1:1.14.1-9.module_el8.0.0+184+e3 39/39
Running scriptlet: fontconfig-2.13.1-3.el8.x86_64 39/39
Verifying : gd-2.2.5-6.el8.x86_64 1/39
Verifying : jbigkit-libs-2.1-14.el8.x86_64 2/39
Verifying : libX11-1.6.8-3.el8.x86_64 3/39
Verifying : libX11-common-1.6.8-3.el8.noarch 4/39
Verifying : libXau-1.0.8-13.el8.x86_64 5/39
Verifying : libXpm-3.5.12-8.el8.x86_64 6/39
Verifying : libjpeg-turbo-1.5.3-10.el8.x86_64 7/39
Verifying : libtiff-4.0.9-17.el8.x86_64 8/39
Verifying : libwebp-1.0.0-1.el8.x86_64 9/39
Verifying : libxcb-1.13.1-1.el8.x86_64 10/39
Verifying : nginx-1:1.14.1-9.module_el8.0.0+184+e34fea82.x86_6 11/39
Verifying : nginx-all-modules-1:1.14.1-9.module_el8.0.0+184+e3 12/39
Verifying : nginx-filesystem-1:1.14.1-9.module_el8.0.0+184+e34 13/39
Verifying : nginx-mod-http-image-filter-1:1.14.1-9.module_el8. 14/39
Verifying : nginx-mod-http-perl-1:1.14.1-9.module_el8.0.0+184+ 15/39
Verifying : nginx-mod-http-xslt-filter-1:1.14.1-9.module_el8.0 16/39
Verifying : nginx-mod-mail-1:1.14.1-9.module_el8.0.0+184+e34fe 17/39
Verifying : nginx-mod-stream-1:1.14.1-9.module_el8.0.0+184+e34 18/39
Verifying : dejavu-fonts-common-2.35-6.el8.noarch 19/39
Verifying : dejavu-sans-fonts-2.35-6.el8.noarch 20/39
Verifying : fontconfig-2.13.1-3.el8.x86_64 21/39
Verifying : fontpackages-filesystem-1.44-22.el8.noarch 22/39
Verifying : perl-Carp-1.42-396.el8.noarch 23/39
Verifying : perl-Errno-1.28-416.el8.x86_64 24/39
Verifying : perl-Exporter-5.72-396.el8.noarch 25/39
Verifying : perl-File-Path-2.15-2.el8.noarch 26/39
Verifying : perl-IO-1.38-416.el8.x86_64 27/39
Verifying : perl-PathTools-3.74-1.el8.x86_64 28/39
Verifying : perl-Scalar-List-Utils-3:1.49-2.el8.x86_64 29/39
Verifying : perl-Socket-4:2.027-3.el8.x86_64 30/39
Verifying : perl-Text-Tabs+Wrap-2013.0523-395.el8.noarch 31/39
Verifying : perl-Unicode-Normalize-1.25-396.el8.x86_64 32/39
Verifying : perl-constant-1.33-396.el8.noarch 33/39
Verifying : perl-interpreter-4:5.26.3-416.el8.x86_64 34/39
Verifying : perl-libs-4:5.26.3-416.el8.x86_64 35/39
Verifying : perl-macros-4:5.26.3-416.el8.x86_64 36/39
Verifying : perl-parent-1:0.237-1.el8.noarch 37/39
Verifying : perl-threads-1:2.21-2.el8.x86_64 38/39
Verifying : perl-threads-shared-1.58-2.el8.x86_64 39/39
Installed:
dejavu-fonts-common-2.35-6.el8.noarch
dejavu-sans-fonts-2.35-6.el8.noarch
fontconfig-2.13.1-3.el8.x86_64
fontpackages-filesystem-1.44-22.el8.noarch
gd-2.2.5-6.el8.x86_64
jbigkit-libs-2.1-14.el8.x86_64
libX11-1.6.8-3.el8.x86_64
libX11-common-1.6.8-3.el8.noarch
libXau-1.0.8-13.el8.x86_64
libXpm-3.5.12-8.el8.x86_64
libjpeg-turbo-1.5.3-10.el8.x86_64
libtiff-4.0.9-17.el8.x86_64
libwebp-1.0.0-1.el8.x86_64
libxcb-1.13.1-1.el8.x86_64
nginx-1:1.14.1-9.module_el8.0.0+184+e34fea82.x86_64
nginx-all-modules-1:1.14.1-9.module_el8.0.0+184+e34fea82.noarch
nginx-filesystem-1:1.14.1-9.module_el8.0.0+184+e34fea82.noarch
nginx-mod-http-image-filter-1:1.14.1-9.module_el8.0.0+184+e34fea82.x86_64
nginx-mod-http-perl-1:1.14.1-9.module_el8.0.0+184+e34fea82.x86_64
nginx-mod-http-xslt-filter-1:1.14.1-9.module_el8.0.0+184+e34fea82.x86_64
nginx-mod-mail-1:1.14.1-9.module_el8.0.0+184+e34fea82.x86_64
nginx-mod-stream-1:1.14.1-9.module_el8.0.0+184+e34fea82.x86_64
perl-Carp-1.42-396.el8.noarch
perl-Errno-1.28-416.el8.x86_64
perl-Exporter-5.72-396.el8.noarch
perl-File-Path-2.15-2.el8.noarch
perl-IO-1.38-416.el8.x86_64
perl-PathTools-3.74-1.el8.x86_64
perl-Scalar-List-Utils-3:1.49-2.el8.x86_64
perl-Socket-4:2.027-3.el8.x86_64
perl-Text-Tabs+Wrap-2013.0523-395.el8.noarch
perl-Unicode-Normalize-1.25-396.el8.x86_64
perl-constant-1.33-396.el8.noarch
perl-interpreter-4:5.26.3-416.el8.x86_64
perl-libs-4:5.26.3-416.el8.x86_64
perl-macros-4:5.26.3-416.el8.x86_64
perl-parent-1:0.237-1.el8.noarch
perl-threads-1:2.21-2.el8.x86_64
perl-threads-shared-1.58-2.el8.x86_64
Complete!
Enable and start Nginx service.
[root@nginx-01 ~]# systemctl enable --now nginx.service
Created symlink /etc/systemd/system/multi-user.target.wants/nginx.service → /usr/lib/systemd/system/nginx.service.
Allow HTTP and HTTPS services in Linux firewall.
[root@nginx-01 ~]# firewall-cmd --permanent --add-service={http,https}
success
[root@nginx-01 ~]# firewall-cmd --reload
success
Open URL http://nginx-01.centlinux.com in a web browser.
Our Nginx web server has been installed and configured successfully.
Installing a Self-Signed SSL/TLS Certificate in Nginx:
You can use a self-signed SSL/TLS certificate for your Nginx websites if you are hosting a website on a network where the users already know the authenticity of your website, or if you have not set up a certificate authority for your network.
A self-signed SSL/TLS certificate is one that is not signed by a Certificate Authority (CA). Such certificates are easy to generate and cost nothing. The trade-off is that nobody vouches for them: a browser cannot tell your self-signed certificate from one an attacker generates for the same hostname, so the connection is only protected against an active attacker if the clients have been given your certificate (or an internal CA certificate) to trust explicitly.
Create an nginx directory under /etc/pki to store the SSL/TLS certificate and private key.
[root@nginx-01 ~]# mkdir -p /etc/pki/nginx/private
Generate a private key and a self-signed SSL/TLS certificate using the openssl command. The openssl package is installed by default on a minimal CentOS 8 system; if you cannot find it on your server, install it with dnf. The -nodes option leaves the private key unencrypted so that Nginx can start without a passphrase; openssl creates the key file with mode 0600, and it should stay readable by root only. The -addext option (OpenSSL 1.1.1 and later, as shipped with CentOS 8) adds a Subject Alternative Name, which current browsers require: they no longer match the hostname against the Common Name alone.
[root@nginx-01 ~]# openssl req -x509 -nodes -days 365 -newkey rsa:2048 -addext "subjectAltName=DNS:nginx-01.centlinux.com" -keyout /etc/pki/nginx/private/nginx-01.key -out /etc/pki/nginx/nginx-01.crt
Generating a RSA private key
................................+++++
.+++++
writing new private key to '/etc/pki/nginx/private/nginx-01.key'
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [XX]:PK
State or Province Name (full name) []:Sindh
Locality Name (eg, city) [Default City]:Karachi
Organization Name (eg, company) [Default Company Ltd]:CentLinux
Organizational Unit Name (eg, section) []:IT Lab
Common Name (eg, your name or your server's hostname) []:nginx-01.centlinux.com
Email Address []:ahmer@nginx-01.centlinux.com
Edit the Nginx configuration file and enable the server block that serves your website over HTTPS.
[root@nginx-01 ~]# vi /etc/nginx/nginx.conf
The stock Nginx configuration file already contains a server block for HTTPS, but its directives are commented out by default.
Uncomment the following lines and update the paths of ssl_certificate and ssl_certificate_key. ssl_ciphers PROFILE=SYSTEM delegates the choice of cipher suites and protocol versions to the system-wide crypto policy (see update-crypto-policies), so do not replace it with a hand-written cipher list unless you know why. The last closing brace belongs to the enclosing http block, not to the server block.
# Settings for a TLS enabled server.
    server {
        listen       443 ssl http2 default_server;
        listen       [::]:443 ssl http2 default_server;
        server_name  _;
        root         /usr/share/nginx/html;

        ssl_certificate "/etc/pki/nginx/nginx-01.crt";
        ssl_certificate_key "/etc/pki/nginx/private/nginx-01.key";
        ssl_session_cache shared:SSL:1m;
        ssl_session_timeout  10m;
        ssl_ciphers PROFILE=SYSTEM;
        ssl_prefer_server_ciphers on;

        # Load configuration files for the default server block.
        include /etc/nginx/default.d/*.conf;

        location / {
        }

        error_page 404 /404.html;
        location = /40x.html {
        }

        error_page 500 502 503 504 /50x.html;
        location = /50x.html {
        }
    }
}   # closes the enclosing http { } block
Check the configuration syntax with nginx -t, then restart the Nginx service to apply the changes.
[root@nginx-01 ~]# systemctl restart nginx.service
Open the URL https://nginx-01.centlinux.com in a web browser. The browser will warn you that the certificate is not trusted, because no CA it knows has signed it. This is expected for a self-signed certificate. To make the warning go away for your users, import the certificate into their browser or operating system trust store rather than teaching them to click through such warnings, since the same warning is the only sign they would get of a real man-in-the-middle attack.
Installing a CA-Signed SSL/TLS Certificate in Nginx:
As we saw with the self-signed certificate above, anyone can generate an SSL/TLS certificate for any hostname, so a self-signed certificate says nothing about who really operates the website.
Therefore, to let clients verify the authenticity of our website, we need our SSL/TLS certificate to be digitally signed by a publicly trusted Certificate Authority (CA), which issues the certificate only after checking that we control the domain name.
The authenticity of such a CA is in turn established by its own self-signed root certificate, which ships in the trust stores of operating systems and web browsers. Most CAs do not sign server certificates with the root key directly but with an intermediate CA certificate, which is why the CA usually sends a chain file along with the certificate.
To get our SSL/TLS certificate signed by a CA, we need to generate a Certificate Signing Request (CSR) and send it to that CA.
Before generating a CSR, we need a private key: the CSR contains the matching public key and is signed with the private key, which never leaves the server. Therefore, we first generate a private key using the openssl command. Note that this overwrites the key generated in the self-signed section, so the self-signed certificate, if still referenced in nginx.conf, will no longer match it.
[root@nginx-01 ~]# openssl genrsa -out /etc/pki/nginx/private/nginx-01.key 2048
Generating RSA private key, 2048 bit long modulus (2 primes)
.......................................................................................+++++
..................+++++
e is 65537 (0x010001)
Now generate a CSR using that private key. The Common Name must be the fully qualified hostname that users will type (here nginx-01.centlinux.com). Most CAs take the Subject Alternative Names from their order form, but you can also embed them in the CSR with -addext "subjectAltName=DNS:nginx-01.centlinux.com". Leave the challenge password blank; it is a legacy attribute that public CAs do not use.
[root@nginx-01 ~]# openssl req -new -key /etc/pki/nginx/private/nginx-01.key -out /etc/pki/nginx/nginx-01.csr
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [XX]:PK
State or Province Name (full name) []:Sindh
Locality Name (eg, city) [Default City]:Karachi
Organization Name (eg, company) [Default Company Ltd]:CentLinux
Organizational Unit Name (eg, section) []:IT Lab
Common Name (eg, your name or your server's hostname) []:nginx-01.centlinux.com
Email Address []:ahmer@nginx-01.centlinux.com
Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:
An optional company name []:
Now submit this CSR to the CA through its web portal, by email, or by whatever channel it offers. The CSR contains only the public key and the subject details, so it is not secret; the private key, on the other hand, must never be sent to anyone.
The CA will validate that you control the domain, digitally sign a certificate for it, and send back two files:
- The digitally signed SSL/TLS certificate for your server
- The CA chain: the intermediate certificate(s) that link your certificate to a root trusted by browsers
Nginx has no separate directive for the chain; ssl_certificate takes a single file containing your certificate followed by the chain, in that order. The root certificate itself does not need to be included, since clients already have it. Build the bundle as follows (assuming the CA returned your certificate as nginx-01.crt and the chain as CA.crt in the current directory); use > rather than >> so that re-running the command cannot append a duplicate copy to the file.
[root@nginx-01 ~]# cat nginx-01.crt CA.crt > /etc/pki/nginx/bundle.crt
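Both flows in this article (the self-signed certificate from the first section, and the key, CSR, CA signature and bundle from this section) can be exercised end to end on a workstation before anything is copied to the server. The script below is an added example, not code from the article: it generates a self-signed server certificate with a SAN, then plays both sides of the CA exchange with a throwaway local CA that is constructed here and stands in for the commercial CA, builds the bundle in the order Nginx expects, and finishes with the checks a practitioner runs before pointing Nginx at the files: that the private key matches the first certificate in the bundle, that the certificate chains to the CA, and that the SAN carries the hostname. It assumes OpenSSL 1.1.1 or newer (for -addext) and a writable scratch directory; nothing is written under /etc/pki.

```shell
#!/bin/sh
# Added example, not code from the article: the self-signed flow and the
# CSR -> CA -> bundle flow run end to end offline, followed by the checks
# worth running before pointing nginx at the files. The "CA" here is a
# throwaway key pair constructed in this script, standing in for the
# commercial CA. Assumes openssl >= 1.1.1 and a writable scratch directory.
set -eu

WORK="${WORK:-$(mktemp -d)}"          # scratch directory (assumption)
HOST="nginx-01.centlinux.com"         # the article's server name
SAN="subjectAltName=DNS:$HOST"        # browsers match the SAN, not the CN

# Self-signed certificate (section 1). $1 = file basename, $2 = subject,
# $3 = one X.509v3 extension. -nodes leaves the key unencrypted so nginx
# can start unattended, hence the chmod: only root should be able to read it.
self_signed() {
    openssl req -x509 -nodes -sha256 -days 365 -newkey rsa:2048 \
        -subj "$2" -addext "$3" \
        -keyout "$WORK/$1.key" -out "$WORK/$1.crt" 2>/dev/null
    chmod 600 "$WORK/$1.key"
}

# Private key plus CSR to send to the CA (section 2). The CSR carries the
# SAN; a real CA may take the names from its order form instead.
make_csr() {
    openssl genrsa -out "$WORK/$HOST.key" 2048 2>/dev/null
    chmod 600 "$WORK/$HOST.key"
    openssl req -new -sha256 -key "$WORK/$HOST.key" \
        -subj "/C=PK/ST=Sindh/L=Karachi/O=CentLinux/CN=$HOST" \
        -addext "$SAN" -out "$WORK/$HOST.csr" 2>/dev/null
}

# What the CA does with the CSR: issue a certificate signed by the CA key.
# x509 -req does not copy extensions from the CSR, so the CA states them.
ca_sign() {
    printf '%s\nextendedKeyUsage=serverAuth\n' "$SAN" > "$WORK/leaf.ext"
    openssl x509 -req -sha256 -days 90 -in "$WORK/$HOST.csr" \
        -CA "$WORK/ca.crt" -CAkey "$WORK/ca.key" -CAcreateserial \
        -extfile "$WORK/leaf.ext" -out "$WORK/$HOST.crt" 2>/dev/null
}

# Bundle in the order nginx expects: our certificate first, then the issuing
# chain. '>' rather than '>>' so a second run cannot append duplicates.
make_bundle() {
    cat "$WORK/$HOST.crt" "$WORK/ca.crt" > "$WORK/bundle.crt"
}

# Returns 0 if the certificate file's SAN lists the host, 1 otherwise.
cert_has_san() {
    openssl x509 -in "$1" -noout -text | grep -q "DNS:$HOST"
}

# Pre-flight checks. Prints "ok" (exit 0) only if the private key matches the
# first certificate in the bundle, that certificate chains to the CA for this
# hostname, and it carries the SAN; otherwise names the failing check, exit 1.
verify_bundle() {
    _cert_pub=$(openssl x509 -in "$WORK/bundle.crt" -noout -pubkey | openssl sha256)
    _key_pub=$(openssl pkey -in "$WORK/$HOST.key" -pubout 2>/dev/null | openssl sha256)
    [ "$_cert_pub" = "$_key_pub" ] || { echo "key does not match certificate"; return 1; }
    openssl verify -CAfile "$WORK/ca.crt" -verify_hostname "$HOST" \
        "$WORK/bundle.crt" >/dev/null 2>&1 \
        || { echo "certificate does not chain to the CA"; return 1; }
    cert_has_san "$WORK/bundle.crt" || { echo "SAN missing"; return 1; }
    echo ok
}

# Number of PEM certificates in the bundle (leaf + chain): 2 in this example.
bundle_cert_count() {
    grep -c 'BEGIN CERTIFICATE' "$WORK/bundle.crt"
}

# Section 1: a self-signed server certificate like the article's, with a SAN.
self_signed "selfsigned-$HOST" "/C=PK/O=CentLinux/CN=$HOST" "$SAN"

# Section 2: throwaway CA, then CSR, signing, bundle and verification.
self_signed ca "/O=Example Test CA/CN=Example Test CA" \
    "keyUsage=critical,keyCertSign,cRLSign"
make_csr
ca_sign
make_bundle
verify_bundle
```

The same verify_bundle checks apply unchanged to a real bundle: point -CAfile at the chain file the CA sent (or at the system bundle, /etc/pki/tls/certs/ca-bundle.crt on CentOS) and the key path at /etc/pki/nginx/private/nginx-01.key. A key/certificate mismatch is the most common reason Nginx refuses to start after a renewal, and a missing intermediate is the most common reason browsers trust the site but curl, Java clients or monitoring agents do not. Against a live server, openssl s_client -connect nginx-01.centlinux.com:443 -servername nginx-01.centlinux.com -showcerts prints the chain the server actually sends.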
Edit the Nginx configuration file to enable HTTPS and install the CA-signed SSL/TLS certificate.
[root@nginx-01 ~]# vi /etc/nginx/nginx.conf
We need a server block that enables HTTPS in Nginx. Luckily, the stock Nginx configuration file already contains a commented-out server block for SSL/TLS.
Locate and uncomment the following server block. We have also updated the locations of the SSL/TLS certificate bundle and the private key therein; ssl_certificate points at the bundle (our certificate followed by the chain), not at the bare certificate. The last closing brace belongs to the enclosing http block.
# Settings for a TLS enabled server.
    server {
        listen       443 ssl http2 default_server;
        listen       [::]:443 ssl http2 default_server;
        server_name  _;
        root         /usr/share/nginx/html;

        ssl_certificate "/etc/pki/nginx/bundle.crt";
        ssl_certificate_key "/etc/pki/nginx/private/nginx-01.key";
        ssl_session_cache shared:SSL:1m;
        ssl_session_timeout  10m;
        ssl_ciphers PROFILE=SYSTEM;
        ssl_prefer_server_ciphers on;

        # Load configuration files for the default server block.
        include /etc/nginx/default.d/*.conf;

        location / {
        }

        error_page 404 /404.html;
        location = /40x.html {
        }

        error_page 500 502 503 504 /50x.html;
        location = /50x.html {
        }
    }
}   # closes the enclosing http { } block
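The stock server block used in both sections of this article works, but it leaves port 80 serving the site in clear text alongside HTTPS and accepts whatever protocol versions the system policy happens to allow. Below is an added example, not from the article or from the CentOS nginx.conf, of the pair of server blocks a practitioner would deploy instead, with either the self-signed certificate or the CA-signed bundle: port 80 only redirects, port 443 serves the site over TLS 1.2/1.3 and sends an HSTS header. It assumes Nginx 1.14 on CentOS 8 with OpenSSL 1.1.1 (needed for TLS 1.3), the hostname and file paths from this article, and that the stock port-80 default_server block is replaced by the one shown here. The redirect target is the literal hostname rather than $host on purpose: the Host header is attacker-controlled, and a catch-all server that redirects to $host is an open redirect.

```nginx
# Added example: HTTP-to-HTTPS redirect plus hardened TLS server block for
# nginx-01.centlinux.com. Replaces the stock port-80 and port-443 blocks.

server {
    listen       80 default_server;
    listen       [::]:80 default_server;
    server_name  nginx-01.centlinux.com;

    # Nothing is served in clear text: every request is sent to HTTPS.
    # Literal hostname, not $host: the Host header is attacker-controlled,
    # and redirecting to $host on a catch-all server is an open redirect.
    return 301 https://nginx-01.centlinux.com$request_uri;
}

server {
    listen       443 ssl http2 default_server;
    listen       [::]:443 ssl http2 default_server;
    server_name  nginx-01.centlinux.com;
    root         /usr/share/nginx/html;

    # Server certificate first, then the CA chain (the bundle built above).
    # For the self-signed setup, point this at /etc/pki/nginx/nginx-01.crt.
    ssl_certificate     /etc/pki/nginx/bundle.crt;
    ssl_certificate_key /etc/pki/nginx/private/nginx-01.key;

    # Refuse SSLv3, TLS 1.0 and TLS 1.1 outright instead of relying on the
    # system policy for them. Cipher suites still come from the system policy.
    ssl_protocols TLSv1.2 TLSv1.3;
    ssl_ciphers PROFILE=SYSTEM;
    ssl_prefer_server_ciphers on;

    ssl_session_cache shared:SSL:10m;
    ssl_session_timeout 1d;
    # Session tickets are encrypted with a key nginx keeps in memory for the
    # life of the loaded configuration, which weakens forward secrecy for
    # resumed sessions; the shared session cache is enough here.
    ssl_session_tickets off;

    # HSTS: a browser that has seen this header refuses plain HTTP for a year.
    # Start with a short max-age (e.g. 300) until every host is known to work.
    add_header Strict-Transport-Security "max-age=31536000" always;

    # Load configuration files for the default server block.
    include /etc/nginx/default.d/*.conf;

    location / {
    }

    error_page 404 /404.html;
    location = /40x.html {
    }

    error_page 500 502 503 504 /50x.html;
    location = /50x.html {
    }
}
```

Run nginx -t before applying it, and prefer systemctl reload nginx.service over a restart so that established connections are not dropped. Keep the HSTS max-age short until you are certain that every hostname and subdomain the header will cover is reachable over HTTPS, because browsers will honour it for the full period even after you remove the header.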
Check the configuration syntax with nginx -t, then restart the Nginx service to apply the changes.
[root@nginx-01 ~]# systemctl restart nginx.service
Open the URL https://nginx-01.centlinux.com in a web browser. This time the page is served over HTTPS without any warning or error, because the browser can build a chain from our certificate, through the intermediate in the bundle, to a root it already trusts. If the browser still complains, the usual cause is a missing or misordered intermediate in bundle.crt; openssl s_client -connect nginx-01.centlinux.com:443 -servername nginx-01.centlinux.com -showcerts shows exactly which certificates the server sends and ends with Verify return code: 0 (ok) when the chain is complete.
Conclusion:
In this article, we have generated and installed an SSL/TLS certificate in the Nginx web server, covering both a self-signed certificate for internal use and a CA-signed certificate, with its chain bundled, for public websites.