How to configure an SSL certificate with Nginx

Hello all,

So you just got a Comodo Positive SSL or any other certificate for your amazing website? You are probably wondering how to make it work with Nginx. This is a post to explain some of those configurations.

We’ll start by assuming that you either generated a private key yourself, or the place you bought the certificate from did it for you. Either way, you should have:

  • a file with the private key. We’ll call this file privkey.pem
  • One or more certificate files, either:
    • a single .pem file that already contains the whole chain, that we’ll call fullchain.pem, or
    • 2, 3 or 4 separate .crt files, that we’ll call YourDomain.crt (your own certificate), COMODORSADomainValidationSecureServerCA.crt and COMODORSAAddTrustCA.crt (the intermediates) and AddTrustExternalCARoot.crt (the root).

The way Nginx works is that ssl_certificate must point to one file that holds your certificate followed by the intermediate certificates, and ssl_certificate_key to the private key; both are required (unlike Apache, Nginx has no separate directive for the chain). The .pem file is nothing more than the content of the .crt files concatenated. So, if you already have a fullchain.pem, the first step is done. If you don’t, you need to create one by concatenating the .crt files from the lowest “authority” to the highest: your own certificate first, then the intermediates, then the root. For that, we do something like this:

cat YourDomain.crt COMODORSADomainValidationSecureServerCA.crt COMODORSAAddTrustCA.crt AddTrustExternalCARoot.crt > fullchain.pem

Once you do this, you’ll have your pem file! The root certificate is already in every client’s trust store, so you can leave AddTrustExternalCARoot.crt out of the bundle; sending it only adds bytes to each handshake. (That particular root also expired in May 2020, so if your bundle still carries it, rebuild the bundle from what your CA ships today.)

Now you need to copy both the pem file and the private key file to a safe location, for instance /etc/nginx/ssl. Make sure that root owns that folder and all files inside it, that the folder has 700 permissions and the files 600. Nginx’s master process runs as root and loads the key itself at startup, so the unprivileged worker processes never need to read the file; nobody but root should be able to.
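As an added example (this is not code from the original post), here is a small POSIX shell script that does the steps above in one go and, more importantly, checks the result before Nginx ever loads it: it builds fullchain.pem in the right order, confirms that the first certificate in the bundle is your own, that privkey.pem actually belongs to it and that a path to the root can be built from the bundle, and then installs everything with the permissions just described. File names follow the post; the /etc/nginx/ssl target (overridable through SSL_DIR), the function names and the dhparam step are assumptions of this example.

```shell
#!/bin/sh
# Added example, not from the original post: assemble fullchain.pem from the
# separate .crt files, check the bundle before nginx loads it, and install it
# under /etc/nginx/ssl with the permissions recommended above.
# File names follow the post; SSL_DIR and the function names are assumptions.
set -eu

SSL_DIR=${SSL_DIR:-/etc/nginx/ssl}

# Concatenate the leaf certificate first, then the intermediates in order.
# The root is deliberately left out: clients already trust it.
build_chain() {
    out=$1; shift
    cat "$@" > "$out"
}

# Number of PEM certificates in a bundle (grep -c exits 1 when there are none).
count_certs() {
    grep -c 'BEGIN CERTIFICATE' "$1" || true
}

# nginx sends the certificates in file order and the first one must be the
# server's own, so compare its fingerprint with the leaf's.
check_chain_order() {
    first_fp=$(openssl x509 -in "$1" -noout -fingerprint -sha256)
    leaf_fp=$(openssl x509 -in "$2" -noout -fingerprint -sha256)
    if [ "$first_fp" != "$leaf_fp" ]; then
        echo "error: first certificate in $1 is not $2 (wrong cat order?)" >&2
        return 1
    fi
}

# A key that does not belong to the certificate is behind most
# "SSL_CTX_use_PrivateKey_file() failed" errors; the public keys must match.
check_key_matches() {
    cert_pub=$(openssl x509 -in "$1" -noout -pubkey)
    key_pub=$(openssl pkey -in "$2" -pubout)
    if [ "$cert_pub" != "$key_pub" ]; then
        echo "error: $2 does not match $1" >&2
        return 1
    fi
}

# Build a path from the leaf through the bundled intermediates to a trusted
# root, as a client would (the root comes from $3, not from the bundle).
verify_chain() {
    openssl verify -CAfile "$3" -untrusted "$1" "$2"
}

# Copy bundle and key into place: directory 700, files 600, owned by root when
# we are root (the nginx master runs as root and reads the key itself).
install_certs() {
    dst=$1
    install -d -m 700 "$dst"
    install -m 600 "$2" "$dst/fullchain.pem"
    install -m 600 "$3" "$dst/privkey.pem"
    if [ "$(id -u)" -eq 0 ]; then
        chown -R root:root "$dst"
    fi
}

# usage: install-cert.sh LEAF.crt KEY.pem ROOT.crt [INTERMEDIATE.crt...]
main() {
    if [ $# -lt 3 ]; then
        echo "usage: $0 LEAF.crt KEY.pem ROOT.crt [INTERMEDIATE.crt...]" >&2
        return 2
    fi
    leaf=$1 key=$2 root=$3; shift 3
    build_chain fullchain.pem "$leaf" "$@"
    echo "fullchain.pem contains $(count_certs fullchain.pem) certificates"
    check_chain_order fullchain.pem "$leaf"
    check_key_matches "$leaf" "$key"
    verify_chain fullchain.pem "$leaf" "$root"
    install_certs "$SSL_DIR" fullchain.pem "$key"
    # ssl_dhparam needs this file too; 2048-bit generation takes a while
    [ -f "$SSL_DIR/dhparam.pem" ] || openssl dhparam -out "$SSL_DIR/dhparam.pem" 2048
    echo "installed into $SSL_DIR; now run: nginx -t && nginx -s reload"
}

# Only act when invoked with arguments, so the functions can also be sourced.
[ $# -eq 0 ] || main "$@"
```

Run it as root, for instance as ./install-cert.sh YourDomain.crt privkey.pem AddTrustExternalCARoot.crt COMODORSADomainValidationSecureServerCA.crt COMODORSAAddTrustCA.crt. The key check is worth keeping even if you never use the rest, and the order check turns the generic key-mismatch error Nginx gives you for a bundle whose first certificate is an intermediate into a message that says what actually went wrong.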

Now you just need to go to your Nginx host configuration file (usually /etc/nginx/nginx.conf, unless you keep one file per host under conf.d or sites-enabled) and edit the server block that matches the host you’ll use the certificate for. These directives must be present:

listen 443 ssl;   # "ssl on;" is deprecated since nginx 1.15.0; enable TLS on the listen directive instead
ssl_certificate /etc/nginx/ssl/fullchain.pem;
ssl_certificate_key /etc/nginx/ssl/privkey.pem;

You can always increase the security of your website by adding some recommended configurations, such as generating your own Diffie-Hellman parameters (with openssl dhparam), allowing only safe TLS protocols and ciphers, activating HSTS (carefully: includeSubDomains commits every subdomain to HTTPS for the whole max-age, so make sure all of them already serve it), and taking care of session cache timeouts.

# TLS 1.0 and 1.1 are deprecated (RFC 8996); TLSv1.3 needs nginx 1.13.0+ built against OpenSSL 1.1.1+
ssl_protocols TLSv1.2 TLSv1.3;
# HSTS: "always" sends the header on error responses too (nginx 1.7.5+)
add_header Strict-Transport-Security "max-age=31536000; includeSubDomains" always;
# Ciphers: forward-secret AEAD suites only, for TLS 1.2 clients (TLS 1.3 suites are fixed and not affected by ssl_ciphers)
ssl_ciphers 'ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384';
ssl_prefer_server_ciphers on;
# Diffie-Hellman parameters, only used when a DHE-* suite is enabled; recommended 2048 bits
ssl_dhparam /etc/nginx/ssl/dhparam.pem;
# enable session resumption to improve https performance
# http://vincent.bernat.im/en/blog/2011-ssl-session-reuse-rfc5077.html
ssl_session_cache shared:SSL:50m;
ssl_session_timeout 5m;

If any of these configurations is news to you, you should definitely read the information SSL Labs has for you. You should also check your website’s configuration using their SSL Server Test. It’s a great help!

Well, that’s it for today. I hope you enjoy your new SSL certificate. Stay safe!

This entry was posted in Linux, Servers.