There was a time when nobody cared about SSL. Nowadays it is vital that your website is SSL-enabled. Current browsers mark websites served over plain HTTP as "Not secure", and Google search gives a slight ranking boost to websites served over HTTPS.
Honestly, it's sort of lame if you run a website and do not provide SSL. Gone are the days when SSL was expensive. You can get an entry-level SSL certificate for as little as $8 to $12 per year (depending on the vendor and seller).
What has not changed is the tricky part: installing the certificate on the server. If you use the services of a system administrator, he or she can of course set it up for you. But even for them it is a pain in the neck. Below you will find very simple, step by step instructions for setting up SSL on the Nginx web server. If you use a different web server, the first steps still apply; only the last step, the installation itself, depends on the web server.
For the final steps we assume that our SSL vendor is Comodo. For other brands the last step may differ slightly.
Step 1. Generate CSR
Regardless of the web server and the brand of SSL, the very first step is to generate a CSR (Certificate Signing Request). Some sellers ask for the CSR before you order and some ask immediately after. So, let's generate the CSR first.
You have two options for generating a CSR. The first is to use OpenSSL and the second is to use an online CSR generator. Bear in mind that if an online tool generates the private key for you, that key has passed through a machine you do not control; generating it locally with OpenSSL avoids that. There is one more way to generate a CSR if you happen to be using IIS. I will show you option one, OpenSSL.
openssl req -new -newkey rsa:2048 -nodes -keyout yourdomain.key -out yourdomain.csr
This command generates two files: the CSR (yourdomain.csr) and the private key (yourdomain.key). Once the certificate has been issued you can delete the CSR. Keep the private key secure though: the -nodes flag writes it unencrypted, so restrict its file permissions, and never send it to the seller. They only ever need the CSR.
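The same Step 1, as an added example that is not part of the original post: a small shell script that generates the key and CSR, keeps the key readable by you alone, and checks that the CSR really belongs to that key before you hand it to the seller. It assumes OpenSSL 1.1.1 or newer (for -addext); the country, organisation and domain names are placeholders.

```shell
#!/bin/sh
# Added example, not part of the original post: generate the key and CSR from
# Step 1 in a script and check that the two belong together before sending
# the CSR off. Assumes OpenSSL 1.1.1 or newer (for -addext); the domain,
# organisation and country are placeholders.
set -eu

# gen_csr DOMAIN OUTDIR
# Writes OUTDIR/DOMAIN.key (unencrypted, mode 0600) and OUTDIR/DOMAIN.csr.
# The CSR carries the bare domain and its www. alias as subject alternative
# names, which is what browsers actually match against.
gen_csr() {
    domain="$1"
    outdir="$2"
    # -nodes writes the key unencrypted, so make it unreadable to others
    # from the moment it is created rather than fixing permissions later.
    old_umask=$(umask)
    umask 077
    openssl req -new -newkey rsa:2048 -nodes -sha256 \
        -keyout "$outdir/$domain.key" -out "$outdir/$domain.csr" \
        -subj "/C=US/O=Example Ltd/CN=$domain" \
        -addext "subjectAltName=DNS:$domain,DNS:www.$domain" 2>/dev/null
    umask "$old_umask"
}

# csr_matches_key CSR KEY
# Succeeds only if the CSR's self-signature verifies and the public key
# inside it is the one derived from KEY. A mismatch here means the
# certificate the CA eventually issues will never load next to this key.
csr_matches_key() {
    openssl req -in "$1" -noout -verify >/dev/null 2>&1 || return 1
    csr_pub=$(openssl req -in "$1" -noout -pubkey | openssl dgst -sha256)
    key_pub=$(openssl pkey -in "$2" -pubout | openssl dgst -sha256)
    [ "$csr_pub" = "$key_pub" ]
}

# csr_san CSR: print the subject alternative names the CA will see.
csr_san() {
    openssl req -in "$1" -noout -text | grep 'DNS:'
}

# Usage: sh gen_csr.sh example.com   (writes example.com.key/.csr here)
if [ $# -eq 1 ]; then
    gen_csr "$1" .
    csr_matches_key "./$1.csr" "./$1.key" && echo "CSR and key match"
    csr_san "./$1.csr"
fi
```

The key-vs-CSR comparison hashes the public key extracted from each file; if the hashes differ you have a CSR that was generated against some other key (a common mistake after re-running the command), and the certificate you pay for will be useless with the key you kept.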
Step 2. Purchase SSL Certificate
This step depends on the seller. The companies that issue certificates (the CAs) often do not sell them directly; instead there are numerous resellers from whom you can buy. Regardless of the seller, you need the CSR generated in Step 1 either to place the order or to complete it, so your seller will ask for it at some point. Afterwards you have to prove that you control the domain. For the email method you provide an address at that domain (normally admin@yourdomain.com, hostmaster@yourdomain.com or postmaster@yourdomain.com) to which a verification link is sent. Once you click the link, the domain counts as verified and you receive the certificate shortly after.
Step 3. Preparing the SSL Certificate
Normally when you install a Comodo certificate you also need to include the so called Root CA Certificate and the Intermediate CA Certificates. Comodo used to send these files separately, so you would get four different files:
AddTrustExternalCARoot.crt (Root CA Certificate)
COMODORSAAddTrustCA.crt (Intermediate CA Certificate)
COMODORSADomainValidationSecureServerCA.crt (Intermediate CA Certificate)
Your Certificate – yourdomain.crt
These days you normally get two files: your certificate and a bundle of the first three.
For Nginx you need to combine them into a single certificate file. On Linux and Mac you open a terminal and use the cat command.
cat yourdomain.crt COMODORSADomainValidationSecureServerCA.crt COMODORSAAddTrustCA.crt AddTrustExternalCARoot.crt > yourdomain-bundle.crt
If you get only two files (your certificate and a bundled version of the three CA certificates, normally named yourdomain.ca-bundle) you use the same approach:
cat yourdomain.crt yourdomain.ca-bundle > yourdomain-bundle.crt
The only important thing here is the order. Your own certificate must come first, followed by the intermediate that signed it, then the intermediate above that, and the root last. Nginx treats the first certificate in the file as the server certificate and pairs it with your private key, so anything else in first position simply fails to load. The root is already in every client's trust store, so including it is optional.
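Since the order is the one thing that goes wrong here, this added example (not part of the original post) builds the bundle as in Step 3 and then checks it the way Nginx will read it in Step 4: the first certificate must match the private key, and each certificate must be followed by its issuer. File names are placeholders; it needs only the openssl command line tool.

```shell
#!/bin/sh
# Added example, not part of the original post: build the bundle from Step 3
# and verify its order before uploading it. Only openssl and awk are needed.
set -eu

# build_bundle OUT LEAF [CA...]: concatenate in the given order, leaf first.
build_bundle() {
    out="$1"; shift
    cat "$@" > "$out"
}

# nth_cert BUNDLE N: print the N-th PEM certificate (1-based) in BUNDLE.
nth_cert() {
    awk -v want="$2" '
        /-----BEGIN CERTIFICATE-----/ { n++ }
        n == want { print }
        /-----END CERTIFICATE-----/ && n == want { exit }
    ' "$1"
}

# cert_count BUNDLE: number of PEM certificates in the file (0 if none).
cert_count() {
    grep -c -- '-----BEGIN CERTIFICATE-----' "$1" || :
}

# check_bundle BUNDLE KEY
# 1. The first certificate must be the one for KEY, because Nginx pairs
#    ssl_certificate_key with the first certificate in ssl_certificate.
# 2. Every certificate must be issued by the one that follows it, which is
#    what "your domain first, then intermediates, then root" really means.
check_bundle() {
    bundle="$1"; key="$2"
    n=$(cert_count "$bundle")
    [ "$n" -ge 1 ] || { echo "no certificates in $bundle"; return 1; }

    leaf_pub=$(nth_cert "$bundle" 1 | openssl x509 -noout -pubkey | openssl dgst -sha256)
    key_pub=$(openssl pkey -in "$key" -pubout | openssl dgst -sha256)
    if [ "$leaf_pub" != "$key_pub" ]; then
        echo "first certificate in $bundle does not match $key (wrong order?)"
        return 1
    fi

    i=1
    while [ "$i" -lt "$n" ]; do
        issuer=$(nth_cert "$bundle" "$i" | openssl x509 -noout -issuer)
        subject=$(nth_cert "$bundle" $((i + 1)) | openssl x509 -noout -subject)
        # Both come from the same openssl binary, so after stripping the
        # "issuer=" / "subject=" labels the DN strings compare exactly.
        if [ "${issuer#issuer=}" != "${subject#subject=}" ]; then
            echo "certificate $i is not issued by certificate $((i + 1))"
            return 1
        fi
        i=$((i + 1))
    done
    return 0
}

# Usage: sh check_bundle.sh yourdomain-bundle.crt yourdomain.key
if [ $# -eq 2 ]; then
    check_bundle "$1" "$2" && echo "bundle order and key OK"
fi
```

Run it against yourdomain-bundle.crt and yourdomain.key before you upload anything; a reversed bundle or a bundle built from the wrong .crt fails immediately with a message saying which link in the chain is broken. Once the site is live, openssl s_client -connect yourdomain.com:443 -servername yourdomain.com shows the chain the server actually sends, which is the same order check seen from the client side.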
Step 4. Installing the Certificate
Upload the private key (generated in Step 1) and the yourdomain-bundle.crt file (generated in Step 3) to your server and copy them to the /etc/nginx/ssl/ folder. Make the key readable by root only; the Nginx master process reads it as root at startup, and nothing else on the box needs to see it.
Now we need to tell Nginx to actually use the certificate. Modify the config file for your site and add the following to the server block, then check the syntax with nginx -t and reload Nginx.
server {
    listen 443 ssl;
    server_name yourdomain.com;
    ssl_certificate /etc/nginx/ssl/yourdomain-bundle.crt;
    ssl_certificate_key /etc/nginx/ssl/yourdomain.key;
    # The old "ssl on;" directive is deprecated and removed in recent
    # Nginx releases; the ssl parameter on listen replaces it.
    # SSLv2 and SSLv3 are long broken and TLS 1.0/1.1 are deprecated
    # (RFC 8996), so offer only TLS 1.2 and 1.3 (TLS 1.3 needs
    # OpenSSL 1.1.1 or newer on the server).
    ssl_protocols TLSv1.2 TLSv1.3;
}