Nginx Generate Key From Crt

Dec 17, 2018

Create an SSL certificate: you can create your own SSL certificate with the OpenSSL binary. A certificate signing request (CSR) can then be sent to a certificate authority (CA) to be signed into a certificate; if you run your own CA, you can sign it yourself; or you can use a self-signed certificate (because you only want a test certificate, or because you are setting up your own CA).

Introduction

TLS (Transport Layer Security) and its predecessor SSL (Secure Sockets Layer) are protocols used to wrap ordinary traffic, such as HTTP, in an authenticated, encrypted channel.

Using this technology, servers can send traffic safely between the server and the client without the concern that the messages will be intercepted and read by an outside party. The certificate system also assists users in verifying the identity of the sites that they are connecting with.

In this guide, we will show you how to set up a self-signed SSL certificate for use with an Nginx web server on an Ubuntu 14.04 server. A self-signed certificate will not validate the identity of your server for your users since it is not signed by one of their web browser’s trusted certificate authorities, but it will allow you to encrypt communications with your web clients.

Note: You may want to consider using Let’s Encrypt instead of a self-signed certificate. Let’s Encrypt is a certificate authority that issues free SSL/TLS certificates trusted by all mainstream browsers. Check out the tutorial to get started: How To Secure Nginx with Let’s Encrypt on Ubuntu 14.04

Prerequisites

To get started on this guide, you will need to set up some basic things on your server.

You should have a non-root user available who has sudo privileges. You can learn how to set up such a user account by following steps 1-4 in our initial server setup for Ubuntu 14.04.

After that, you’ll also need to have the Nginx web server installed. If you would like to install an entire LEMP (Linux, Nginx, MySQL, PHP) stack on your server, you can follow our guide on setting up LEMP on Ubuntu 14.04.

If you just want the Nginx web server, you can instead install the nginx package with apt-get.

Step One — Create the SSL Certificate

We can start off by creating a directory that will be used to hold all of our SSL information. We should create this under the Nginx configuration directory, at /etc/nginx/ssl:

Now that we have a location to place our files, we can create the SSL key and certificate files in one motion by typing:

You will be asked a series of questions. Before we go over that, let’s take a look at what is happening in the command we are issuing:

  • openssl: This is the basic command line tool for creating and managing OpenSSL certificates, keys, and other files.
  • req: This subcommand selects X.509 certificate signing request (CSR) management. X.509 is the public key infrastructure standard that SSL and TLS adhere to for their key and certificate formats. We want to create a new X.509 certificate, so we use this subcommand.
  • -x509: This further modifies the previous subcommand by telling the utility that we want to make a self-signed certificate instead of generating a certificate signing request, as would normally happen.
  • -nodes: This tells OpenSSL not to encrypt the private key with a passphrase (“no DES”). We need Nginx to be able to read the key, without user intervention, when the server starts up; a passphrase would have to be typed in after every restart. The trade-off is that the key sits on disk in plaintext, so it must be readable by root only (mode 0600).
  • -days 365: This option sets the length of time that the certificate will be considered valid. We set it for one year here.
  • -newkey rsa:2048: This specifies that we want to generate a new certificate and a new key at the same time. We did not create the key that is required to sign the certificate in a previous step, so we need to create it along with the certificate. The rsa:2048 portion tells it to make an RSA key that is 2048 bits long.
  • -keyout: This line tells OpenSSL where to place the generated private key file that we are creating.
  • -out: This tells OpenSSL where to place the certificate that we are creating.

As we stated above, these options will create both a key file and a certificate. We will be asked a few questions about our server in order to embed the information correctly in the certificate.

Fill out the prompts appropriately. The most important line is the one that requests the Common Name (e.g. server FQDN or YOUR name). Enter the domain name that you want to be associated with your server; if you do not have one, you can enter the public IP address instead. Note that current browsers match the hostname against the certificate’s Subject Alternative Name (SAN) extension rather than the Common Name, so if you later intend to add this certificate to a client’s trust store, give it a SAN as well (OpenSSL 1.1.1 and later can add one from the command line).

The entirety of the prompts will look something like this:

Both of the files you created will be placed in the /etc/nginx/ssl directory.
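The Step One command, as an added example that is not the tutorial’s own listing: the prompts are answered on the command line so it runs unattended, and a few checks a practitioner would do on the result follow. The file names nginx.key and nginx.crt, the “Example Org” subject and the temporary directory are assumptions; for the tutorial’s layout you would pass /etc/nginx/ssl and run it with sudo. It goes one step beyond the original by adding a subjectAltName, which browsers require before they will ever trust the certificate.

```shell
#!/bin/sh
# Added example, not the tutorial's own listing: the Step One openssl command
# with the prompts answered on the command line, plus checks on the result.
# The file names nginx.key / nginx.crt and the "Example Org" subject are assumptions.
set -eu

# make_selfsigned DIR FQDN [DAYS] -> DIR/nginx.key and DIR/nginx.crt
#   -x509    emit a self-signed certificate instead of a CSR
#   -nodes   leave the private key unencrypted so nginx can start unattended
#   -subj    answer the prompts non-interactively (CN = the site's FQDN)
#   -addext  add a subjectAltName (OpenSSL 1.1.1+); browsers match the hostname
#            against the SAN, not the CN, so a CN-only cert can never be trusted
make_selfsigned() {
  mkdir -p "$1"
  # the key is written in plaintext: create it readable by its owner only
  ( umask 077; openssl req -x509 -nodes -days "${3:-365}" -newkey rsa:2048 -sha256 \
      -subj "/C=US/ST=New York/L=New York City/O=Example Org/CN=$2" \
      -addext "subjectAltName=DNS:$2" \
      -keyout "$1/nginx.key" -out "$1/nginx.crt" 2>/dev/null )
  chmod 644 "$1/nginx.crt"   # the certificate itself is public
}

# cert_cn CRT -> the Common Name the certificate was issued for
cert_cn() {
  openssl x509 -in "$1" -noout -subject -nameopt RFC2253 | sed -n 's/.*CN=\([^,]*\).*/\1/p'
}

# cert_sans CRT -> the DNS names in the certificate's subjectAltName, one per line
cert_sans() {
  openssl x509 -in "$1" -noout -text | grep -o 'DNS:[^, ]*' | sed 's/^DNS://'
}

# self_verifies CRT -> 0 when the cert chains to itself, i.e. a client that is
# told to trust exactly this file (the self-signed model) will accept it
self_verifies() {
  openssl verify -CAfile "$1" "$1" >/dev/null 2>&1
}

# Run directly (sh this_file.sh demo) to generate into a temporary directory;
# for nginx you would use /etc/nginx/ssl and your server's FQDN instead.
if [ "${1-}" = demo ]; then
  d=$(mktemp -d)
  make_selfsigned "$d" demo.example.test 30
  echo "CN:  $(cert_cn "$d/nginx.crt")"
  echo "SAN: $(cert_sans "$d/nginx.crt")"
  self_verifies "$d/nginx.crt" && echo "self-verification OK"
  openssl x509 -in "$d/nginx.crt" -noout -dates
fi
```

The umask in a subshell is what keeps the plaintext key at mode 0600 without a separate chmod race; on OpenSSL older than 1.1.1 (Ubuntu 14.04 ships 1.0.1) -addext is not available and the SAN has to come from a config file instead.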

Step Two — Configure Nginx to Use SSL

We have created our key and certificate files under the Nginx configuration directory. Now we just need to modify our Nginx configuration to take advantage of these by adjusting our server block files. You can learn more about Nginx server blocks in this article.

Nginx versions 0.7.14 and above (Ubuntu 14.04 ships with version 1.4.6) can enable SSL within the same server block as regular HTTP traffic. This allows us to configure access to the same site in a much more succinct manner.

Your server block may look something like this:

The only thing we need to do to get SSL working in this same server block, while still allowing regular HTTP connections, is to add these lines:
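Because the server block and the added lines did not survive on this copy of the page, here is a complete server block as an added example (not the tutorial’s own listing). It assumes the key and certificate were written as /etc/nginx/ssl/nginx.key and /etc/nginx/ssl/nginx.crt in Step One and that the site root is the Ubuntu default, /usr/share/nginx/html. It also goes a little beyond the original by pinning the protocol versions, since nginx 1.4.6 otherwise still offers SSLv3 and TLS 1.0.

```nginx
server {
    # One server block answers both plain HTTP and HTTPS (nginx >= 0.7.14):
    # the "ssl" parameter on listen is what enables TLS on that port.
    listen 80;
    listen 443 ssl;
    server_name your_domain.com;

    # Assumed paths: the files created in Step One.
    ssl_certificate     /etc/nginx/ssl/nginx.crt;
    ssl_certificate_key /etc/nginx/ssl/nginx.key;

    # Hardening beyond the original tutorial: nginx 1.4.6 defaults to
    # "SSLv3 TLSv1 TLSv1.1 TLSv1.2". Offer only TLS 1.2 (and 1.3 where the
    # nginx/OpenSSL build supports it; remove TLSv1.3 on 1.4.6, which rejects
    # unknown protocol names when the configuration is loaded).
    ssl_protocols TLSv1.2 TLSv1.3;
    ssl_prefer_server_ciphers on;
    ssl_session_cache shared:SSL:10m;
    ssl_session_timeout 10m;

    root /usr/share/nginx/html;   # Ubuntu 14.04 default document root (assumption)
    index index.html index.htm;

    location / {
        try_files $uri $uri/ =404;
    }
}
```

Run nginx -t before restarting: it catches a typo in the paths, and a “key values mismatch” error at that point means the .crt and .key are not a pair.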

When you are finished, save and close the file.

Now, all you have to do is restart Nginx to use your new settings:

This should reload your site configuration, now allowing it to respond to both HTTP and HTTPS (SSL) requests.

Step Three — Test your Setup

Your site should now have SSL functionality, but we should test it to make sure.

First, let’s test to make sure we can still access the site using normal HTTP. In your web browser, go to your server’s domain name or IP address:

You should see your normal website. In my example, I’m just serving the default Nginx page:

If you get this page, then your server is still handling HTTP requests correctly.

Now, we can check whether our server can use SSL to communicate. Do this by specifying the https protocol instead of the http protocol.

You will likely get a warning in your web browser that looks something like this:

This is expected. It is telling you that it cannot verify the identity of the server you are trying to connect to because it isn’t signed by a certificate authority that the browser has been configured to trust. Since we created a self-signed certificate, this makes perfect sense.

Click on “Proceed anyway”, “Continue”, or whatever similar option is available. You should see your site again:

Your browser may show the “https” crossed out in the address bar or a broken or crossed out “lock” icon. If you click on the lock icon, you can see some more information about the connection:

As you can see, the issue is only that the browser cannot verify the identity of the server because it isn’t signed by a certificate authority that it is configured to trust. The middle section shows that the connection is encrypted, however, so we have achieved that goal.

Conclusion

You have configured your Nginx server to handle both HTTP and SSL requests. This lets you communicate with clients securely and prevents outside parties from reading your traffic.

If you are planning on using SSL for a public website, you should obtain a certificate from a trusted certificate authority (Let’s Encrypt issues them free of charge) to prevent the scary warnings from being shown to each of your visitors.

Create a CSR using OpenSSL & install your SSL certificate on your Nginx server

Use the instructions on this page to use OpenSSL to create your certificate signing request (CSR) and then to install your SSL certificate on your Nginx server.

Restart Note: After you've installed your SSL/TLS certificate and configured the server to use it, you must restart your Nginx instance.

  1. To create your certificate signing request (CSR), see Nginx: Creating Your CSR with OpenSSL.

  2. To install your SSL certificate, see Nginx: Installing & Configuring Your SSL Certificate.

I. Nginx: Creating Your CSR with OpenSSL

Use the instructions in this section to create your own shell commands for generating your Nginx CSR using OpenSSL.

Recommended: Save yourself some time. Use the DigiCert OpenSSL CSR Wizard to generate an OpenSSL command for creating your Nginx CSR. Just fill out the form, click Generate, and then paste your customized OpenSSL command into your terminal.

How to Generate a CSR for Nginx Using OpenSSL

If you prefer to build your own shell commands to generate your Nginx CSR, follow the instructions below.

  1. Log in to your server via your terminal client (ssh).

  2. Run Command

    At the prompt, type the following command:

    Note: Make sure to replace server with the name of your server.

    openssl req -new -newkey rsa:2048 -nodes -keyout server.key -out server.csr
  3. Generate Files

    1. You've now started the process for generating the following two files:

      • Private-Key File: Used to generate the CSR and later to secure and verify connections using the certificate.
      • Certificate Signing Request (CSR) file: Contains your public key and identifying information, signed with the private key; this is what you submit to order your SSL certificate. The CA issues a certificate carrying that public key, so the certificate will only work with the private key the CSR was generated from.
    2. When prompted for the Common Name (domain name), type the fully qualified domain (FQDN) for the site that you are going to secure.

      Note: If you're generating an Nginx CSR for a Wildcard certificate, make sure your common name starts with an asterisk (e.g., *.example.com).

    3. When prompted, type your organizational information, beginning with your geographic information.

      Note: You may have already set up default information.

    4. Now, your .csr file will be created.

  4. Order Your SSL/TLS Certificate

    1. Open the .csr file that you created with a text editor.

    2. Copy the text, including the -----BEGIN CERTIFICATE REQUEST----- and -----END CERTIFICATE REQUEST----- lines (OpenSSL writes these; some other tools label them BEGIN NEW CERTIFICATE REQUEST), and paste it into the DigiCert order form.

  5. Save Private Key

    Save (back up) the generated .key file and keep it private: it stays on the server (mode 0600, readable by root only), is never sent to the CA and is never pasted into the order form; only the .csr is submitted. You'll need the .key when installing your SSL certificate, and the certificate is useless without the exact key its CSR was made from.

  6. Install Certificate

    After you've received your SSL certificate from DigiCert, you can install it on your server.

II. Nginx: Installing & Configuring Your SSL Certificate

If you still need to create a certificate signing request (CSR) and order your certificate, see Nginx: Creating Your CSR with OpenSSL.

After we've validated and issued your SSL certificate, you can install it on the Nginx server where the CSR was generated and configure the server to use it.

How to Install and Configure Your SSL Certificate

  1. Primary and intermediate certificates

    Place your primary certificate (your_domain_name.crt), the intermediate certificate (DigiCertCA.crt) and the private key from the CSR step on the server.

  2. Note: Make the private key readable by root only (mode 0600) to increase security. The certificates themselves are public, but keeping the whole directory root-only does no harm.

  3. Concatenate the primary and intermediate certificates

    1. You need to concatenate your primary certificate file (your_domain_name.crt) and the intermediate certificate file (DigiCertCA.crt) into a single file, with your own certificate first (e.g., bundle.crt; the extension does not matter to Nginx).

    2. To concatenate the files, run the following command (your certificate must come first, and use > rather than >> so that re-running the step does not append a duplicate copy):

      cat your_domain_name.crt DigiCertCA.crt > bundle.crt
  4. Edit the Nginx virtual hosts file

    1. Open your Nginx virtual host file for the website you're securing.

    2. Make a copy of the existing non-secure server module and paste it below the original.

      Note: If you need your site to be accessible through both secure (https) and non-secure (http) connections, you'll need a server module for each type of connection.

    3. Next, add the listen, ssl_certificate and ssl_certificate_key directives shown below:

      server {
          listen 443 ssl;
          server_name your.domain.com;
          ssl_certificate /etc/ssl/bundle.crt;
          ssl_certificate_key /etc/ssl/your_domain_name.key;
          access_log /var/log/nginx/nginx.vhost.access.log;
          error_log /var/log/nginx/nginx.vhost.error.log;
          location / {
              root /home/www/public_html/your.domain.com/public/;
              index index.html;
          }
      }

      The original listing used listen 443; together with a separate ssl on; directive. That directive is deprecated (since nginx 1.15.0) and has been removed from current releases; the ssl parameter on listen does the same job on every version you are likely to meet. ssl_certificate points at the concatenated file from step 3 (the original allowed either your_domain_name.pem or bundle.crt here).
    4. Adjust the file names to match your certificate files:

      • ssl_certificate should be your primary certificate combined with the intermediate certificate that you made in the previous step (e.g., bundle.crt).

      • ssl_certificate_key should be the .key file generated when you created the CSR.

  5. Restart Nginx.

    Run the following command to restart Nginx:

  6. Congratulations! You've successfully installed your SSL certificate.

  7. Troubleshooting:

    1. Use the DigiCert® SSL Installation Diagnostics Tool

      If your website is publicly accessible, our SSL Certificate Checker can help you diagnose common problems.

    2. Use a browser and visit your site

      Open a web browser and visit your site using https. We recommend testing your site with Firefox; this browser will give you a warning if your intermediate certificate is not installed. You shouldn't receive any browser warnings or errors.

      1. If you immediately receive a browser message about the site not being available, then Nginx may not yet be listening on port 443.

      2. If your web request takes a very long time and times out, a firewall may be blocking traffic on TCP port 443 to the web server.

      3. If you receive a 'not trusted' warning, view the certificate to see if it is the certificate you expect.

        • When you view the certificate, check the Subject, Issuer, and Valid To fields

        • If you had to concatenate the certificate files, your primary certificate (e.g., your_domain_name.crt) may not be correctly combined with the intermediate certificate.

    3. For more information, see the Nginx SSL documentation.
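As an added example that is not part of the DigiCert guide, the following script ties the two halves of this section together: make_csr produces the section I key and CSR non-interactively with a subjectAltName, and key_matches_cert and bundle_is_ordered are the two checks behind section II's troubleshooting list (is the .key really the one the CSR was made from, and does the primary certificate come first in the concatenated file). make_demo_issuer is a constructed throwaway CA that signs the CSR locally so the checks can be exercised offline; it stands in for the real CA and is not something you would do for a public site. File names and the “Example Org” subject are assumptions.

```shell
#!/bin/sh
# Added example (not part of the DigiCert guide): build the CSR from section I
# with a subjectAltName, then check an issued certificate, its private key and
# the concatenated bundle from section II before pointing nginx at them.
# Assumptions: file names, the "Example Org" subject, and make_demo_issuer,
# a throwaway CA constructed here so the checks can run offline.
set -eu

# make_csr DIR NAME FQDN -> DIR/NAME.key (RSA 2048, no passphrase) and DIR/NAME.csr.
# The CSR carries a CN and a subjectAltName; browsers match the hostname against
# the SAN, so ask the CA to include it rather than relying on the CN alone.
make_csr() {
  mkdir -p "$1"
  cat >"$1/$2.cnf" <<EOF
[req]
prompt = no
distinguished_name = dn
req_extensions = ext
[dn]
CN = $3
O = Example Org
C = US
[ext]
subjectAltName = DNS:$3, DNS:www.$3
EOF
  # -nodes writes the key in plaintext, so create it readable by its owner only
  ( umask 077; openssl req -new -newkey rsa:2048 -nodes -sha256 -config "$1/$2.cnf" \
      -keyout "$1/$2.key" -out "$1/$2.csr" 2>/dev/null )
  # self-signature check: proves the CSR was produced with this private key
  openssl req -in "$1/$2.csr" -noout -verify >/dev/null 2>&1
}

# key_matches_cert KEY CRT -> 0 when CRT contains the public key that belongs
# to KEY.  A mismatch is what nginx reports as
# "SSL_CTX_use_PrivateKey_file() failed ... key values mismatch".
key_matches_cert() {
  key_fp=$(openssl pkey -in "$1" -pubout -outform DER | openssl dgst -sha256)
  crt_fp=$(openssl x509 -in "$2" -pubkey -noout | openssl pkey -pubin -outform DER | openssl dgst -sha256)
  [ "$key_fp" = "$crt_fp" ]
}

# build_bundle LEAF INTERMEDIATE OUT -> the file ssl_certificate points at.
# nginx wants the server certificate first, then the chain; write with ">" so
# re-running the step does not append a second copy the way ">>" would.
build_bundle() {
  cat "$1" "$2" >"$3"
}

# nth_cert BUNDLE N -> the N-th PEM certificate in BUNDLE (empty if absent)
nth_cert() {
  awk -v n="$2" '/-----BEGIN CERTIFICATE-----/ { i++ } i == n' "$1"
}

# bundle_is_ordered BUNDLE -> 0 when the second certificate is the issuer of the
# first, i.e. the primary certificate comes first and the intermediate follows.
# A "not trusted" warning with a correct-looking certificate is usually this.
bundle_is_ordered() {
  leaf_issuer=$(nth_cert "$1" 1 | openssl x509 -noout -issuer -nameopt RFC2253)
  next_subject=$(nth_cert "$1" 2 | openssl x509 -noout -subject -nameopt RFC2253 2>/dev/null || true)
  [ -n "$next_subject" ] && [ "${leaf_issuer#issuer=}" = "${next_subject#subject=}" ]
}

# make_demo_issuer DIR -> constructed fixture: a self-signed "intermediate" that
# signs DIR/server.csr into DIR/server.crt, standing in for the CA's role.
make_demo_issuer() {
  openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 2 \
    -subj "/CN=Demo Intermediate CA/O=Example Org" \
    -keyout "$1/ca.key" -out "$1/ca.crt" 2>/dev/null
  openssl x509 -req -in "$1/server.csr" -CA "$1/ca.crt" -CAkey "$1/ca.key" \
    -CAcreateserial -days 2 -sha256 -extfile "$1/server.cnf" -extensions ext \
    -out "$1/server.crt" 2>/dev/null
}

# Walk through the whole flow when run directly: sh this_file.sh demo
if [ "${1-}" = demo ]; then
  d=$(mktemp -d)
  make_csr "$d" server example.test
  make_demo_issuer "$d"
  build_bundle "$d/server.crt" "$d/ca.crt" "$d/bundle.crt"
  key_matches_cert "$d/server.key" "$d/server.crt" && echo "key matches certificate"
  bundle_is_ordered "$d/bundle.crt" && echo "bundle order is correct"
fi
```

For a real order you stop after make_csr, submit server.csr, and run key_matches_cert and bundle_is_ordered against the files the CA returns; both checks only read the first PEM block of each file, which is exactly what nginx does when it loads ssl_certificate.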

    Nginx Server Configuration

    For information about Nginx server configurations that can strengthen your SSL environment: