
How do I install an SSL Certificate into Nginx?

Problem

How do I install an SSL Certificate into Nginx?

Solution

Nginx handles SSL/TLS through its HttpSslModule (ngx_http_ssl_module), which is not compiled in by default.  This guide explains how to prepare the certificate chain and how to configure the module to use it.

Part I - Preparing Your SSL Certificate

Installing a certificate in Nginx is similar to Apache, with one important difference: Nginx has no separate directive for the intermediate and root certificates (the equivalent of Apache's SSLCertificateChainFile).  Instead, the ssl_certificate directive reads a single 'bundle file' that contains your SSL certificate, the intermediate certificate and the root certificate.  The order inside the file matters: your own certificate must come first, followed by the certificate that issued it, and so on up the chain.  If the bundle does not start with your own certificate, Nginx fails to start because the first certificate does not match the private key.  (Strictly speaking, clients already trust the root certificate, so it does not need to be sent, but including it does no harm.)  Part I of this document explains how to create this 'bundle file' in the correct order.

  1. First you must obtain your certificate in PEM format.  By default, QuoVadis issues certificates in this format.  If your SSL certificate is in a different format (for example DER or PKCS#12), you must convert it first.
     Note: QuoVadis provides a conversion tool at https://pkiwidgets.quovadisglobal.com/pkiwidgets/convertCert.aspx.

  2. You must now create a 'bundle file' that contains the certificates in the following order:

    -----BEGIN CERTIFICATE-----
    <The contents of your SSL certificate>
    -----END CERTIFICATE-----
    -----BEGIN CERTIFICATE-----
    <The contents of the QuoVadis Global SSL ICA G2>
    -----END CERTIFICATE-----
    -----BEGIN CERTIFICATE-----
    <The contents of the QuoVadis Root CA 2>
    -----END CERTIFICATE-----

  3. In order to obtain the contents of your SSL certificate, open your SSL certificate in a plain text editor.

  4. Once your certificate is opened in a text editor, copy all of the text, including the 'BEGIN' and 'END' lines as shown in the example above.

  5. Open a new text document using your simple text editor and paste in your SSL certificate you have just copied.

  6. You will need to insert the PEM formatted contents of the QuoVadis Global SSL ICA G2 certificate and the PEM formatted contents of the QuoVadis Root CA 2 certificate below your SSL certificate contents as shown in the example.  You can obtain these from http://www.quovadisglobal.com/QVRepository/DownloadRootsAndCRL/QuoVadisGlobalSSLICAG2-PEM.aspx and http://www.quovadisglobal.com/en-GB/QVRepository/DownloadRootsAndCRL/QuoVadisRootCA2-PEM.aspx respectively.

  7. Once you have done this, you must save the 'bundle file' with a *.crt file extension.

  8. Upload this file along with your private key to a directory on the Nginx server.  In most cases the certificate and private key are placed in the /usr/local/nginx/conf/ directory.  Make sure the private key is readable only by root (for example chmod 600 your_private_key.key) and is never placed in a directory that Nginx serves to clients; the Nginx master process reads the key as root at start-up, so the worker processes do not need access to it.

  9. Note: For your convenience, QuoVadis provides a ready-made 'bundle file' containing the QuoVadis Global SSL ICA G2 and QuoVadis Root CA 2 certificates, which you can obtain here.  You will need to add your own SSL certificate contents at the top of this file.
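The bundle-building and checking steps above, as an added example in shell that is not part of the QuoVadis article.  The make_bundle function concatenates the certificate files in the order Nginx expects, and check_bundle verifies, before anything is deployed, that each certificate in the bundle was issued by the one that follows it, that the first certificate matches the private key, and that openssl can build a valid chain from it.  File names are assumptions; make_test_chain generates a throwaway root, intermediate and leaf (constructed test data, not QuoVadis certificates) so the checks can be exercised offline.  Only the openssl command-line tool is required.

```shell
#!/bin/sh
# Added example (not from the QuoVadis article): build and check the
# Nginx 'bundle file' described in Part I.  Paths are assumptions.

# Concatenate certificates in the order Nginx expects: server certificate
# first, then the intermediate(s), then the root.  'awk 1' re-emits every
# line with a newline, so a file lacking a final newline cannot run its
# END line into the next BEGIN line.
make_bundle() {
    awk 1 "$@"
}

# Check a bundle against its private key.  Returns 0 when:
#   1. every certificate's issuer is the subject of the one that follows it,
#   2. the first certificate's public key matches the private key, and
#   3. openssl can build a valid chain from the first to the last certificate.
# Prints the reason and returns 1 otherwise.
check_bundle() {
    bundle=$1 key=$2
    dir=$(mktemp -d) || return 1
    # split the bundle into cert-1.pem, cert-2.pem, ... and count them
    n=$(awk -v d="$dir" '/BEGIN CERTIFICATE/ {n++}
                         {print > (d "/cert-" n ".pem")}
                         END {print n+0}' "$bundle")
    if [ "$n" -lt 2 ]; then
        echo "bundle holds $n certificate(s); expected your certificate plus its chain"
        rm -rf "$dir"; return 1
    fi
    rc=0
    i=1
    while [ "$i" -lt "$n" ]; do
        issuer=$(openssl x509 -noout -issuer -nameopt RFC2253 -in "$dir/cert-$i.pem" | sed 's/^issuer= *//')
        subject=$(openssl x509 -noout -subject -nameopt RFC2253 -in "$dir/cert-$((i+1)).pem" | sed 's/^subject= *//')
        if [ "$issuer" != "$subject" ]; then
            echo "order error: certificate $i ($issuer) was not issued by certificate $((i+1)) ($subject)"
            rc=1
        fi
        i=$((i+1))
    done
    # compare SubjectPublicKeyInfo digests of the leaf certificate and the key
    cert_pub=$(openssl x509 -noout -pubkey -in "$dir/cert-1.pem" | openssl dgst -sha256)
    key_pub=$(openssl pkey -in "$key" -pubout | openssl dgst -sha256)
    if [ "$cert_pub" != "$key_pub" ]; then
        echo "private key does not match the first certificate in the bundle"
        rc=1
    fi
    if [ "$rc" -eq 0 ]; then
        # last certificate is the trust anchor; anything in between is untrusted chain material
        set --
        if [ "$n" -gt 2 ]; then
            : > "$dir/untrusted.pem"
            i=2
            while [ "$i" -lt "$n" ]; do cat "$dir/cert-$i.pem" >> "$dir/untrusted.pem"; i=$((i+1)); done
            set -- -untrusted "$dir/untrusted.pem"
        fi
        openssl verify -CAfile "$dir/cert-$n.pem" "$@" "$dir/cert-1.pem" >/dev/null 2>&1 \
            || { echo "chain does not verify from certificate 1 to certificate $n"; rc=1; }
    fi
    rm -rf "$dir"
    return $rc
}

# Generate a throwaway root -> intermediate -> leaf chain in directory $1
# (constructed test data so the checks can run offline; not real certificates).
make_test_chain() {
    d=$1
    printf 'basicConstraints=critical,CA:true\nkeyUsage=critical,keyCertSign,cRLSign\n' > "$d/ca.ext"
    for name in root int leaf; do
        openssl req -new -newkey rsa:2048 -nodes -subj "/CN=Test $name" \
            -keyout "$d/$name.key" -out "$d/$name.csr" 2>/dev/null
    done
    openssl x509 -req -in "$d/root.csr" -signkey "$d/root.key" -days 2 \
        -extfile "$d/ca.ext" -out "$d/root.crt" 2>/dev/null
    openssl x509 -req -in "$d/int.csr" -CA "$d/root.crt" -CAkey "$d/root.key" -CAcreateserial \
        -days 2 -extfile "$d/ca.ext" -out "$d/int.crt" 2>/dev/null
    openssl x509 -req -in "$d/leaf.csr" -CA "$d/int.crt" -CAkey "$d/int.key" -CAcreateserial \
        -days 2 -out "$d/leaf.crt" 2>/dev/null
}

# Usage: sh bundle-check.sh certificate_bundle.crt your_private_key.key
if [ $# -eq 2 ]; then
    check_bundle "$1" "$2" && echo "bundle OK"
fi
```

Run check_bundle on the real bundle and key before copying them to the server; a wrong order shows up as an "order error" line rather than as a refusal to start from Nginx.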

Part II - Installing Your SSL Certificate

You must ensure that Nginx is built with the HttpSslModule.  When building from source, pass the --with-http_ssl_module parameter to ./configure; most distribution packages already include it.  To check an existing binary, run nginx -V and look for --with-http_ssl_module in the configure arguments it prints.
Note: Building this module requires the OpenSSL library and its header (include) files.

  1. Open the Nginx configuration file (nginx.conf, or a file it includes) and add a server block like the following:

    server {
        server_name your_domain_name;
        # 'listen 443 ssl;' replaces the older 'ssl on;', which is deprecated since Nginx 1.15.0 and removed in 1.25.1
        listen 443 ssl;
        ssl_certificate /usr/local/nginx/conf/certificate_bundle.crt;
        ssl_certificate_key /usr/local/nginx/conf/your_private_key.key;
    }

  2. Note: your_domain_name, the certificate path and the private key path in the example above have to be edited to match your own configuration.

  3. Set the path in the ssl_certificate directive to the location of the 'bundle file' created in Part I, and the path in the ssl_certificate_key directive to the location of your private key file.

  4. Tip: SSL handshakes are CPU-intensive.  The Nginx documentation recommends setting the number of worker processes equal to the number of CPU cores (worker_processes auto;), enabling keep-alive connections with the keepalive_timeout n; syntax (where n is a number of seconds), and enabling the session cache (ssl_session_cache shared:SSL:10m;) so that returning clients resume a session instead of performing a full handshake.

  5. Once you have done this, save the Nginx configuration.

  6. Check the configuration with nginx -t and, if it reports no errors, reload Nginx (nginx -s reload) so that it picks up the new server block.

OCSP Stapling Support

Although optional, it is highly recommended to enable OCSP Stapling: the server attaches a recent, CA-signed OCSP response to the handshake, so the client does not have to contact the OCSP responder itself.  This speeds up the SSL handshake and avoids revealing to the CA which sites your visitors connect to.  Nginx supports OCSP Stapling since version 1.3.7.

In order to use OCSP Stapling in NginX, you must set the following in your configuration:

## OCSP Stapling
resolver 127.0.0.1;               # DNS server Nginx uses to look up the OCSP responder host
ssl_stapling on;
ssl_stapling_verify on;           # verify the OCSP response against the chain before stapling it
ssl_trusted_certificate <file>;


Where <file> is the path to a PEM file containing the intermediate and root certificates of the chain (the QuoVadis Global SSL ICA G2 followed by the QuoVadis Root CA 2), which Nginx uses to verify the OCSP response before stapling it.

Note:  For ssl_stapling_verify and ssl_stapling to work, all necessary intermediate and root certificates must be present in the file named by ssl_trusted_certificate; without them the response cannot be verified, Nginx logs an error and no response is stapled.
Note:  The resolver address depends on your environment; 127.0.0.1 assumes a DNS server running on the Nginx host.  Nginx must also be able to reach the OCSP responder URL embedded in your certificate, and it fetches the first response only after the first handshake, so the first connection after a restart is served without a stapled response.
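To confirm from the outside that the server block from Part II is serving the full chain and that OCSP Stapling actually works, the following added example (written for this page, not from QuoVadis or Nginx) wraps openssl s_client.  tls_check reads s_client output and reports whether the chain verified and a stapled OCSP response was present; check_host connects twice, because Nginx fetches the OCSP response only after the first handshake.  The host name in the usage line is an assumption, and the two SAMPLE_ variables are constructed excerpts of s_client output so the parser can be exercised offline.

```shell
#!/bin/sh
# Added example (not from the QuoVadis article or Nginx): verify a deployed
# Nginx TLS host with 'openssl s_client -status'.  Host names are assumptions.

# Read 'openssl s_client -status' output from stdin.  Returns 0 only when the
# server's chain verified against the local trust store AND a stapled OCSP
# response was returned; otherwise prints the reason and returns 1.
tls_check() {
    out=$(cat)
    rc=0
    case "$out" in
        *"Verify return code: 0 (ok)"*) ;;
        *) echo "chain did not verify: usually a missing intermediate in the bundle (or s_client needs -CAfile)"
           rc=1 ;;
    esac
    case "$out" in
        *"OCSP Response Status: successful"*) ;;
        *) echo "no valid stapled OCSP response: check resolver, ssl_trusted_certificate and outbound access to the responder"
           rc=1 ;;
    esac
    return $rc
}

# Connect twice: Nginx fetches the OCSP response after the first handshake on a
# fresh worker, so only the second connection says anything about stapling.
# Usage: check_host www.example.com [port]
check_host() {
    host=$1 port=${2:-443}
    openssl s_client -connect "$host:$port" -servername "$host" -status </dev/null >/dev/null 2>&1
    sleep 2
    openssl s_client -connect "$host:$port" -servername "$host" -status </dev/null 2>/dev/null | tls_check
}

# Constructed excerpts of s_client output (only the lines tls_check looks at),
# so the parser can be tried without a live server.
SAMPLE_GOOD='OCSP response:
======================================
OCSP Response Data:
    OCSP Response Status: successful (0x0)
    Response Type: Basic OCSP Response
...
    Verify return code: 0 (ok)'
SAMPLE_NO_STAPLE='OCSP response: no response sent
...
    Verify return code: 0 (ok)'
SAMPLE_BAD_CHAIN='OCSP response: no response sent
...
    Verify return code: 21 (unable to verify the first certificate)'

# Usage: sh tls-check.sh www.example.com [port]
if [ $# -ge 1 ]; then
    check_host "$@" && echo "chain and OCSP stapling OK"
fi
```

"Verify return code: 21 (unable to verify the first certificate)" together with a working private key is the classic symptom of a bundle that contains only the server certificate; rebuild it with the intermediate as described in Part I.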

You can read up more on OCSP Stapling at https://support.quovadisglobal.com/KB/a415/what-is-ocsp-stapling.aspx.