Solution
The HttpSslModule supports SSL certificates in Nginx although it is not
enabled by default. This guide explains how to configure it for use.
Part I - Preparing Your SSL Certificate
Installing a certificate on Nginx is similar to Apache; however, the
intermediate and root certificates in the chain are not specified
separately as they are in Apache. To install your SSL certificate
successfully, you must create a 'bundle file' that contains your SSL
certificate, the intermediate certificate and the root certificate in
one file. Part I of this document explains how to create this 'bundle
file' in the correct order.
- First you must obtain your certificate in PEM format. By
default, QuoVadis issues certificates in this format. If your SSL
certificate is in a different format, you must convert it first.
Note: QuoVadis provides a conversion tool at https://pkiwidgets.quovadisglobal.com/pkiwidgets/convertCert.aspx.
You must now create a 'bundle file' that contains the certificates in the following order:
-----BEGIN CERTIFICATE-----
<The contents of your SSL certificate>
-----END CERTIFICATE-----
-----BEGIN CERTIFICATE-----
<The contents of the QuoVadis Global SSL ICA G2>
-----END CERTIFICATE-----
-----BEGIN CERTIFICATE-----
<The contents of the QuoVadis Root CA 2>
-----END CERTIFICATE-----
- To obtain the contents of your SSL certificate, open your SSL certificate in a simple text editor.
- Once your certificate is opened in a text editor, copy all of
the text, including the 'BEGIN' and 'END' lines as shown in the example
above.
- Open a new text document using your simple text editor and paste in your SSL certificate you have just copied.
- You will need to insert the PEM formatted contents of the
QuoVadis Global SSL ICA G2 certificate and the PEM formatted contents of
the QuoVadis Root CA 2 certificate below your SSL certificate contents
as shown in the example. You can obtain these from http://www.quovadisglobal.com/QVRepository/DownloadRootsAndCRL/QuoVadisGlobalSSLICAG2-PEM.aspx and http://www.quovadisglobal.com/en-GB/QVRepository/DownloadRootsAndCRL/QuoVadisRootCA2-PEM.aspx respectively.
- Once you have done this, you must save the 'bundle file' with a *.crt file extension.
- Upload this file along with your private key to a directory on
the Nginx server. In most cases the certificate and private key are
uploaded to the /usr/local/nginx/conf/ folder.
Note: For your convenience, you can obtain the
'bundle file' with the QuoVadis Global SSL ICA G2 and the QuoVadis Root
CA 2 certificate already created from here. You will need to add in your SSL certificate contents to this file.
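As an added example that is not part of the QuoVadis guide, the following POSIX shell script carries out the Part I steps and checks the result with openssl before the bundle is uploaded. It assumes your server certificate, the ICA, the root and your private key are each in a separate PEM file whose names you pass in; it also writes the CA-only file that the ssl_trusted_certificate directive in the OCSP Stapling section expects.

```shell
#!/bin/sh
# Builds the Nginx 'bundle file' from Part I in the required order
# (server certificate, then QuoVadis Global SSL ICA G2, then QuoVadis Root CA 2)
# and checks it before it is copied next to the private key.
# File names passed in are assumptions; point them at your own PEM files.

# count_certs FILE -> number of PEM certificate blocks in FILE
count_certs() {
    grep -c -- '-----BEGIN CERTIFICATE-----' "$1"
}

# build_bundle LEAF ICA ROOT KEY OUT: writes OUT, returns 0 only if every check passes
build_bundle() {
    leaf=$1; ica=$2; root=$3; key=$4; out=$5
    # each input must hold exactly one certificate, otherwise the order is ambiguous
    for f in "$leaf" "$ica" "$root"; do
        [ "$(count_certs "$f")" -eq 1 ] || { echo "expected one certificate in $f" >&2; return 1; }
    done
    # the private key must belong to the server certificate, not to one of the CA files
    cert_pub=$(openssl x509 -in "$leaf" -pubkey -noout) || return 1
    key_pub=$(openssl pkey -in "$key" -pubout) || return 1
    [ "$cert_pub" = "$key_pub" ] || { echo "private key does not match $leaf" >&2; return 1; }
    # the ICA must be the issuer of the server certificate (catches swapped files)
    issuer=$(openssl x509 -in "$leaf" -noout -issuer | sed 's/^issuer=//')
    subject=$(openssl x509 -in "$ica" -noout -subject | sed 's/^subject=//')
    [ "$issuer" = "$subject" ] || { echo "$ica did not issue $leaf" >&2; return 1; }
    # the chain must validate: root signs the ICA, the ICA signs the server certificate
    openssl verify -CAfile "$root" -untrusted "$ica" "$leaf" >/dev/null 2>&1 \
        || { echo "chain does not verify" >&2; return 1; }
    # concatenate in the order Nginx expects; awk guarantees a newline after each
    # file so an END line and the next BEGIN line never run together
    awk 1 "$leaf" "$ica" "$root" > "$out"
    [ "$(count_certs "$out")" -eq 3 ] || { echo "bundle is malformed" >&2; return 1; }
}

# build_trusted ICA ROOT OUT: the CA-only file used by ssl_trusted_certificate (OCSP stapling)
build_trusted() {
    awk 1 "$1" "$2" > "$3"
}
```

Run it as `build_bundle server.pem ica.pem root.pem server.key certificate_bundle.crt`; a non-zero exit with a message on stderr means the bundle was not written.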
Part II - Installing Your SSL Certificate
You must ensure that Nginx is built with the HttpSslModule. You can do this by passing the --with-http_ssl_module parameter to ./configure.
Note: Building this module requires the OpenSSL library and the respective include files.
- Open the Nginx configuration file and include the following in it:
    server {
        server_name your_domain_name;
        listen 443;
        ssl on;
        ssl_certificate /usr/local/nginx/conf/certificate_bundle.crt;
        ssl_certificate_key /usr/local/nginx/conf/your_private_key.key;
    }
Note: The server_name value and the two file paths in the example above will have to be edited to match your own configuration.
- Set the path in the ssl_certificate directive to the location of
the 'bundle file' that was created in Part I. Set the path in the
ssl_certificate_key directive to the location of your private key
file.
Tip: To reduce CPU load, the Nginx wiki recommends that you run only
one worker process and enable keep-alive connections using the
keepalive_timeout n; directive, where n is a number.
- Once you have done this, save the Nginx configuration.
- You must now restart Nginx.
OCSP Stapling Support
Although optional, enabling OCSP Stapling is highly recommended, as it
improves the SSL handshake speed of your website. Nginx has supported
OCSP Stapling since version 1.3.7.
To use OCSP Stapling in Nginx, you must set the following in your configuration:
## OCSP Stapling
resolver 127.0.0.1;
ssl_stapling on;
ssl_stapling_verify on;
ssl_trusted_certificate <file>;
Where <file> is the full path and filename of the PEM file containing the intermediate and root certificates that Nginx uses to verify the stapled OCSP response.
Note: For ssl_stapling_verify and ssl_stapling to
work, you must ensure that all necessary intermediates and root
certificates are installed.
Note: The resolver address may change based on your environment.
You can read up more on OCSP Stapling at https://support.quovadisglobal.com/KB/a415/what-is-ocsp-stapling.aspx.