The HttpSslModule supports SSL certificates in Nginx although it is not enabled by default. This guide explains how to configure it for use.
Part I - Preparing Your SSL Certificate
Nginx is similar to Apache on its install, however the intermediate and root certificates in the chain are specified separately as they are in Apache. In order to successfully install your SSL certificate, you must create a 'bundle file' that contains your SSL certificate, the intermediate certificate and the root certificate in one file. Part I of this document will explain how to create this 'bundle file' in the correct order.
- First you must obtain your certificate in PEM format. By default, QuoVadis issues certificates in this format. You must convert this file if you have your SSL certificate in a different format.
Note: QuoVadis provides a conversion tool at https://pkiwidgets.quovadisglobal.com/pkiwidgets/convertCert.aspx.
You must now create a 'bundle file' that contain the certificates in the following order:
<The contents of your SSL certificate>
<The contents of the QuoVadis Global SSL ICA G2>
<The contents of the QuoVadis Root CA 2>
- In order to obtain the contents of your SSL Certificate, you will have to open you SSL certificate in a simple text editor.
- Once your certificate is opened in a text editor, copy all of the text, including the 'BEGIN' and 'END' lines as shown in the example above.
- Open a new text document using your simple text editor and paste in your SSL certificate you have just copied.
- You will need to insert the PEM formatted contents of the QuoVadis Global SSL ICA G2 certificate and the PEM formatted contents of the QuoVadis Root CA 2 certificate below your SSL certificate contents as shown in the example. You can obtain these from http://www.quovadisglobal.com/QVRepository/DownloadRootsAndCRL/QuoVadisGlobalSSLICAG2-PEM.aspx and http://www.quovadisglobal.com/en-GB/QVRepository/DownloadRootsAndCRL/QuoVadisRootCA2-PEM.aspx respectively.
- Once you have done this, you must save the 'bundle file' with a *.crt file extension.
- Upload this file along with your private key to a directory on the Nginx server. In most cases the certificate and private key are uploaded to the /usr/local/nginx/conf/ folder.
Part II - Installing Your SSL Certificate
You must ensure that Nginx is built with the HttpSslModule. You can do this by giving it the --with-http-ssl-module parameter to ./configure.
Note: Building this module requires the OpenSSL library and the respective include files.
- Open the Nginx configuration file and include the following in it:
- You must insert the path of the ssl_certificate directive to where your 'bundle file' that was created in Part I is located. You must also insert the path if the ssl_certificate_key directive to where you private key file is.
- Once you have done this, save the Nginx configuration.
- You must now restart Nginx.
OCSP Stapling Support
Although optional, it is highly recommended to enable OCSP Stapling which will improve the SSL handshake speed of your website. NginX has OCSP Stapling functionality enabled since version 1.3.7.
In order to use OCSP Stapling in NginX, you must set the following in your configuration:
## OCSP Stapling
Where <file> is the name location and filename of the certificate installed.
Note: For ssl_stapling_verify and ssl_stapling to work, you must ensure that all necessary intermediates and root certificates are installed.
Note: The resolver name may change based on your environment.
You can read up more on OCSP Stapling at What is OCSP Stapling.