This tutorial shows how to install a StartSSL class 1 certificate on Nginx. StartSSL provides class 1 certificates free of charge. One can be obtained by verifying an email address associated with the domain name. If you want visitors to trust your website and you want to do it for free, a StartSSL class 1 certificate is the answer.
Before I get started, I’m going to assume that you’ve followed my LEMP server setup tutorial to configure your server and created a virtual host file for the domain you want SSL to be enabled on.
Let’s start by creating a temporary directory and navigating to it,
sudo mkdir temp
cd temp
Create a private key by running the following command. It’ll ask you for a passphrase; enter something you can remember, as you’ll need it in the next step. You can replace example with something you’re familiar with, such as your domain name.
sudo openssl genrsa -des3 -out example.key 2048
Let’s remove the passphrase,
sudo cp example.key example.key.org
sudo openssl rsa -in example.key.org -out example.key
Finally, before you head over to StartSSL, you must create a Certificate Signing Request (CSR) on your server. The following command should take care of that,
sudo openssl req -new -key example.key -out example.csr
The next step is to obtain the class 1 SSL certificate from StartSSL. StartSSL will give you 3 files to host on the server. Save all three files to your computer and come back here to continue the Nginx configuration.
Upon successful creation of the StartSSL certificate, you’ll be given 3 files: ssl.crt, sub.class1.server.ca.pem and ca.pem. To use these files with Nginx, you must merge them into one file, in an order where ssl.crt comes first. Rather than doing it locally on your PC and uploading it to the server, you can create a new file on the server and paste the content of those files into it. So let’s create a new file,
sudo nano example.crt
Now paste the content of ssl.crt, then sub.class1.server.ca.pem and then ca.pem. Press Ctrl+X to save changes and exit.
Ubuntu has standard locations for SSL certificates, so you should copy the private key and the certificate file to those directories.
sudo cp example.crt /etc/ssl/certs/
sudo cp example.key /etc/ssl/private/
Finally, let’s configure Nginx virtual host for the domain to enable SSL support. Open virtual host file,
sudo nano /etc/nginx/sites-available/example.com
Add the following line before the line that reads server_name example.com www.example.com;
listen 443 ssl;
Add the following lines after the server_name example.com www.example.com; line,
ssl_session_timeout 5m;
# SSLv2/SSLv3 and the LOW/EXPORT cipher groups are broken, so only modern TLS is offered
ssl_protocols TLSv1.2 TLSv1.3;
ssl_ciphers HIGH:!aNULL:!MD5;
ssl_prefer_server_ciphers on;
ssl_certificate /etc/ssl/certs/example.crt;
ssl_certificate_key /etc/ssl/private/example.key;
The final code should look like this,
server {
    listen 443 ssl;
    server_name example.com www.example.com;
    ssl_session_timeout 5m;
    # SSLv2/SSLv3 and the LOW/EXPORT cipher groups are broken, so only modern TLS is offered
    ssl_protocols TLSv1.2 TLSv1.3;
    ssl_ciphers HIGH:!aNULL:!MD5;
    ssl_prefer_server_ciphers on;
    ssl_certificate /etc/ssl/certs/example.crt;
    ssl_certificate_key /etc/ssl/private/example.key;
    [....rest....]
}
Restarting Nginx will enable the SSL certificate for your domain,
sudo service nginx restart
Now open your domain in your favorite browser to see if it’s working. You might have to delete your browser cache to request a fresh page from the server. If you’ve followed my instructions correctly, you’ll see a green locked padlock icon next to your domain name.
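Nginx treats the first certificate in example.crt as the server certificate and refuses to start if it does not match example.key, which is why ssl.crt has to be pasted first. The script below is an added example, not part of the original tutorial, that checks this (and that the CSR came from the same key) before Nginx is restarted; the function names are hypothetical, and it assumes the openssl command-line tool and the passphrase-free key produced in the steps above.

```shell
#!/bin/sh
# Added example, not from the original tutorial. File names follow the
# tutorial (example.key, example.csr, example.crt); function names are made up.

# Each helper prints the PEM public key found in its input.
# "openssl x509" reads only the FIRST certificate of a bundle, which is
# the same certificate Nginx will present as the server certificate.
pub_of_key()  { openssl pkey -in "$1" -passin pass: -pubout 2>/dev/null; }
pub_of_csr()  { openssl req  -in "$1" -noout -pubkey 2>/dev/null; }
pub_of_cert() { openssl x509 -in "$1" -noout -pubkey 2>/dev/null; }

# Number of certificates pasted into the bundle.
count_certs() { grep -c -- '-----BEGIN CERTIFICATE-----' "$1"; }

# check_bundle KEY BUNDLE [CSR]
# returns 0 = consistent, 1 = mismatch, 2 = unreadable input
check_bundle() {
    key=$1 crt=$2 csr=${3:-}
    k=$(pub_of_key "$key") || { echo "cannot read private key $key" >&2; return 2; }
    c=$(pub_of_cert "$crt") || { echo "cannot read certificate in $crt" >&2; return 2; }
    if [ "$k" != "$c" ]; then
        echo "first certificate in $crt does not match $key (wrong paste order?)" >&2
        return 1
    fi
    if [ -n "$csr" ] && [ "$(pub_of_csr "$csr")" != "$k" ]; then
        echo "$csr does not match $key" >&2
        return 1
    fi
    n=$(count_certs "$crt") || n=0
    # The tutorial merges three files: server, intermediate and root certificate.
    [ "$n" -eq 3 ] || echo "note: $crt holds $n certificate(s), tutorial expects 3" >&2
    return 0
}
```

Run `check_bundle example.key example.crt example.csr` in the temp directory, then `sudo nginx -t` so Nginx validates the whole configuration before the restart.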