How to Install StartSSL Class 1 Certificate on Nginx

This tutorial shows how to install a StartSSL Class 1 certificate on Nginx. StartSSL provides Class 1 certificates free of charge. One can be obtained by verifying an email address associated with the domain name. If you want visitors to trust your website and you want to do it for free, a StartSSL Class 1 certificate is the answer.

Before I get started, I’m going to assume that you’ve followed my LEMP server setup tutorial to configure your server and have created a virtual host file for the domain you want SSL enabled on.

Let’s start by creating a temporary directory and changing into it,

sudo mkdir temp
cd temp

Create a private key by running the following command. It’ll ask you for a passphrase; enter something you can remember, as you’ll need it in the next step. You can replace example with something you’re familiar with, maybe your domain name.

sudo openssl genrsa -des3 -out example.key 2048

Let’s remove the passphrase, so that Nginx can load the key without prompting for it,

sudo cp example.key example.key.org
sudo openssl rsa -in example.key.org -out example.key

Finally, before you head over to StartSSL, you must create a Certificate Signing Request (CSR) on your server. The following command should take care of that,

sudo openssl req -new -key example.key -out example.csr

The next step is to obtain the Class 1 SSL certificate from StartSSL. StartSSL will give you 3 files to host on the server. Save all three files to your computer and come back here to continue the Nginx configuration.

Once the StartSSL certificate has been created, you’ll have 3 files: ssl.crt, sub.class1.server.ca.pem and ca.pem. To use these files with Nginx, you must merge them into one file, with ssl.crt first. Rather than merging them locally on your PC and uploading the result, you can create a new file on the server and paste in the contents of those files. So let’s create a new file,

sudo nano example.crt

Now paste the contents of ssl.crt, sub.class1.server.ca.pem and then ca.pem, in that order. Press Ctrl+X to save changes and exit.
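The merge step above can also be scripted instead of pasted by hand. The following is an added example, not part of the original tutorial: the function names build_chain, check_chain and key_matches_cert are hypothetical, and the PEM bodies written by demo are constructed placeholders, not real certificates.

```shell
#!/bin/sh
# Added example, not from the original tutorial. File names follow the
# tutorial; the PEM bodies written by demo() are constructed placeholders.

# Concatenate PEM files in the order given. A newline is added after any file
# that lacks one, so an END line never fuses with the next BEGIN line.
build_chain() {
    out=$1; shift
    : > "$out"
    for pem in "$@"; do
        [ -r "$pem" ] || { echo "missing: $pem" >&2; return 1; }
        cat "$pem" >> "$out"
        [ -z "$(tail -c 1 "$pem")" ] || echo >> "$out"
    done
}

# Succeed only if bundle $1 holds exactly $2 certificates whose BEGIN and END
# markers each sit alone on a line (CR characters are ignored).
check_chain() {
    b=$(tr -d '\r' < "$1" | grep -c '^-----BEGIN CERTIFICATE-----$' || true)
    e=$(tr -d '\r' < "$1" | grep -c '^-----END CERTIFICATE-----$' || true)
    [ "$b" -eq "$2" ] && [ "$e" -eq "$2" ]
}

# Succeed only if RSA key $1 belongs to the first certificate in bundle $2,
# which must be the server certificate. Requires openssl and real files.
key_matches_cert() {
    k=$(openssl rsa -noout -modulus -in "$1") || return 1
    c=$(openssl x509 -noout -modulus -in "$2") || return 1
    [ "$k" = "$c" ]
}

# Offline demonstration with placeholder files; ssl.crt has no final newline.
demo() {
    d=$(mktemp -d) || return 1
    B='-----BEGIN CERTIFICATE-----'; E='-----END CERTIFICATE-----'
    printf '%s\n%s\n%s' "$B" 'TEVBRg==' "$E" > "$d/ssl.crt"
    printf '%s\n%s\n%s\n' "$B" 'SU5URVI=' "$E" > "$d/sub.class1.server.ca.pem"
    printf '%s\n%s\n%s\n' "$B" 'Uk9PVA==' "$E" > "$d/ca.pem"
    build_chain "$d/example.crt" "$d/ssl.crt" "$d/sub.class1.server.ca.pem" "$d/ca.pem" &&
        check_chain "$d/example.crt" 3
    rc=$?
    rm -rf "$d"
    return $rc
}

demo && echo "bundle OK: 3 certificates, server certificate first"
```

With the real files in place, running key_matches_cert example.key example.crt before copying them confirms that the key belongs to the first certificate in the bundle.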

Ubuntu has standard locations for SSL certificates and keys, so copy the private key and the certificate file to those directories.

sudo cp example.crt /etc/ssl/certs/
sudo cp example.key /etc/ssl/private/

Finally, let’s configure the Nginx virtual host for the domain to enable SSL support. Open the virtual host file,

sudo nano /etc/nginx/sites-available/example.com

Add the following line before the line that reads server_name example.com www.example.com;

listen 443 ssl;

Add the following lines after the server_name example.com www.example.com; line,

        ssl_session_timeout  5m;
        # SSLv2, SSLv3 and TLSv1 are broken or deprecated; offer only TLS 1.2 and 1.3
        ssl_protocols  TLSv1.2 TLSv1.3;
        # Strong suites only: no anonymous, export, low-grade or MD5-based ciphers
        ssl_ciphers  HIGH:!aNULL:!MD5;
        ssl_prefer_server_ciphers   on;

        ssl_certificate        /etc/ssl/certs/example.crt;
        ssl_certificate_key    /etc/ssl/private/example.key;

Final code should look like this,

server {
        # "ssl" on the listen line enables TLS for this server block
        listen 443 ssl;
        server_name example.com www.example.com;

        ssl_session_timeout  5m;
        # SSLv2, SSLv3 and TLSv1 are broken or deprecated; offer only TLS 1.2 and 1.3
        ssl_protocols  TLSv1.2 TLSv1.3;
        # Strong suites only: no anonymous, export, low-grade or MD5-based ciphers
        ssl_ciphers  HIGH:!aNULL:!MD5;
        ssl_prefer_server_ciphers   on;

        ssl_certificate        /etc/ssl/certs/example.crt;
        ssl_certificate_key    /etc/ssl/private/example.key;
        [....rest....]

Restarting Nginx will enable the SSL certificate for your domain,

sudo service nginx restart

Now open your domain in your favorite browser to see if it’s working. You might have to clear your browser cache to request a fresh page from the server. If you’ve followed my instructions correctly, you’ll see a green locked padlock icon next to your domain name.

Tharindu

Hey!! I'm Tharindu. I'm from Sri Lanka. I'm a part time freelancer and this is my blog where I write about everything I think might be useful to readers. If you read a tutorial here and want to hire me, contact me here.
