Updated on 2024-12-13 GMT+08:00

Installing an SSL Certificate on an Nginx Server

This section describes how to install an SSL certificate on an Nginx 1.7.8 server running CentOS 7. The installation process is similar for other Nginx servers. When the certificate is installed, it secures communication between your server and the client through SSL.

The installation procedure in this topic is for your reference only as the commands executed and configuration file modified during the installation may vary depending on OS types and server configurations.

Prerequisites

  • The certificate is in the Issued status.
  • You have downloaded the SSL certificate. For details, see Downloading a Certificate.

Constraints

  • Before installing the certificate, enable port 443 on the server where the SSL certificate is installed and add port 443 to the security group. Otherwise, HTTPS cannot be enabled after the installation.
  • If a domain name maps to multiple servers, deploy the certificate on each server.
  • The domain name to be run on the target server must be the same as the one associated with the certificate. Otherwise, the web browser will display a message indicating that the domain name is insecure.

Step 1: Obtaining Files

Before installing a certificate, obtain the certificate file and password file. Perform the following operations based on the value selected for CSR when applying for a certificate:

  • If you select System generated CSR for CSR when applying for a certificate, perform the operations according to the instructions in System generated CSR.
  • If you select Upload a CSR for CSR when applying for a certificate, perform the operations according to the instructions in Upload a CSR.

Detailed operations are as follows:

  • System generated CSR
    1. Decompress the downloaded certificate file on your local PC.
      The downloaded file contains the Apache, IIS, Nginx, and Tomcat folders as well as the domain.csr file, as shown in Figure 1.
      Figure 1 Decompressing an SSL certificate package on a local computer
    2. Obtain the certificate file Certificate ID_Domain name bound to the certificate_server.crt and private key file Certificate ID_Domain name bound to the certificate_server.key from Certificate ID_Domain name bound to the certificate_Nginx.
      • The Certificate ID_Domain name bound to the certificate_server.crt file contains two segments of certificate codes -----BEGIN CERTIFICATE----- and -----END CERTIFICATE-----, which are the server certificate and intermediate CA certificate respectively.
      • The Certificate ID_Domain name bound to the certificate_server.key file contains a segment of private key code -----BEGIN RSA PRIVATE KEY----- and -----END RSA PRIVATE KEY-----.
  • Upload a CSR
    1. Decompress the downloaded certificate package to obtain the Certificate ID_Domain name bound to the certificate_server.pem file.

      The Certificate ID_Domain name bound to the certificate_server.pem file contains two segments of certificate codes -----BEGIN CERTIFICATE----- and -----END CERTIFICATE-----, which are the server certificate and intermediate CA certificate respectively.

    2. Change the suffix of Certificate ID_Domain name bound to the certificate_server.pem to crt, that is, server.crt.
    3. Place server.crt and the server.key private key generated during CSR generation in the same folder.

Step 2: Creating a Directory

Create the cert directory in the Nginx installation directory conf for storing certificate files.

  1. Run the following command to go to the conf in the Nginx installation directory:

    The default Nginx configuration file directory /usr/local/nginx/conf is used as an example. Replace it with the actual directory.

    cd /usr/local/nginx/conf

  2. Run the following command to create a cert directory.

    mkdir cert

Step 3: Uploading the Certificate File

Upload the local server.key and server.crt certificate files obtained in step 1 to the certificate directory (cert directory created in step 2) on the Nginx server.

Upload method:

  • If you use an ECS, see Uploading a File to the ECS to learn how to upload files.
  • For other servers, you can use the local file upload function provided by a remote login tool (such as PuTTY and Xshell) to upload files.

Step 4: Modifying Configuration Files

Before modifying the configuration file, back up the configuration file. You are advised to deploy the configuration file in the test environment and then configure it on the production environment to avoid service interruptions caused by incorrect configurations.

Configure the nginx.conf file in the conf directory of Nginx.

  1. Find the following configuration:
    #server {
    #    listen       443 ssl;
    #    server_name  localhost;
    #    ssl_certificate      cert.pem;
    #    ssl_certificate_key  cert.key;
    #    ssl_session_cache    shared:SSL:1m;
    #    ssl_session_timeout  5m;
    #    ssl_ciphers  HIGH:!aNULL:!MD5;
    #    ssl_prefer_server_ciphers  on;
    #    location / {
    #        root   html;
    #        index  index.html index.htm;
    #    }
    #}
  2. Delete comment tags (#) at the beginning of the lines.
    server {  
                 listen              443 ssl;  
                 server_name         localhost;
                 ssl_certificate     cert.pem;  
                 ssl_certificate_key cert.key;
                 ssl_session_cache   shared:SSL:1m;  
                 ssl_session_timeout 5m;  
                 ssl_ciphers         HIGH:!aNULL:!MD5;         
                 ssl_prefer_server_ciphers  on;  
                 location / {  
                            root     html; 
                            index    index.html index.htm;  
                             }  
    }
  3. Modify the following parameters according to Table 1.
    ssl_certificate          cert/server.crt;    
    ssl_certificate_key      cert/server.key;   

    The complete configuration is as follows. Modify other parameters based on your needs.

    server {
            listen       443 ssl; # Set the default HTTPS port to 443. If the default HTTPS port is not configured, Nginx may fail to start.
            server_name  www.domain.com; #Replace www.domain.com with the domain name associated with your certificate.
            ssl_certificate      cert/server.crt; #Replace cert/server.crt with the path of the certificate file.
            ssl_certificate_key  cert/server.key; #Replace cert/server.key with the path of the private key.
            ssl_session_cache    shared:SSL:1m;
            ssl_session_timeout  5m;
            ssl_ciphers  HIGH:!aNULL:!MD5; #Encryption suite
            ssl_prefer_server_ciphers  on;
            location / {
                root   html; #Site directory
                index  index.html index.htm; #Add attributes.
                       }  
    }

    Do not directly copy all configuration. Only attributes starting with ssl are directly related to the certificate configuration. Modify other parameters based on site requirements.

    Table 1 Parameters

    Parameter

    Description

    listen

    SSL access port number. Set the value to 443.

    Set the default HTTPS port to 443. If the default HTTPS port is not configured, Nginx may fail to start.

    server_name

    Domain name which the certificate is used for. Example: www.domain.com

    ssl_certificate

    Certificate file server.crt

    Set the value to the path of the server.crt file. The path cannot contain Chinese characters. An example of the path is cert/server.crt.

    ssl_certificate_key

    Private key file server.key

    Set the value to the path of the server.key file. The path cannot contain Chinese characters. An example of the path is cert/server.key.

  4. Save the configuration file.

Step 5: Verifying the Configuration

Go to the execution directory of Nginx and run the following command:

sbin/nginx -t

If the following information is displayed, the configuration is correct.
nginx.conf syntax is ok
nginx.conf test is successful

Step 6: Restarting Nginx

Run the following command to restart Nginx to make the configuration take effect:

cd /usr/local/nginx/sbin

./nginx -s reload

Step 7: Verifying the Effect

After the deployment succeeds, in the address bar of the browser, enter https://Domain name and press Enter.

If a security padlock is displayed in the address bar of the browser, the certificate has been installed successfully.