Certificate Installation: NGINX
Posted by Gareth S on 22 November 2012 10:08 AM


Needed for this task:

  • PEM encoded certificates (Root, Intermediate(s) and Domain/Device)

Combine (Concatenate) multiple certificates into one file

Combining the certificates into one file can be accomplished in many ways. 

Note: Please be aware that the file names used in this article are for example purposes ONLY! 

Please modify accordingly to suit your needs based on the type of certificate you have.

If you're unsure what file names you should be using, then please consult our article: Which is Root? Which is Intermediate?

  1. If you have the individual certificate files (e.g. AddTrustExternalCARoot.crt): 
    • Using the 'cat' command (found on Unix and Unix-like Operating Systems):
      • Syntax: cat <Device/Entity Cert> <Intermediates (reverse order)> <Root> >> ssl-bundle.crt
      • Example Syntax: cat www_yourdomain_com.crt ComodoHigh-AssuranceSecureServerCA.crt AddTrustExternalCARoot.crt >> ssl-bundle.crt
      • Note: '>>' appends to the target file, so make sure ssl-bundle.crt does not already exist before running the command.

    • Using a GUI based text editor.
      • Copy contents of the files into ONE file in ascending order (opposite order of what is shown) as per our article: Which is Root? Which is Intermediate?
      • Save file as ssl-bundle.crt

  2. If you have a .crt and .ca-bundle: 
    • Using the cat command (found on Unix and Unix-like Operating Systems): 
      • Syntax: cat <Device/Entity Cert> <Bundle> >> ssl-bundle.crt
      • Example Syntax: cat www_yourdomain_com.crt www_yourdomain_com.ca-bundle >> ssl-bundle.crt

    • Using a GUI based text editor. 
      • Copy contents of: 'www_yourdomain_com.crt' into 'www_yourdomain_com.ca-bundle' on top of the existing text.
      • Save new file as ssl-bundle.crt.

Configure your nginx Virtual Host

* Move the newly created ssl-bundle.crt to where you save your certificate files, e.g. /etc/ssl/certs/ 
* Create or modify your website's configuration file, which may be located in one of the following: 
  * /etc/nginx/sites-available/ 
  * /usr/local/nginx/sites-available/ 

Ensure it has the following: 
-- Set 'ssl' to on. 
-- Set 'listen' to your SSL port; typically 443. 
-- Set 'ssl_certificate' to the location of your site certificate. 
-- Set 'ssl_certificate_key' to the location of your private key. 

Optionally you can set the following: 
-- ssl_ciphers ALL:!aNULL:!ADH:!eNULL:!LOW:!EXP:RC4+RSA:+HIGH:+MEDIUM; #Disables all weak ciphers
-- ssl_protocols SSLv3 TLSv1; #enables SSLv3/TLSv1, but not SSLv2 which is weak and should no longer be used.

Example of an SSL configured Virtual Host for nginx

server {
    listen 443;

    ssl on;
    ssl_certificate /etc/ssl/certs/mysite_com.crt;
    ssl_certificate_key /etc/ssl/private/mysite.key;
    # Enables SSLv3/TLSv1, but not SSLv2, which is weak and should no longer be used.
    ssl_protocols SSLv3 TLSv1;
    # Disables all weak ciphers
    ssl_ciphers ALL:!aNULL:!ADH:!eNULL:!LOW:!EXP:RC4+RSA:+HIGH:+MEDIUM;

    server_name mysite.com;
}
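
An added example, not part of the original article: the same virtual host with the protocol and cipher lines brought up to current guidance, with the article's 2012-era values kept as comments for comparison. It assumes nginx 1.13.0 or later built against OpenSSL 1.1.1 or later (needed for TLSv1.3) and the ssl-bundle.crt created above; the cipher list is one reasonable AEAD-only selection chosen for this example, not a Comodo recommendation.

```nginx
server {
    # The 'ssl' parameter on 'listen' replaces the standalone 'ssl on;' directive,
    # which nginx made obsolete in 1.15.0 and removed in 1.25.1.
    listen 443 ssl;
    server_name mysite.com;

    # Assumed paths: the concatenated bundle (device certificate first) and its private key.
    # The key file should be readable only by root / the nginx master process.
    ssl_certificate     /etc/ssl/certs/ssl-bundle.crt;
    ssl_certificate_key /etc/ssl/private/mysite.key;

    # Article (weak today):  ssl_protocols SSLv3 TLSv1;
    # SSLv3 is prohibited by RFC 7568 (POODLE); TLS 1.0 and 1.1 are deprecated by RFC 8996.
    ssl_protocols TLSv1.2 TLSv1.3;

    # Article (weak today):  ssl_ciphers ALL:!aNULL:!ADH:!eNULL:!LOW:!EXP:RC4+RSA:+HIGH:+MEDIUM;
    # That string starts from ALL and never excludes RC4 (prohibited by RFC 7465),
    # 3DES or CBC-mode suites. The list below keeps only ECDHE key exchange with AEAD ciphers.
    # It applies to TLS 1.2; TLS 1.3 suites are handled separately by OpenSSL.
    ssl_ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305;

    # Every suite above is strong, so the client may pick the one it runs fastest.
    ssl_prefer_server_ciphers off;
}
```

Run nginx -t after editing to confirm the configuration parses and the certificate and key load before reloading the server.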

© 2012 SSLHelpdesk.com All rights reserved