In the past I’ve used PositiveSSL to enable SSL on my domains, you can find my old article at my other blog if you for some reason still want to use PositiveSSL. I purchased my PositiveSSL certificates through namecheap.com a great website where I also purchase my domains. I recently discovered the 100% free StartSSL service and wanted to test it out. My biggest complaint is their website kind of blows, it’s confusing and slow and I had to wait because they were “over capacity” before I could sign up. But that aside, after it’s all over with, it works just fine and was pretty simple. The first step would be to go sign up and get the ball rolling. Head on over to their website and you’ll need to do a few steps (clicking a few buttons) to generate a cert for logging into the website. They will ask you to backup that cert etc so you don’t lose access to your account. When that is all said and done lets get started generating our domain certificates on our web server.
We need to do a few things to create a certificate signing request file that we will use on the StartSSL website to generate our certificate.
openssl genrsa -des3 -out example.com_secure.key 4096
You will be prompted for a password when creating this. Supply a password but don’t worry we will be removing this later in this guide before we enable it on the domain.
openssl req -new -key example.com_secure.key -out example.com.csr
OpenSSL will ask you for various information regarding country code, company name etc. Fill it out to the best of your ability. This is all we need to do at this point. We need to shift back over to the StartSSL website now. Hopefully your account has been validated and you are able to use it by now. If not, resume this guide when you have access to the website.
When you have access to the StartSSL website, head to your control panel and hit up the Validations Wizard. Choose “Domain Name Validation” from the dropdown and proceed through the steps to add your domain name.
After you have validated your domain you should proceed to the “Certificates Wizard” and choose “Web Server SSL/TLS Certificate” from the dropdown and continue through the steps to create your certificate. You’ll be asked to supply the CSR from earlier. Simply paste the contents of the file we created on the server and submit it. You’ll be required to supply one subdomain to create your certificate. This is your choice but if you plan on using “www.” on your domain at all you should choose this as your subdomain. At the end you will have to wait for a few hours for an email to arrive saying that your certificate has been approve with a link to obtain it.
You will be presented with another textbox that has the certificate in it. Copy the contents and then create a new file on the server and name it .pem
Paste the contents in and save the file.
Now you need to download two more files from StartSSL
Now we need to get rid of the password on your key file.
sudo chmod 777 ~/ssl
openssl rsa -in example.com_secure.key -out example.com.key
Now we have to concatenate all the certs together for use with nginx
cat example.com.pem sub.class1.server.ca.pem ca.pem > example.com_chain.pem
The unencrypted key should only be readable by the owner of the nginx master process, which should be root.
chmod 400 example.com.key
sudo chown root:root example.com.key
I typically move the files into the nginx folder now to keep them there.
sudo mkdir /etc/nginx/ssl
sudo mv ~/ssl/* /etc/nginx/ssl/
You need to modify your domain’s virtual host file to change the port and add the certificate information. the top lines inside the main “server” block for that domain should read like this.
listen 443 ssl;
If you run a HTTPS-only site, you should consider using HTTP Strict Transport Security (HSTS). HSTS tells a browser that the website should only be accessed through a secure connection. Just add this below the certificate lines.
add_header Strict-Transport-Security max-age=31536000;
If you serve a page over HTTPS, usually you will never allow your content to be framed. This can be specified by the X-Frame-Options header. You can configure this by then adding this line below the previous ones.
add_header X-Frame-Options DENY;
After you have saved the virtual host file (/etc/nginx/sites-available/domain) you need to restart nginx for the changes to take affect.
sudo service nginx restart
That should be it!