Thomas Bandt

How to run a website on nginx with a SSL certificate from PositiveSSL

Offering a secure connection has become a good practice in previous years. It has also been a ranking signal for Google lately. Here is a short guide on how to install a cheap but trustworthy certificate on nginx.

Published on Monday, 12 January 2015

Create an SSL directory

First of all, create a directory where all the requests and certificates belong to:

sudo mkdir /etc/nginx/ssl && cd /etc/nginx/ssl

Create a Server Key

The next step is to create a key for the certificate you're installing later on:

sudo openssl genrsa -des3 -out {domainname}.key 2048

Replace {domainname} with the real domain name of your website and remember the password you have to provide here.

Create a Certificate Signing Request

sudo openssl req -new -key {domainname}.key -out {domainname}.csr

Important: The requested common name should be the domain name you want to secure (at least in most cases).

Remove the Password from the Server Key

If your key file is password protected, that password must be provided each time the key file is used (on each (re-)start of nginx, for example). So it's probably a good compromise to remove it.

sudo cp {domainname}.key {domainname}
sudo openssl rsa -in {domainname} -out {domainname}.key

Order your Certificate

Now go and order your certificate. I have made good experiences with the cheap PositiveSSL certificates; they are currently as cheap as 7,55 EUR/year at and maybe even less expensive elsewhere.

Install the Positive SSL Certificate for nginx

Copy the files you got to /etc/nginx/ssl

The zip archive you received via email should contain the following files.

  • AddTrustExternalCARoot.crt
  • COMODORSAAddTrustCA.crt
  • COMODORSADomainValidationSecureServerCA.crt
  • {domainname}.crt

Copy them all to the SSL directory.

Chain the Certificates

Your {domainname}.crt will work out of the box for most browsers. However, some will reject the certificate, which results in an unusable site for your users. That occurs especially on current Android devices (tested with Android 5.0).

The reason for that is, frankly speaking, that these browsers don't know the source of the certificate. That can easily be changed by providing the information. To do so, chain the certificates you just copied to /etc/nginx/ssl.

sudo bash -c 'cat {domainname}.crt COMODORSAAddTrustCA.crt COMODORSADomainValidationSecureServerCA.crt AddTrustExternalCARoot.crt > {domainname}-chained.crt'

Configure your nginx server

Now add or edit your server's configuration and provide the following:

server {
    listen 443;
    server_name {yourdomain};

    location / {
                    # Configuration as usual

    ssl on;
    ssl_certificate /etc/nginx/ssl/{domainname}-chained.crt;
    ssl_certificate_key /etc/nginx/ssl/{domainname}.key;

    ssl_session_timeout 5m;

    ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
    ssl_ciphers "HIGH:!aNULL:!MD5 or HIGH:!aNULL:!MD5:!3DES";
    ssl_prefer_server_ciphers on;

That's it

Now you should be able to connect through HTTPS to your website - congratulations!

PS: If you want to make sure everything is configured correctly from a security standpoint, check out the Qualsys SSL Server Test.


Thilo pointed out that there is even a serious offer of free certificates provided by StartSSL. I will give it a try in the future.

What do you think? Drop me a line and let me know!