Offering a secure connection has become good practice in recent years, and Google has lately been using it as a ranking signal. Here is a short guide on how to install a cheap but trustworthy certificate on nginx.
Published on Mon, January 12, 2015
First of all, create a directory to hold the private key, the certificate request and the certificates:
sudo mkdir /etc/nginx/ssl && cd /etc/nginx/ssl
The next step is to create the private key for the certificate you will install later on:
sudo openssl genrsa -des3 -out {domainname}.key 2048
Replace {domainname} with the real domain name of your website and remember the password you have to provide here. (If you omit -des3, the key is written unencrypted and the password-removal step below is not needed.)
Now create the certificate signing request (CSR) from that key; this is the file you hand to the certificate vendor:
sudo openssl req -new -key {domainname}.key -out {domainname}.csr
Important: the requested common name must be the host name you want to secure, exactly as users type it into the browser (at least in most cases).
If your key file is password protected, that password must be entered every time the key is loaded (on each (re)start of nginx, for example). So it's probably a good compromise to remove it:
sudo cp {domainname}.key {domainname}.key.org
sudo openssl rsa -in {domainname}.key.org -out {domainname}.key
The key is now stored in the clear, so make sure /etc/nginx/ssl and the key file are owned by root and readable by root only (mode 0600): anyone who can read the key can impersonate your site.
Now go and order your certificate. I have had good experiences with the cheap PositiveSSL certificates; they are currently as cheap as 7,55 EUR/year at namecheap.com and maybe even less expensive elsewhere.
The zip archive you received via email should contain the following files: {domainname}.crt (your own certificate), COMODORSADomainValidationSecureServerCA.crt and COMODORSAAddTrustCA.crt (the two intermediate CA certificates) and AddTrustExternalCARoot.crt (the root).
Copy them all to the SSL directory.
Your {domainname}.crt will work out of the box for most browsers. However, some will reject the certificate, which results in an unusable site for your users. That occurs especially on current Android devices (tested with Android 5.0).
The reason is that {domainname}.crt on its own only proves that it was issued by "COMODO RSA Domain Validation Secure Server CA", an intermediate CA that the client does not have in its trust store. Desktop browsers usually fetch the missing intermediates themselves or have them cached from earlier visits; many Android browsers do not, so they cannot build a chain up to a root they trust and reject the certificate. The fix is for the server to send the intermediates along with its own certificate. To do so, chain the certificates you just copied to /etc/nginx/ssl, in this order: your certificate first, then the CA that issued it, then the CA that issued that one. (The root at the end is optional, since clients must already have it; leaving it out saves a few bytes per handshake.)
sudo bash -c 'cat {domainname}.crt COMODORSADomainValidationSecureServerCA.crt COMODORSAAddTrustCA.crt AddTrustExternalCARoot.crt > {domainname}-chained.crt'
Now add or edit your server's configuration and provide the following:
server {
    listen 443 ssl;
    server_name {domainname};

    location / {
        # Configuration as usual
    }

    ssl_certificate     /etc/nginx/ssl/{domainname}-chained.crt;
    ssl_certificate_key /etc/nginx/ssl/{domainname}.key;
    ssl_session_timeout 5m;
    ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
    ssl_ciphers "HIGH:!aNULL:!MD5:!3DES";
    ssl_prefer_server_ciphers on;
}
Three notes on this block: "listen 443 ssl" is the form nginx recommends instead of the older "ssl on" directive, which has since been deprecated; ssl_ciphers takes exactly one cipher list (the one above drops NULL authentication, MD5 and 3DES), not two alternatives joined with "or"; and TLSv1 and TLSv1.1 are only there for old clients and have since been deprecated, so drop them unless you must support such clients. Run "sudo nginx -t" before reloading so that a typo or a certificate/key mismatch does not take the site down.
Now you should be able to connect through HTTPS to your website - congratulations!
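The steps above (key, CSR, chain, config) are easy to get subtly wrong, and the symptom is a site that works in your own browser and fails on someone else's phone. The following is an added example, not code from the original post or from the certificate vendor: it builds a throwaway root, intermediate and server certificate with openssl, then shows why the bare server certificate cannot be validated by a client that only knows the root, checks that a chain file starts with the server certificate (nginx presents the first certificate in the file as the server's own), and checks that a key really belongs to a certificate before nginx is reloaded. The names "Test Root" and "Test Intermediate", the host name example.test and the working directory are constructed test data and assumptions of this example.

```shell
#!/bin/sh
# Added example (not from the original post): a throwaway three-level PKI
# (root -> intermediate -> leaf) to show why the intermediate must be shipped
# with the server certificate, in which order, and how to check a chain file
# and key before handing them to nginx. "Test Root", "Test Intermediate",
# example.test and $WORK are constructed test data, not vendor material.
set -eu

WORK="${WORK:-$(mktemp -d)}"

# Minimal openssl config so the example does not depend on the system's
# openssl.cnf; -subj overrides the placeholder CN on every call.
cat >"$WORK/pki.cnf" <<'EOF'
[req]
distinguished_name = dn
prompt = no
[dn]
CN = placeholder
[ca_ext]
basicConstraints = critical,CA:TRUE
keyUsage = critical,keyCertSign,cRLSign
subjectKeyIdentifier = hash
[leaf_ext]
basicConstraints = CA:FALSE
keyUsage = digitalSignature,keyEncipherment
extendedKeyUsage = serverAuth
subjectAltName = DNS:example.test
EOF

# Create root.crt, int.crt and leaf.crt (plus their keys) in $WORK.
make_test_pki() {
  (
    cd "$WORK"
    # Keys without -des3: no passphrase, so nothing to strip later.
    openssl genrsa -out root.key 2048 2>/dev/null
    openssl genrsa -out int.key 2048 2>/dev/null
    openssl genrsa -out leaf.key 2048 2>/dev/null
    # Self-signed root: the only thing the simulated client trusts.
    openssl req -x509 -new -key root.key -out root.crt -days 3650 \
      -config pki.cnf -extensions ca_ext -subj "/CN=Test Root"
    # Intermediate CA, signed by the root.
    openssl req -new -key int.key -out int.csr -config pki.cnf \
      -subj "/CN=Test Intermediate"
    openssl x509 -req -in int.csr -CA root.crt -CAkey root.key -CAcreateserial \
      -out int.crt -days 3650 -extfile pki.cnf -extensions ca_ext 2>/dev/null
    # Server certificate, signed by the intermediate (like {domainname}.crt).
    openssl req -new -key leaf.key -out leaf.csr -config pki.cnf \
      -subj "/CN=example.test"
    openssl x509 -req -in leaf.csr -CA int.crt -CAkey int.key -CAcreateserial \
      -out leaf.crt -days 825 -extfile pki.cnf -extensions leaf_ext 2>/dev/null
  )
}

# What nginx needs: the server certificate first, then each certificate that
# signed the one before it. The root is left out; clients already have it.
build_chain() {  # build_chain LEAF INTERMEDIATE... > chainfile
  cat "$@"
}

# nginx presents the first PEM block of ssl_certificate as the server's own
# certificate, so that block must carry our host name.
chain_first_cert_is() {  # chain_first_cert_is CHAINFILE HOSTNAME
  openssl x509 -in "$1" -noout -subject | grep -q "CN *= *$2\$"
}

# Simulate a client that trusts only the root. Without the intermediate (what
# a bare {domainname}.crt gives an Android browser) no chain can be built.
verify_against_root() {  # verify_against_root ROOT LEAF [CHAINFILE]
  if [ $# -ge 3 ]; then
    openssl verify -CAfile "$1" -untrusted "$3" "$2" >/dev/null 2>&1
  else
    openssl verify -CAfile "$1" "$2" >/dev/null 2>&1
  fi
}

# Refuse to deploy a certificate whose public key is not the one in the key
# file nginx will load (a classic mix-up after re-keying).
key_matches_cert() {  # key_matches_cert KEYFILE CERTFILE
  [ "$(openssl pkey -in "$1" -pubout 2>/dev/null)" = \
    "$(openssl x509 -in "$2" -noout -pubkey)" ]
}

make_test_pki
build_chain "$WORK/leaf.crt" "$WORK/int.crt" >"$WORK/chain.crt"
build_chain "$WORK/int.crt" "$WORK/leaf.crt" >"$WORK/chain-wrong-order.crt"

if verify_against_root "$WORK/root.crt" "$WORK/leaf.crt"; then
  echo "leaf alone: verified (unexpected)"
else
  echo "leaf alone: no issuer found; this is the Android failure"
fi
verify_against_root "$WORK/root.crt" "$WORK/leaf.crt" "$WORK/chain.crt" \
  && echo "leaf + chain file: verified"
chain_first_cert_is "$WORK/chain.crt" example.test \
  && echo "chain.crt starts with the server certificate"
chain_first_cert_is "$WORK/chain-wrong-order.crt" example.test \
  || echo "chain-wrong-order.crt starts with the intermediate: nginx would serve the wrong certificate"
key_matches_cert "$WORK/leaf.key" "$WORK/leaf.crt" \
  && echo "leaf.key matches leaf.crt"
```

For a real deployment the same three checks apply to /etc/nginx/ssl/{domainname}-chained.crt and {domainname}.key, with the vendor's root certificate as the -CAfile; note that openssl verify accepts the intermediates in any order, which is exactly why the separate first-certificate check is worth running.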
PS: If you want to make sure everything is configured correctly from a security standpoint, check out the Qualys SSL Server Test. A missing intermediate shows up there as "Chain issues: Incomplete", which is the quickest way to confirm that the chained certificate above is actually the one being served.
Thilo pointed out that there is even a serious offer of free certificates provided by StartSSL. I will give it a try in the future.