Securing Nginx with HTTPS

Adding a certificate and using the HTTPS protocol is a good improvement to the security of the communication between the browser and the server, and should be in place on all sites that have a user login. Contrary to what many (older) guides say, it doesn’t add much load on your server and is fairly easy and cheap to set up right.

First of all, make sure Nginx is installed and running. I highly recommend running the latest version from Nginx’ own Ubuntu repository.

Generate key and CSR

Generate the server’s private key:

The number (2048) is the key length in bits. Anything shorter is expected to be considered unsafe soon and should be avoided for new keys. Anything longer is unnecessary and will only waste CPU.

Generate the Certificate Signing Request (CSR):

Fill in the requested fields, but please note the following:

  • Enter your FQDN for “Common Name (e.g. server FQDN or YOUR name)”. In this case it’s “www.example.com”.
  • Press [ENTER] (blank) for “A challenge password”

Most Certificate Authorities will issue a certificate that is valid for both www.example.com and example.com if you provide www.example.com as FQDN. The opposite is NOT the case.

Make sure the files are readable by root only:
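The key and CSR steps above, as an added example that is not the article's own commands: it runs non-interactively with `-subj` (which also leaves the challenge password blank) and then checks the key size, the Common Name, the file permissions, and that the CSR really belongs to the key. The scratch directory, file names and helper function names are assumptions; on a server the files would sit under /etc/ssl and be owned by root.

```bash
#!/usr/bin/env bash
# Added example, not the article's commands. File names and the scratch
# directory are assumptions; on a server the files would live under /etc/ssl.

# make_key_and_csr DIR FQDN
# Creates DIR/FQDN.key (2048-bit RSA) and DIR/FQDN.csr with CN=FQDN and no
# challenge password, both readable and writable by their owner only.
make_key_and_csr() {
  local dir=$1 fqdn=$2
  (
    umask 077   # never let the key exist with wider permissions, even briefly
    openssl genrsa -out "$dir/$fqdn.key" 2048 2>/dev/null &&
    openssl req -new -key "$dir/$fqdn.key" -subj "/CN=$fqdn" -out "$dir/$fqdn.csr"
  ) && chmod 600 "$dir/$fqdn.key" "$dir/$fqdn.csr"
}

# key_bits KEYFILE: print the RSA modulus size in bits
key_bits() {
  openssl rsa -in "$1" -noout -text 2>/dev/null |
    sed -n 's/.*Private-Key: (\([0-9]*\) bit.*/\1/p'
}

# csr_cn CSRFILE: print the Common Name the CA will see
csr_cn() {
  openssl req -in "$1" -noout -subject -nameopt multiline |
    sed -n 's/^ *commonName *= *//p'
}

# csr_matches_key CSRFILE KEYFILE: succeed only if the CSR was made from this key
csr_matches_key() {
  [ "$(openssl req -in "$1" -noout -pubkey)" = "$(openssl pkey -in "$2" -pubout)" ]
}

# file_mode FILE: print the permission string, e.g. -rw-------
file_mode() { ls -l "$1" | cut -c1-10; }

# Demo run in a throwaway directory (run as root on a real server)
demo=$(mktemp -d)
make_key_and_csr "$demo" www.example.com
echo "key bits: $(key_bits "$demo/www.example.com.key")"
echo "CSR CN:   $(csr_cn "$demo/www.example.com.csr")"
echo "key mode: $(file_mode "$demo/www.example.com.key")"
csr_matches_key "$demo/www.example.com.csr" "$demo/www.example.com.key" && echo "CSR matches key"
rm -rf "$demo"
```

Running the same `csr_matches_key` check before submitting the CSR catches the common mistake of sending a request built from a different key than the one Nginx will load.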

Acquire the certificate from a CA

Go to the web site of a Certificate Authority or affiliate. For securing regular web sites, I usually get a domain validated Comodo PositiveSSL certificate from SSLs.com. They’re really cheap and more than good enough for most cases.

When you get the certificate from the CA – usually within an hour – place it in /etc/ssl/certs/example.com.crt

Intermediate Certificate Advisory

The certificate issuer will most likely provide you with an Intermediate Certificate Advisory or two. You MUST install the intermediate certificates on the server together with the certificate.

Save the intermediate certificate to /etc/ssl/certs/

In my case the two provided intermediate certs will be these two files:

Concatenate the certificates to one file (order is important):

Configure Nginx

Copy your existing server block and add the 4 SSL specific lines so the start of your new server block looks like this:

Now reload your config and you should be done:

You are now done with the basic configuration of HTTPS on Nginx. The next steps are first to enable HTTP/2, and then you should dive into optimizing HTTPS on Nginx.
