Prerequisite: before we can install the SSL/TLS certificate on Nginx, make sure you have already acquired the certificate from the Certificate Authority (CA).
OS Version: CentOS 8.2 x64
OpenSSL Version: OpenSSL 1.1.1c FIPS 28 May 2019
Before we proceed, let's confirm the list of files we need to have:
- Certificate file (ex: domain.com.crt)
- Key file (ex: domain.com.key)
- CA Bundle (ex: domain.com.ca_bundle)
Now let's open the configuration file /etc/nginx/nginx.conf and find the TLS section in it:
# Settings for a TLS enabled server.
#
# server {
# listen 443 ssl http2 default_server;
# listen [::]:443 ssl http2 default_server;
# server_name _;
# root /usr/share/nginx/html;
#
# ssl_certificate "/etc/pki/nginx/server.crt";
# ssl_certificate_key "/etc/pki/nginx/private/server.key";
# ssl_session_cache shared:SSL:1m;
# ssl_session_timeout 10m;
# ssl_ciphers PROFILE=SYSTEM;
# ssl_prefer_server_ciphers on;
#
# # Load configuration files for the default server block.
# include /etc/nginx/default.d/*.conf;
#
# location / {
# }
#
# error_page 404 /404.html;
# location = /40x.html {
# }
#
# error_page 500 502 503 504 /50x.html;
# location = /50x.html {
# }
# }
As you can see, the TLS section is commented out since this particular server has no certificates installed. Before we enable it, let's put the certificate files in the proper location. The files can be placed anywhere, but for the sake of good organization let's use the location nginx expects to find them at:
# ssl_certificate "/etc/pki/nginx/server.crt";
# ssl_certificate_key "/etc/pki/nginx/private/server.key";
NOTE: Nginx expects only two files in the configuration instead of three. So what do we do with the third one, the CA bundle? We will merge it into the certificate file (domain.com.crt). The order matters: the server certificate must come first in that file and the CA bundle (the intermediate certificates) after it, which is exactly what appending does.
Installation of the SSL/TLS Certificate on Nginx!
- Merge the CA Bundle content into the Certificate file:
[root@bluegrid-edu ~]# cat domain.com.ca_bundle.crt >> domain.com.crt
- Check if the /etc/pki/nginx/ and /etc/pki/nginx/private/ directories exist:
[root@bluegrid-edu ~]# ls -l /etc/pki/nginx/ /etc/pki/nginx/private/
ls: cannot access '/etc/pki/nginx/': No such file or directory
ls: cannot access '/etc/pki/nginx/private/': No such file or directory
- In our case, these directories don’t exist and need to be created:
[root@bluegrid-edu ~]# mkdir /etc/pki/nginx/ /etc/pki/nginx/private/
- Make sure they are there:
[root@bluegrid-edu ~]# ls -l /etc/pki/nginx/ /etc/pki/nginx/private/
/etc/pki/nginx/:
total 0
drwxr-xr-x. 2 root root 6 Jul 31 15:31 private
/etc/pki/nginx/private/:
total 0
- Move Certificate files to appropriate locations:
[root@bluegrid-edu ~]# mv domain.com.crt /etc/pki/nginx/
[root@bluegrid-edu ~]# mv domain.com.key /etc/pki/nginx/private/
- Now we can uncomment the TLS configuration and reference the domain.com.crt and domain.com.key files from within the configuration block:
# Settings for a TLS enabled server.
server {
    listen 443 ssl http2 default_server;
    listen [::]:443 ssl http2 default_server;
    server_name _;
    root /usr/share/nginx/html;

    # Certificate file (server certificate followed by the CA bundle) and private key,
    # at the paths the files were moved to above.
    ssl_certificate "/etc/pki/nginx/domain.com.crt";
    ssl_certificate_key "/etc/pki/nginx/private/domain.com.key";
    ssl_session_cache shared:SSL:1m;
    ssl_session_timeout 10m;
    ssl_ciphers PROFILE=SYSTEM;
    ssl_prefer_server_ciphers on;

    # Load configuration files for the default server block.
    include /etc/nginx/default.d/*.conf;

    location / {
    }

    error_page 404 /404.html;
    location = /40x.html {
    }

    error_page 500 502 503 504 /50x.html;
    location = /50x.html {
    }
}
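Before restarting, the merge, move and configuration steps above can be checked from the same shell; the script below is an added example, not part of the original article. It verifies that the merged file starts with the server certificate and contains intermediates, that the private key is readable by its owner only, that the key actually belongs to the certificate, and that nginx accepts the configuration. It assumes openssl and nginx are on PATH (as on the CentOS 8 host above) and takes the file names as arguments, so the domain.com.* names are whatever you pass in.

```sh
#!/bin/sh
# Pre-flight checks for the chain merge, key placement and config reload steps above.
# Added example, not from the original article; file names are whatever you pass in.
set -u

# Merge leaf certificate and CA bundle. Order matters: the file given to
# ssl_certificate must start with the server (leaf) certificate, then the intermediates.
merge_chain() {  # merge_chain LEAF BUNDLE OUT
    cat "$1" "$2" > "$3"
}

# Number of PEM certificate blocks in a file (a full chain has more than one).
pem_cert_count() {
    grep -c -- '-----BEGIN CERTIFICATE-----' "$1"
}

# Returns 0 when the first PEM block of OUT is byte-identical to LEAF.
leaf_first() {  # leaf_first OUT LEAF
    head -n "$(wc -l < "$2")" "$1" | cmp -s - "$2"
}

# Returns 0 when the private key has no group/other permission bits (e.g. mode 0600).
key_private() {
    [ "$(ls -ld "$1" | cut -c5-10)" = "------" ]
}

# Returns 0 when the key's public half equals the certificate's public key (needs openssl).
key_matches_cert() {  # key_matches_cert KEY CERT
    k=$(openssl pkey -in "$1" -pubout 2>/dev/null) || return 1
    c=$(openssl x509 -in "$2" -noout -pubkey 2>/dev/null) || return 1
    [ -n "$k" ] && [ "$k" = "$c" ]
}

# Run every check, then validate nginx.conf before the restart step.
preflight() {  # preflight LEAF BUNDLE KEY OUT
    merge_chain "$1" "$2" "$4" || return 1
    leaf_first "$4" "$1" || { echo "leaf certificate must come first in $4" >&2; return 1; }
    [ "$(pem_cert_count "$4")" -gt 1 ] || { echo "no intermediate certificates in $4" >&2; return 1; }
    chmod 600 "$3" && key_private "$3" || { echo "cannot restrict $3 to owner only" >&2; return 1; }
    key_matches_cert "$3" "$1" || { echo "$3 does not match $1" >&2; return 1; }
    nginx -t   # must pass before: systemctl restart nginx
}
```

A typical call on the host above would be `preflight domain.com.crt domain.com.ca_bundle.crt /etc/pki/nginx/private/domain.com.key /etc/pki/nginx/domain.com.crt`, run before the systemctl restart.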
Restart the nginx service:
[root@bluegrid-edu ~]# systemctl restart nginx
Test the HTTPS connection:
[root@bluegrid-edu ~]# curl -I https://domain.com
HTTP/2 200
server: nginx/1.14.1
date: Fri, 31 Jul 2020 16:08:29 GMT
content-type: text/html
content-length: 4057
last-modified: Mon, 07 Oct 2019 21:16:24 GMT
etag: "5d9bab28-fd9"
accept-ranges: bytes
And that is it!
Related article: How to Generate the CSR for SSL Certificate