Certificate Installation Generate Key Nginx Digitalocean

In this article you will find step-by-step information in Hindi, with examples, about installing a GoDaddy SSL certificate on a DigitalOcean server (Ubuntu Nginx server). How to Install GoDaddy SSL with Nginx on Ubuntu 18.04 version - DigitalOcean Server in Hindi. I have a Flask app running on port 8000 of my droplet on DigitalOcean. Jun 23, 2015 How To Create an ECC Certificate on Nginx for Debian 7. Create an Elliptic Curve Cryptography (ECC) key pair for more efficient certificate encryption. ECC keys provide security equivalent to that of larger RSA keys while being smaller in size, reducing the resources needed on the server and offering faster performance for mobile devices.

Introduction

This article explains how to create an Elliptic Curve Cryptography (ECC) SSL certificate for Nginx. By the end of this tutorial, you will have a faster encryption mechanism for production use.

Traditional public-key cryptography such as RSA relies on the difficulty of factoring large integers. ECC, on the other hand, relies on the difficulty of recovering a private number from a public point on an elliptic curve, a problem that’s called the “elliptic curve discrete logarithm problem” or ECDLP. In short, ECC offers smaller keys with similar security, and this in turn translates into higher performance for the digital signatures used in SSL.

This tutorial, and all ECC certificates, depend on an elliptic-curve protocol, which can come in several flavors. The National Institute of Standards and Technology (NIST) Suite B specifies two potential elliptic curves for use, P-256 and P-384, otherwise known as prime256v1 and secp384r1. For simplicity, we will use the former, prime256v1, as it is simple but practical.

Prerequisites

To follow this tutorial, you will need:

  • One fresh Debian 8.1 Droplet
  • A sudo non-root user, which you can set up by following steps 2 and 3 of this tutorial
  • OpenSSL installed and updated

To test, you will need one of two systems, with OpenSSL installed and updated:

  • Another Linux Droplet
  • Linux-based local system (Mac, Ubuntu, Debian, etc.)

Step 1 — Install Nginx

In this step, we will use a built-in package installer called apt-get. It simplifies management drastically and facilitates a clean installation.

In the link specified in the prerequisites, you should have updated apt-get and installed the sudo package, as unlike other Linux distributions, Debian 8 does not come with sudo installed.

Nginx is the aforementioned HTTP server, focused on handling large loads with low memory usage. To install it, run the following:

For information on the differences between Nginx and Apache2, the two most popular open source web servers, see this article.

Step 2 — Create Directory

This section is simple and short. We need to store the private key and certificate in a memorable location, so we need to create a new directory.

Step 3 — Create a Self Signed ECC Certificate

In this section, we will request a new certificate and sign it.

First, generate an ECC private key using OpenSSL’s ecparam tool.

  • The out flag directs output to a file. For this tutorial, we will save the key in /etc/nginx/ssl/nginx.key.
  • The name flag identifies the elliptic curve prime256v1.

Then, generate a certificate signing request.

  • The key flag specifies the path to our key, generated in the previous command.
  • The out flag specifies the path to our generated certificate.

Invoking this command will result in a series of prompts.

  • Common Name: Specify your server’s IP address or hostname.
  • Challenge Password: Do not supply one.
  • Fill out all other fields at your own discretion. Hit ENTER to accept the defaults.

Finally, self-sign the certificate. The certificate is then used by the client to encrypt data only the server can read.

  • x509 is the OpenSSL tool used to generate the certificate.
  • The days flag specifies how long the certificate should remain valid. With this example, the certificate will last for one year.
  • in specifies our previously-generated certificate request.

Set the file permissions to protect your private key and certificate. For more information on the three-digit permissions code, see the tutorial on Linux permissions.

Your certificate and the private key that protects it are now ready for setup.
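
The three OpenSSL steps above, written out as an added example (not the tutorial's own commands) that runs without prompts in a scratch directory rather than /etc/nginx/ssl. The file names csr.pem and nginx.pem, the 600 mode and the address 203.0.113.10 are assumptions; the two check functions confirm that the certificate carries a prime256v1 key and that it belongs to the private key.

```shell
#!/usr/bin/env bash
# Added example: Step 3 run non-interactively, then verified.

# make_ecc_cert DIR CN: write nginx.key, csr.pem and nginx.pem under DIR.
# csr.pem and nginx.pem are assumed names; the page only names nginx.key.
make_ecc_cert() (
    umask 077    # files are owner-only from the moment they are created
    mkdir -p "$1" &&
    # ecparam: -name selects the curve, -genkey emits a key, -out is the file
    openssl ecparam -name prime256v1 -genkey -noout -out "$1/nginx.key" &&
    # req: -subj answers the prompts; no challenge password is set
    openssl req -new -key "$1/nginx.key" -subj "/CN=$2" -out "$1/csr.pem" &&
    # x509: sign the request with the same key, valid for one year
    openssl x509 -req -days 365 -in "$1/csr.pem" \
        -signkey "$1/nginx.key" -out "$1/nginx.pem" 2>/dev/null &&
    chmod 600 "$1/nginx.key" "$1/nginx.pem"
)

# cert_curve CERT: print the named curve of the certificate's public key.
cert_curve() {
    openssl x509 -in "$1" -noout -text | sed -n 's/.*ASN1 OID: *//p'
}

# key_matches_cert KEY CERT: succeed only if both hold the same public key.
key_matches_cert() {
    [ "$(openssl pkey -in "$1" -pubout)" = \
      "$(openssl x509 -in "$2" -noout -pubkey)" ]
}

# Demo: 203.0.113.10 is a constructed address from the documentation range.
demo=$(mktemp -d)
make_ecc_cert "$demo" 203.0.113.10
echo "curve: $(cert_curve "$demo/nginx.pem")"
key_matches_cert "$demo/nginx.key" "$demo/nginx.pem" && echo "key matches certificate"
rm -rf "$demo"
```

Running key_matches_cert against the files Nginx is configured to load catches a mismatched key and certificate pair before a restart does.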

Step 4 — Setup the Certificate

In this section, we will configure Nginx virtual hosts with the key and certificate. In effect, our server will begin serving HTTPS instead of HTTP requests.

Open the server configuration file using nano or your favorite text editor.

At the top of the configuration file, you will find a block of code, akin to the following:

The next few edits will be made inside the server block.

  1. First, comment out the first two lines of the server block by preceding each line with a pound sign:

/etc/nginx/sites-enabled/default

  2. Then, uncomment the first listen line underneath SSL Configuration by removing the pound sign. Indent properly, and also remove ssl default_server.
  3. Update the root directory, directly underneath the commented block. The original reads server_name _;. Change it to include your server IP, so that it reads server_name your_server_ip.
  4. After server_name, add your SSL key and certificate paths.

/etc/nginx/sites-enabled/default

  5. Finally, add SSL settings.

Your final result should be identical to the following.

/etc/nginx/sites-enabled/default

Once these changes have been made, save and exit out of the file.

Restart Nginx to apply the changes.

Step 5 — Test Nginx with ECC

In this section, we will test the server, through the command line. Once again, this may be done on either (1) your local Linux-based system or (2) another Droplet. You may also run this command from the same shell window, but you may want a more solid proof of success.

Open a connection to the HTTPS port, 443.

openssl s_client -connect your_server_ip:443

Scroll to the middle of the output after the key output, and you should find the following:

Of course, the numbers are variable, but this is success. Congratulations!

Press CTRL+C to exit.

You can also visit your site in a web browser, using HTTPS in the URL (https://example.com). Your browser will warn you that the certificate is self-signed. You should be able to view the certificate and confirm that the details match what you entered in Step 4.

Conclusion

This concludes our tutorial, leaving you with a working Nginx server, configured securely with an ECC certificate. For more information on working with OpenSSL, see the OpenSSL Essentials article.

Create a CSR using OpenSSL & install your SSL certificate on your Nginx server

Use the instructions on this page to use OpenSSL to create your certificate signing request (CSR) and then to install your SSL certificate on your Nginx server.

Restart Note: After you've installed your SSL/TLS certificate and configured the server to use it, you must restart your Nginx instance.

  1. To create your certificate signing request (CSR), see Nginx: Creating Your CSR with OpenSSL.

  2. To install your SSL certificate, see Nginx: Installing & Configuring Your SSL Certificate.

I. Nginx: Creating Your CSR with OpenSSL

Use the instructions in this section to create your own shell commands for generating your Nginx CSR using OpenSSL.

Recommended: Save yourself some time. Use the DigiCert OpenSSL CSR Wizard to generate an OpenSSL command for creating your Nginx CSR. Just fill out the form, click Generate, and then paste your customized OpenSSL command into your terminal.

How to Generate a CSR for Nginx Using OpenSSL

If you prefer to build your own shell commands to generate your Nginx CSR, follow the instructions below.

  1. Log in to your server via your terminal client (ssh).

  2. Run Command

    At the prompt, type the following command:

    Note: Make sure to replace server with the name of your server.

    openssl req -new -newkey rsa:2048 -nodes -keyout server.key -out server.csr
  3. Generate Files

    1. You've now started the process for generating the following two files:

      • Private-Key File: Used to generate the CSR and later to secure and verify connections using the certificate.
      • Certificate Signing Request (CSR) file: Used to order your SSL certificate and later to encrypt messages that only its corresponding private key can decrypt.
    2. When prompted for the Common Name (domain name), type the fully qualified domain (FQDN) for the site that you are going to secure.

      Note: If you're generating a Nginx CSR for a Wildcard certificate, make sure your common name starts with an asterisk (e.g., *.example.com).

    3. When prompted, type your organizational information, beginning with your geographic information.

      Note: You may have already set up default information.

    4. Now, your .csr file will be created.

  4. Order Your SSL/TLS Certificate

    1. Open the .csr file that you created with a text editor.

    2. Copy the text, including the -----BEGIN NEW CERTIFICATE REQUEST----- and -----END NEW CERTIFICATE REQUEST----- tags, and paste it in to the DigiCert order form.

  5. Save Private Key

    Save (back up) the generated .key file. You'll need it later when installing your SSL certificate.

  6. Install Certificate

    After you've received your SSL certificate from DigiCert, you can install it on your server.

II. Nginx: Installing & Configuring Your SSL Certificate

If you still need to create a certificate signing request (CSR) and order your certificate, see Nginx: Creating Your CSR with OpenSSL.

After we've validated and issued your SSL certificate, you can install it on the Nginx server where the CSR was generated and configure the server to use it.

How to Install and Configure Your SSL Certificate

  1. Primary and intermediate certificates

  2. Note: Make them readable by root only to increase security.

  3. Concatenate the primary and intermediate certificates

    1. You need to concatenate your primary certificate file (your_domain_name.crt) and the intermediate certificate file (DigiCertCA.crt) into a single .pem file.

    2. To concatenate the files, run the following command:

      cat your_domain_name.crt DigiCertCA.crt > bundle.crt
  4. Edit the Nginx virtual hosts file

    1. Open your Nginx virtual host file for the website you're securing.

    2. Make a copy of the existing non-secure server module and paste it below the original.

      Note: If you need your site to be accessible through both secure (https) and non-secure (http) connections, you'll need a server module for each type of connection.

    3. Next, add the lines in bold below:

      server {
          # "ssl on;" is obsolete since nginx 1.15.0; enable TLS on the listen line
          listen 443 ssl;
          # primary certificate combined with the intermediate (or bundle.crt)
          ssl_certificate /etc/ssl/your_domain_name.pem;
          ssl_certificate_key /etc/ssl/your_domain_name.key;
          server_name your.domain.com;
          access_log /var/log/nginx/nginx.vhost.access.log;
          error_log /var/log/nginx/nginx.vhost.error.log;
          location / {
              root /home/www/public_html/your.domain.com/public/;
              index index.html;
          }
      }
    4. Adjust the file names to match your certificate files:

      • ssl_certificate should be your primary certificate combined with the intermediate certificate that you made in the previous step (e.g., your_domain_name.crt).

      • ssl_certificate_key should be the .key file generated when you created the CSR.

  5. Restart Nginx.

    Run the following command to restart Nginx:

  6. Congratulations! You've successfully installed your SSL certificate.

  7. Troubleshooting:

    1. Use the DigiCert® SSL Installation Diagnostics Tool

      If your website is publicly accessible, our SSL Certificate Checker can help you diagnose common problems.

    2. Use a browser and visit your site

      Open a web browser and visit your site using https. We recommend testing your site with Firefox; this browser will give you a warning if your intermediate certificate is not installed. You shouldn't receive any browser warnings or errors.

      1. If you immediately receive a browser message about the site not being available, then Nginx may not yet be listening on port 443.

      2. If your web request takes a very long time and times out, a firewall may be blocking traffic on TCP port 443 to the web server.

      3. If you receive a 'not trusted' warning, view the certificate to see if it is the certificate you expect.

        • When you view the certificate, check the Subject, Issuer, and Valid To fields

        • If you had to concatenate the certificate files, your primary certificate (e.g., your_domain_name.crt) may not be correctly combined with the intermediate certificate.

    3. For more information, see the Nginx SSL documentation.
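
An added check for the concatenation step and the 'not trusted' troubleshooting case above (example code, not DigiCert's): it confirms that the first certificate in the bundle was issued by the second. The function names and the throwaway CA that stands in for DigiCertCA.crt are constructed for the example.

```shell
#!/usr/bin/env bash
# Added example: sanity-check a concatenated bundle before Nginx loads it.

# split_bundle BUNDLE DIR: write each PEM certificate to DIR/cert-N.pem
split_bundle() {
    awk -v d="$2" '/-----BEGIN CERTIFICATE-----/ { n++ }
                   n { print > (d "/cert-" n ".pem") }' "$1"
}

# dn CERT FIELD: print the subject or issuer distinguished name
dn() {
    openssl x509 -in "$1" -noout "-$2" -nameopt RFC2253 | sed "s/^$2= *//"
}

# bundle_order_ok BUNDLE: 0 if certificate 1 names certificate 2 as its
# issuer (primary first, intermediate second); 1 if the order is wrong
# or the intermediate is missing.
bundle_order_ok() {
    tmp=$(mktemp -d) || return 2
    rc=1
    split_bundle "$1" "$tmp"
    if [ -f "$tmp/cert-2.pem" ] &&
       [ "$(dn "$tmp/cert-1.pem" issuer)" = "$(dn "$tmp/cert-2.pem" subject)" ]
    then
        rc=0
    fi
    rm -rf "$tmp"
    return $rc
}

# make_sample_chain DIR: constructed test data, a throwaway CA saved as
# DigiCertCA.crt and a certificate it issues for your.domain.com.
make_sample_chain() (
    cd "$1" &&
    openssl req -x509 -newkey rsa:2048 -nodes -keyout ca.key -days 30 \
        -subj "/CN=Sample Intermediate CA" -out DigiCertCA.crt 2>/dev/null &&
    openssl req -new -newkey rsa:2048 -nodes -keyout server.key \
        -subj "/CN=your.domain.com" -out server.csr 2>/dev/null &&
    openssl x509 -req -in server.csr -CA DigiCertCA.crt -CAkey ca.key \
        -CAcreateserial -days 30 -out your_domain_name.crt 2>/dev/null
)

demo=$(mktemp -d)
make_sample_chain "$demo"
cat "$demo/your_domain_name.crt" "$demo/DigiCertCA.crt" > "$demo/bundle.crt"
bundle_order_ok "$demo/bundle.crt" && echo "bundle order ok"
rm -rf "$demo"
```

The comparison is by name only; it catches a reversed or incomplete bundle but does not verify signatures or expiry dates.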

    Nginx Server Configuration

    For information about Nginx server configurations that can strengthen your SSL environment: