Using Namecheap’s Free SSL with Nginx

First thing we need to do is create a private key for your site, this key will be used both in Nginx and in creating the certificate signing request. To make things easier create a folder called certs in your Nginx configuration folder (ie: /opt/local/nginx/conf).

server {
   	listen 80;
	server_name subdomain-if-used.your-domain.com;
 
	# ... rest of your stuff here
}
server {
	# to ensure you do not cause issues with certificates, 
	# explicitly bind the domain to its intended IP.
   	listen 1.1.1.1:443;
	server_name subdomain-if-used.your-domain.com;
 
	# the next three lines enables the SSL Certificate to be served
	ssl on;
	ssl_certificate certs/domain.pem;
	ssl_certificate_key certs/domain.key;	
 
	# ... rest of your stuff here
}

You will be prompted to enter a passphrase (make sure you remember this). Once the key has been generated you’ll need to make a certificate signing request.

server { 
   listen 1.1.1.1:80; 
   server_name billing.domain.com; 
   rewrite ^(.*) https://$server_name$1 permanent; 
}
server {
   	listen 1.1.1.1:443;
	server_name billing.domain.com;
 
	ssl on;
	ssl_certificate certs/domain.pem;
	ssl_certificate_key certs/domain.key;	
 
	# ... rest of your stuff here
}

Above will prompt you for the passphrase you entered above. Then it’ll prompt you for your country code, state, city, business/company name, unit name (can be blank), common name, email address and some extra information.

When it comes to the common name, it is very important to understand that the free PositiveSSL is not the more expensive wildcard certificate. Meaning if you are assigning a certificate to subdomain.domain.com , the certificate will only be good for that specific domain, likewise a certificate made for www.domain.com won’t be good for any other subdomain.

You’ll also want to make sure to use a valid email address, as the certificate providers may send your final certificate to that address.

Now that you have created a CSR file, you’ll want to grab the content of the file for your SSL order.

server {
	listen 1.1.1.1:80; 
	listen 1.1.1.1:443 default ssl; 
 
	server_name billing.domain.com;
 
	#ssl on; this can be turned off since the above will automatically enable it
	ssl_certificate certs/domain.pem;
	ssl_certificate_key certs/domain.key;	
 
	# ... rest of your stuff here
}

You’ll want to copy the output for this next step.

If you have not yet ordered a domain or transferred a domain to Namecheap, be sure to watch for the Comodo SSL offer that shows up near the end of checkout. It will look something like this:

SSL Option

Simply click the link to add it to your order. The SSL Certificate is not restricted just to the domain you ordered or transferred (as it also comes with hosting and whois guard) since you assign a domain after the order has been completed.

Now you should be able to click on “SSL Certificates” -> “Your SSL Certificates”, and see a list similar to this.

Your SSL Certs

As you can see I been taking advantage of their special lately (there’s least 3 others not shown above already assigned).

To start assigning a certificate to a domain click on the “Activate Now” link. You’ll then see a form showing the type of certificate, number of years purchased, the server type and a text area. You’ll want to select “Other” for server type as there’s no Nginx option. You would then paste your CSR content into the box provided.

Once you click next it’ll ask you to verify your information and select an email to receive the certificate. When completed it’ll take roughly two hours to receive.

Once received from “NameCheap.com SSLSupport”, you’ll see your certificate in the email starting with —–BEGIN CERTIFICATE——“. What you will want to do is save that content into a file domain.crt and upload it to your /nginx/conf/certs folder.

But we’ve run into a problem… Nginx supports PEM formated certificates and this is not a PEM formated certificate. So we’ll need to use OpenSSL to convert it to the PEM format.

$ cp server.key server.key.org
$ openssl rsa -in server.key.org -out server.key
$ chmod 400 server.key

You should now have a PEM file.

6 comments

  1. luke says:

    Thanks fro the great write up – this really helped. Brilliant work.

    I’m not sure why – but nginx didn’t actually ask me for the passphrase. Do you know whether removing the passphrase a security issue worth worrying about?

  2. kbeezie says:

    If other users besides yourself have access to the file, it can be a huge security risk. If Nginx doesn’t ask and you set a passphrase on the key, double check to see if you’re actually getting a padlock on your site and that it is correct information.

  3. luke says:

    Actually, thinking about this – the prompt might be being suppressed due to the upstart script that I’m using to start nginx. I’ll investigate and post any result here, in case it helps anyone else.

  4. osb says:

    I followed your tutorial but when I restart nginx, it still ask for me PEM password… am I suppose to change server.key to domain.key for this part:

    $ cp server.key server.key.org
    $ openssl rsa -in server.key.org -out server.key
    $ chmod 400 server.key

  5. kbeezie says:

    Basically if your key is called MyKey.key, then you’d change out the file name [server] to whatever it is that you’re using. The purpose of the second command in your paste there is to output a decrypted key which doesn’t require a passcode (thus also why you lock down the file permission as well).

  6. Huan says:

    Hello. Just found this tutorial via Google. Excellent, I have to say! It helped me install my namecheap’s free SSL cert on my nginx box instantly. Thank you.