Most of my domains are registered with Namecheap, and powered by Nginx. The site you are viewing now is one such example. Currently with Namecheap, domain registrations, hosting, transfers and WhoIS protection come with a free PositiveSSL subscription (course even if they eventually stop that special, 9.95/year is still a good price for a PositiveSSL certificate). This section will show you how to generate a certificate request with OpenSSL and how to install the provided certificate into Nginx.
Most hosting providers that allow you to install a SSL certificate will normally be using a Cpanel/WHM setup with the Apache Webserver. In which case SSL installation can be quite and visually straight forward, as its pretty much cut and paste back an forth. While you don’t get this luxery with Nginx, its not that difficult to configure.
What you will need on the server:
A unique IP address. The domain you are getting the certificate for does not have the be the only domain served on the chosen IP address. However Nginx will only serve one certificate per IP. An attempt to install two certificates on the same IP will result in the latter domain serving the previous domain’s certificate.
SSH access. Otherwise known as ‘shell access’, would be required to perform most of the tasks yourself. If you have installed Nginx onto a remote server yourself, then chances are you have shell access. Also if you’re running Nginx you’re not likely using shared hosting, which is normally void of shell access.
OpenSSL In order to actually generate a request and serve the certificate you will need OpenSSL installed. Using a repository such as yum on CentOS you can install this with the package openssl and openssl-devel (depending on the repository the package names could vary).
Nginx webserver configured with SSL. In order for Nginx to serve SSL certificates, Nginx must be built with the option –with-http_ssl_module. To verify you can run nginx -V from the terminal to see all the options your current release was built with. If you installed Nginx from a repository, you may need to see if there exists a SSL variation. KBeezie.com is currently running on Nginx 1.0 and hosted by IonVz.
Assuming you have all the above in place, we can start by creating private key followed by the CSR file otherwise known as a Certificate Signing Request.
Thanks fro the great write up – this really helped. Brilliant work.
I’m not sure why – but nginx didn’t actually ask me for the passphrase. Do you know whether removing the passphrase a security issue worth worrying about?
If other users besides yourself have access to the file, it can be a huge security risk. If Nginx doesn’t ask and you set a passphrase on the key, double check to see if you’re actually getting a padlock on your site and that it is correct information.
Actually, thinking about this – the prompt might be being suppressed due to the upstart script that I’m using to start nginx. I’ll investigate and post any result here, in case it helps anyone else.
I followed your tutorial but when I restart nginx, it still ask for me PEM password… am I suppose to change server.key to domain.key for this part:
$ cp server.key server.key.org
$ openssl rsa -in server.key.org -out server.key
$ chmod 400 server.key
Basically if your key is called MyKey.key, then you’d change out the file name [server] to whatever it is that you’re using. The purpose of the second command in your paste there is to output a decrypted key which doesn’t require a passcode (thus also why you lock down the file permission as well).
Hello. Just found this tutorial via Google. Excellent, I have to say! It helped me install my namecheap’s free SSL cert on my nginx box instantly. Thank you.