A Certificate Signing Request (CSR code) is a block of encoded text that contains information about the organization applying for an SSL certificate and the domain that needs to be secured. A CSR is what you give to a Certificate Authority such as GeoTrust or COMODO to generate your SSL certificate. It is an essential part of obtaining an SSL certificate.
To generate the CSR code on an Nginx server you can use the openssl command line utility.
Open up a command line interface and use the following command:
openssl req -new -newkey rsa:2048 -nodes -keyout server.key -out server.csr
You will be asked to enter the following information that will be incorporated into your certificate request. Please use only alphanumeric characters when filling in the details.
Country Name: enter the two-letter code of your country.
State or Province Name: enter the complete name of your state, province or region.
Locality Name: enter the complete name of your city or locality.
Organization Name: provide the officially registered name of your business. For Organization and Extended Validation certificates, Certificate Authorities will verify the submitted organization. For Domain Validated SSLs the content of this field will not be listed in the issued certificate (you can use ‘NA’ here for a Domain Validation certificate if you do not have a registered organization).
Organization Unit Name: provide the name of a division or department within the organization entered above. You can use ‘NA’ for Domain Validation certificates.
Common Name: enter the fully qualified domain name (ex.: domain.com or sub.domain.com) you would like to secure with an SSL certificate. If the certificate you are activating is a Wildcard SSL, use the following format for the common name: *.example.com.
Email Address: Enter your e-mail address. The e-mail used for the CSR generation will not be used for the domain control validation or for the reception of an issued certificate.
You will also be prompted to enter some extra attributes. They are optional; you can input a dot ‘.’ to leave the fields blank or just press
A Challenge Password: You can leave this field blank.
An Optional Company Name: This option can be also left blank.
As a result, two files will be created:
server.key with the private key (it will be needed later for the certificate installation) and
server.csr with the CSR code you need to submit for the certificate activation.
You need to open the server.csr file with the text editor you prefer, copy its content along with the header -----BEGIN CERTIFICATE REQUEST----- and footer -----END CERTIFICATE REQUEST-----, and use it to activate the certificate.
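The CSR step above, run non-interactively and then checked before you submit it, as an added example that is not part of the original post. The working directory and subject values (Example Corp, www.example.com) are constructed; -subj pre-fills the prompts listed above in the same order.

```shell
#!/bin/sh
# Added example, not code from the original post. Generates the key and CSR
# exactly as the article's command does, then verifies the CSR before it is
# sent to the CA. Subject fields and directory names are constructed.
set -eu

# Generate key + CSR in one step; -subj answers the interactive prompts
# in the order the article lists them: C, ST, L, O, OU, CN, emailAddress.
gen_csr() {
  dir=$1
  mkdir -p "$dir"
  openssl req -new -newkey rsa:2048 -nodes \
    -keyout "$dir/server.key" -out "$dir/server.csr" \
    -subj "/C=US/ST=California/L=San Francisco/O=Example Corp/OU=IT/CN=www.example.com/emailAddress=admin@example.com" \
    2>/dev/null
}

# Returns 0 only when: both PEM markers the article tells you to copy are
# present, the CSR's self-signature verifies, the CN is the host you meant
# to secure, and the public key in the CSR is the one derived from server.key
# (a CSR made with a different key yields a certificate Nginx cannot use).
check_csr() {
  dir=$1
  expected_cn=$2
  grep -q -- '-----BEGIN CERTIFICATE REQUEST-----' "$dir/server.csr" || return 1
  grep -q -- '-----END CERTIFICATE REQUEST-----' "$dir/server.csr" || return 1
  # -verify checks the signature the requester made with the private key.
  openssl req -in "$dir/server.csr" -noout -verify >/dev/null 2>&1 || return 1
  # Subject line format differs between OpenSSL versions ("CN=x" vs "CN = x").
  openssl req -in "$dir/server.csr" -noout -subject \
    | grep -q "CN *= *$expected_cn" || return 1
  csr_pub=$(openssl req -in "$dir/server.csr" -noout -pubkey)
  key_pub=$(openssl pkey -in "$dir/server.key" -pubout)
  [ "$csr_pub" = "$key_pub" ]
}

# The private key was written unencrypted (-nodes); keep it owner-readable
# only before copying it to the server.
lock_key() {
  chmod 600 "$1/server.key"
}
```

Run gen_csr on a scratch directory, then check_csr with the Common Name you entered; a non-zero exit means the CSR should not be submitted.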
Creating an SSL bundle
After you receive the certificate you need to create an SSL bundle which you can use with Nginx.
Usually you will have 4 files:
- Open the files in a text editor
- Create a new blank text file
- Copy the contents of all files in the order specified above and paste them into the new file
- Save the newly created file as
Copy that file to the server and use it in your Nginx site block like this:
ssl on;
ssl_certificate /www/project/ssl/ssl-bundle.crt;
ssl_certificate_key /www/project/ssl/server.key;
# Enables all versions of TLS, but not SSLv2 or 3, which are weak and now deprecated.
ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
# Disables all weak ciphers
ssl_ciphers "ECDHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA256:ECDHE-RSA-AES256-SHA:ECDHE-RSA-AES128-SHA:DHE-RSA-AES256-SHA256:DHE-RSA-AES128-SHA256:DHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA:ECDHE-RSA-DES-CBC3-SHA:EDH-RSA-DES-CBC3-SHA:AES256-GCM-SHA384:AES128-GCM-SHA256:AES256-SHA256:AES128-SHA256:AES256-SHA:AES128-SHA:DES-CBC3-SHA:HIGH:!aNULL:!eNULL:!EXPORT:!DES:!MD5:!PSK:!RC4";
ssl_prefer_server_ciphers on;
Save your changes and restart Nginx for the changes to take effect:
sudo service nginx restart
Validating SSL certificate installation
Go to your domain using https://; if everything works you should see your site. Be sure to check that everything works by using the DigiCert® SSL Installation Diagnostics Tool. Enter your server address and click on Check Server. You should get all green.
While writing this post I have used these sources: