How to generate a CSR code on Nginx using OpenSSL

A Certificate Signing Request (CSR code) is a block of encoded text that contains the information about the organization that applies for an SSL certificate, the domain that needs to be secured and the public key; it is signed with the matching private key, which stays on your server. A CSR is what you give to a Certificate Authority such as GeoTrust or COMODO to generate your SSL certificate. It is an essential part of obtaining an SSL certificate.

To generate the CSR code on an Nginx server you can use the openssl command-line utility.

Open up a command line interface and use the following command:

openssl req -new -newkey rsa:2048 -nodes -keyout server.key -out server.csr

You will be asked to enter the following information that will be incorporated into your certificate request. Please use only alphanumeric characters when filling in the details.

Required Attributes

Country Name: enter two-letter code of your country.

State or Province Name: enter the complete name of your state, province or region.

Locality Name: enter the complete name of your city or locality.

Organization Name: provide the officially registered name of your business. For Organization Validation and Extended Validation certificates the Certificate Authority will verify the submitted organization. For Domain Validated certificates this field is not listed in the issued certificate (you can use ‘NA’ here for a Domain Validation certificate if you do not have a registered organization).

Organization Unit Name: provide the name of a division or department within the organization entered above. You can use ‘NA’ for Domain Validation Certificates.

Common Name: enter the fully qualified domain name (ex.: domain.com or sub.domain.com) you would like to secure with an SSL certificate. If the certificate you are activating is a Wildcard SSL, use the following format for the common name: *.example.com. Note that CAs issue for the names in the Subject Alternative Name extension and modern browsers ignore the Common Name entirely, so make sure every hostname you need (for example both example.com and www.example.com) is also listed in the CA's order form or in a subjectAltName extension in the CSR.

Email Address: Enter your e-mail address. The e-mail used for the CSR generation will not be used for the domain control validation or for the reception of an issued certificate.

Extra Attributes

You will also be prompted for some extra attributes. They are optional; enter a dot ‘.’ to leave a field blank or just press Enter.

A Challenge Password: You can leave this field blank.

An Optional Company Name: This option can be also left blank.

As a result, two files are created: server.key, the private key (it will be needed later for the certificate installation; because of -nodes it is stored unencrypted, so restrict its permissions to root, keep it on the server and never send it to the CA), and server.csr, which holds the CSR code you submit for the certificate activation.

Open the server.csr file in the text editor you prefer, copy its content including the -----BEGIN CERTIFICATE REQUEST----- header and the -----END CERTIFICATE REQUEST----- footer, and paste it into the CA's activation form.
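The same procedure in a non-interactive form, as an added example that is not part of the original post: -subj answers the prompts, -addext puts every hostname into a subjectAltName extension (which needs OpenSSL 1.1.1 or newer), and three checks are run before the CSR leaves the server: the Common Name and SAN list are what you expect, the CSR's self-signature verifies, and the public key inside it is the one derived from server.key. The hostnames, subject fields and WORKDIR are placeholders.

```shell
#!/bin/sh
# Added example (not part of the original post): generate the key and CSR
# non-interactively, with a Subject Alternative Name, and run the checks
# worth doing before the CSR is submitted. Requires OpenSSL 1.1.1 or newer
# (for -addext). Hostnames, subject fields and WORKDIR are placeholders.
set -eu

WORKDIR="${WORKDIR:-$(mktemp -d)}"

# gen_csr <common name> [extra DNS name ...]
# Same as the interactive command in the post, but -subj answers the prompts
# and -addext adds every hostname to the subjectAltName extension.
gen_csr() {
    cn="$1"; shift
    sans="DNS:$cn"
    for extra in "$@"; do sans="$sans,DNS:$extra"; done
    openssl req -new -newkey rsa:2048 -nodes -sha256 \
        -keyout "$WORKDIR/server.key" -out "$WORKDIR/server.csr" \
        -subj "/C=HR/ST=Zagreb/L=Zagreb/O=NA/OU=NA/CN=$cn" \
        -addext "subjectAltName=$sans" 2>/dev/null
    # -nodes writes the private key unencrypted: keep it readable by its owner only.
    chmod 600 "$WORKDIR/server.key"
}

# Common Name as the CA will read it from the CSR subject.
csr_cn() {
    openssl req -in "$WORKDIR/server.csr" -noout -subject -nameopt RFC2253 \
        | sed -n 's/.*CN=\([^,]*\).*/\1/p'
}

# Comma-separated SAN list, e.g. "DNS:example.com,DNS:www.example.com".
csr_sans() {
    openssl req -in "$WORKDIR/server.csr" -noout -text \
        | awk '/Subject Alternative Name/ { getline; gsub(/ /, ""); print; exit }'
}

# The CSR is signed with the private key; a failing self-signature means the
# file was damaged (for example by a copy/paste that lost a line).
csr_signature_ok() {
    openssl req -in "$WORKDIR/server.csr" -noout -verify >/dev/null 2>&1
}

# The public key in the CSR must be the one derived from server.key, or the
# issued certificate will not match the key nginx is configured with.
key_matches_csr() {
    from_key=$(openssl pkey -in "$WORKDIR/server.key" -pubout 2>/dev/null | openssl sha256)
    from_csr=$(openssl req -in "$WORKDIR/server.csr" -noout -pubkey | openssl sha256)
    [ "$from_key" = "$from_csr" ]
}

gen_csr example.com www.example.com
echo "CN:   $(csr_cn)"
echo "SANs: $(csr_sans)"
csr_signature_ok && key_matches_csr && echo "CSR checks passed; submit $WORKDIR/server.csr"
```

Run it as is to get a key and CSR for example.com and www.example.com under a temporary directory; set WORKDIR to keep them somewhere permanent. The key/CSR match check is the one that catches the classic mistake of regenerating the key after the CSR was already submitted.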

Creating an SSL bundle

After you receive the certificate you need to create an SSL bundle (your server certificate followed by the CA chain in a single file), which is what Nginx expects in ssl_certificate.

Usually you will have 4 files (the names below are the ones COMODO sent; your CA's intermediate and root files may be named differently):

  • certificate.crt
  • COMODORSADomainValidationSecureServerCA.crt
  • COMODORSAAddTrustCA.crt
  • AddTrustExternalCARoot.crt

Procedure

  1. Open files in a text editor
  2. Create a new blank text file
  3. Copy the contents of all files, in the order listed above (your certificate first, then the intermediates, then the root), and paste them into the new file. Nginx requires the server certificate to be the first entry; the root is optional, since clients already have it in their trust store.
  4. Save newly created file as ssl-bundle.crt
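To try the bundle procedure offline, and to check a bundle before it goes into Nginx, here is an added example that is not part of the original post. It builds a throwaway chain (a root CA, one intermediate CA and a server certificate standing in for certificate.crt), assembles ssl-bundle.crt in the order Nginx expects, verifies that the leaf chains to the root through the bundle, and walks the bundle to confirm that each entry is the issuer of the one before it, which is the mistake the order check in an installation checker reports. The names, the single-intermediate layout and WORKDIR are placeholders; a real bundle uses the files your CA sends.

```shell
#!/bin/sh
# Added example (not part of the original post): build a throwaway chain
# (root CA -> intermediate CA -> server certificate), assemble ssl-bundle.crt
# in the order nginx expects, and verify both the chain and the order.
# Names, the one-intermediate layout and WORKDIR are placeholders.
set -eu

WORKDIR="${WORKDIR:-$(mktemp -d)}"
cd "$WORKDIR"

# new_csr <name> <common name>: private key and CSR in <name>.key / <name>.csr.
new_csr() {
    openssl req -new -newkey rsa:2048 -nodes -sha256 -subj "/CN=$2" \
        -keyout "$1.key" -out "$1.csr" 2>/dev/null
}

make_chain() {
    # Root CA: self-signed, with explicit CA extensions so the chain verifies
    # regardless of what the local openssl.cnf defaults to.
    new_csr root "Example Root CA"
    printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign,cRLSign\n' > ca.ext
    openssl x509 -req -in root.csr -signkey root.key -days 3650 -sha256 \
        -extfile ca.ext -out root.crt 2>/dev/null
    # Intermediate CA, signed by the root.
    new_csr inter "Example Intermediate CA"
    openssl x509 -req -in inter.csr -CA root.crt -CAkey root.key -CAcreateserial \
        -days 1825 -sha256 -extfile ca.ext -out inter.crt 2>/dev/null
    # Server certificate, signed by the intermediate (this is "certificate.crt").
    new_csr server example.com
    printf 'basicConstraints=CA:FALSE\nsubjectAltName=DNS:example.com\n' > server.ext
    openssl x509 -req -in server.csr -CA inter.crt -CAkey inter.key -CAcreateserial \
        -days 365 -sha256 -extfile server.ext -out certificate.crt 2>/dev/null
}

# The bundle nginx wants: server certificate first, then each intermediate
# (the issuer of the previous entry). The root is omitted: clients already have it.
make_bundle() {
    cat certificate.crt inter.crt > ssl-bundle.crt
}

# Does the leaf chain to the trusted root through the certificates in the bundle?
verify_chain() {
    openssl verify -CAfile root.crt -untrusted ssl-bundle.crt certificate.crt
}

# CN of the first certificate in a bundle: must be the server's hostname.
bundle_cn() {
    openssl x509 -in "$1" -noout -subject -nameopt RFC2253 \
        | sed -n 's/.*CN=\([^,]*\).*/\1/p'
}

# Walk the bundle in file order: entry N must be the issuer of entry N-1.
# Prints "ok", or "broken at N" for the first entry that is not.
check_order() {
    rm -f part.*
    awk '/-----BEGIN CERTIFICATE-----/ { n++ } n > 0 { print > ("part." n) }' "$1"
    prev_issuer=""
    i=0
    for f in $(ls part.* | sort -t. -k2 -n); do
        i=$((i + 1))
        subj=$(openssl x509 -in "$f" -noout -subject -nameopt RFC2253 | sed 's/^subject= *//')
        if [ -n "$prev_issuer" ] && [ "$subj" != "$prev_issuer" ]; then
            echo "broken at $i"
            return 1
        fi
        prev_issuer=$(openssl x509 -in "$f" -noout -issuer -nameopt RFC2253 | sed 's/^issuer= *//')
    done
    echo ok
}

make_chain
make_bundle
verify_chain
echo "first entry: $(bundle_cn ssl-bundle.crt), order: $(check_order ssl-bundle.crt)"
# Pasted in the wrong order the chain still verifies with openssl, but nginx
# would present the intermediate as the server certificate.
cat inter.crt certificate.crt > wrong-order.crt
echo "first entry: $(bundle_cn wrong-order.crt), order: $(check_order wrong-order.crt || true)"
```

Point check_order and bundle_cn at a real ssl-bundle.crt to check it before copying it to the server; openssl verify alone is not enough, because it treats the bundle as an unordered pool and passes a wrongly ordered file.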

Copy that file to the server and use it in your nginx server block like this:

# "ssl on;" was deprecated in nginx 1.15.0 and removed in 1.25.1; enable TLS on the listen directive instead (replace your existing "listen 443;").
listen 443 ssl;
ssl_certificate /www/project/ssl/ssl-bundle.crt;
ssl_certificate_key /www/project/ssl/server.key;

# SSLv2 and SSLv3 are weak and stay disabled. TLS 1.0 and 1.1 were deprecated by RFC 8996, so only add them back if you must support legacy clients. TLSv1.3 needs nginx 1.13.0+ built against OpenSSL 1.1.1+.
ssl_protocols TLSv1.2 TLSv1.3;

# Restricts the cipher list and puts the AEAD suites first. Note that "!DES" excludes single DES only: the *DES-CBC3-SHA entries (3DES) are still allowed and are considered weak today (Sweet32); drop them unless very old clients need them.
ssl_ciphers "ECDHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA256:ECDHE-RSA-AES256-SHA:ECDHE-RSA-AES128-SHA:DHE-RSA-AES256-SHA256:DHE-RSA-AES128-SHA256:DHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA:ECDHE-RSA-DES-CBC3-SHA:EDH-RSA-DES-CBC3-SHA:AES256-GCM-SHA384:AES128-GCM-SHA256:AES256-SHA256:AES128-SHA256:AES256-SHA:AES128-SHA:DES-CBC3-SHA:HIGH:!aNULL:!eNULL:!EXPORT:!DES:!MD5:!PSK:!RC4";

ssl_prefer_server_ciphers on;

Save your changes, check the configuration for syntax errors with nginx's -t option (a typo in the certificate path would otherwise take the site down), and restart Nginx for the changes to take effect:

sudo service nginx restart

Validating SSL certificate installation

Go to your domain using https://; if everything works you should see your site. Then check that the served certificate, chain order and expiry are right with the DigiCert® SSL Installation Diagnostics Tool.

Enter your server address and click on Check Server. You should get all green.

Sources

While writing this post I have used these sources:

What is a Certificate Signing Request?

How to generate a CSR code on Apache/Nginx using OpenSSL

How do I make my own bundle file from CRT files?

Mario Bašić

About Mario Bašić

Sometimes backward to move forward. Always.