Create a CSR using OpenSSL & install SSL certificate on your Nginx server

Generally, OpenSSL is used for CSR generation on Linux-based web servers (Apache or Nginx). If the default web server is installed, there should be no issues with using OpenSSL, as it is installed by default on these servers.

RSA is the key algorithm most widely used in digital security. It is an asymmetric cryptography algorithm, which means that two keys are involved in communication: the public key and the private key.

Generate a CSR using OpenSSL

Log in to your server via your terminal client (ssh) and run the following command:

openssl req -new -newkey rsa:2048 -nodes -keyout server.key -out server.csr

Note: to avoid confusion, we recommend replacing server.key and server.csr with the real domain name the certificate will be issued for, e.g., hibit.key and hibit.csr.

When you run the command, you will be prompted to enter the values in the terminal:

  • Common Name: the domain name the Certificate will be issued for (e.g. domain.com).

    Note: Wildcard certificates should be represented with an asterisk in front (e.g. *.domain.com).

  • Country (C): the two-letter code of the country where the company or applicant is located (e.g. ES for Spain or US for the United States).

  • State (S): the state, county or region the company or applicant is located in (e.g. California).

  • Locality (L): the city where the company or applicant is located (e.g. New York). This parameter should not be abbreviated.

  • Organization (O): the officially registered name of the organization that is applying for a certificate. For Organization and Extended Validation certificates, Certificate Authorities will be verifying the submitted organization. For Domain Validation SSLs, this field is not critical and the details will not be listed on the issued certificate; however, it should at least be filled in with NA.

  • Organization Unit (OU): the name of the department or division within the submitted organization (e.g. SSL Support). For Domain Validation SSLs, this field is not critical; feel free to put NA.

  • Email Address: a valid email address of the company or the applicant. This field is optional.

    Note: this email address won’t be used during the verification process, unless a mistake is found with any of the submitted details. However, this email will be considered an admin contact, unless you change it during the activation process. The SSL will be issued to the admin contact email address once it is activated.

  • Challenge Password and Optional Company Name: please do not use challenge password and leave Optional Company Name field empty too. These values are now obsolete and may cause issues with getting the SSL certificate.

Once you’ve generated your CSR you can use it to order/activate your SSL certificate. To do this, open the file with .csr extension that you created with a text editor and copy the text, including the -----BEGIN NEW CERTIFICATE REQUEST----- and -----END NEW CERTIFICATE REQUEST----- tags.
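The same request can be generated without the interactive prompts and checked before it is submitted. This is an added example, not part of the original article: make_csr and check_csr are hypothetical helper names, and example.com and the subject values are placeholders.

```sh
#!/bin/sh
# Added example: non-interactive CSR generation and a pre-submission check.
# example.com and the subject values below are placeholders.

# make_csr DOMAIN OUTDIR: writes OUTDIR/DOMAIN.key and OUTDIR/DOMAIN.csr
make_csr() {
    domain=$1; outdir=$2
    # umask 077 makes the private key readable by its owner only (0600).
    ( umask 077
      openssl req -new -newkey rsa:2048 -nodes \
          -subj "/C=ES/ST=Madrid/L=Madrid/O=NA/OU=NA/CN=$domain" \
          -keyout "$outdir/$domain.key" -out "$outdir/$domain.csr" 2>/dev/null )
}

# check_csr CSR KEY EXPECTED_CN: returns 0 only if the CSR is safe to submit.
# Assumes CN is the last subject field, as make_csr writes it.
check_csr() {
    csr=$1; key=$2; cn=$3
    # 1. The CSR's self-signature must verify (catches a damaged or edited file).
    openssl req -in "$csr" -noout -verify 2>&1 | grep -q 'verify OK' || return 1
    # 2. The Common Name must be the domain the certificate is ordered for.
    found=$(openssl req -in "$csr" -noout -subject | sed -n 's/.*CN *= *//p')
    [ "$found" = "$cn" ] || return 2
    # 3. The CSR must carry the public key of the private key kept on the server.
    a=$(openssl req -in "$csr" -noout -pubkey | openssl sha256)
    b=$(openssl pkey -in "$key" -pubout | openssl sha256)
    [ "$a" = "$b" ] || return 3
}

# Demo in a throwaway directory (constructed input, nothing is submitted).
tmp=$(mktemp -d)
make_csr example.com "$tmp" \
    && check_csr "$tmp/example.com.csr" "$tmp/example.com.key" example.com \
    && echo "CSR OK"
rm -rf "$tmp"
```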

Install your SSL certificate

After the SSL certificate is validated and issued, you can install it on the Nginx server where the CSR was generated and configure the server to use it.

  1. You should've received a your_domain_name.pem file in an email when your certificate was issued. This .pem file contains both your primary certificate and the intermediate certificate. If you have that .pem file, you can skip to step 4.

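  2. Download the intermediate (intermediate.crt) and your primary certificate (your_domain_name.crt) files. Copy these files, along with the .key file you generated when creating the CSR, to the directory on the server where the certificate and key files are kept (the configuration in step 4 uses /etc/ssl/).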

  3. You need to concatenate your primary certificate file (your_domain_name.crt) and the intermediate certificate file (intermediate.crt) into a single PEM-format file, with the primary certificate first:

    cat your_domain_name.crt intermediate.crt > your_domain_name.bundle.crt

    Usually, an additional file with several other certificate codes (intermediate and root certificates of the SSL chain of trust) is provided along with your SSL certificate. Make sure the final concatenation of all certificates (your_domain_name.bundle.crt) is done correctly, respecting the line breaks and begin/end tags.

  4. Open your Nginx virtual host file for the website you're securing and add the lines below:

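    server {
    #...

    # SSL configuration
    listen 443 ssl;
    listen [::]:443 ssl;

    # Primary + intermediate certificate: the .pem file, or your_domain_name.bundle.crt from step 3
    ssl_certificate /etc/ssl/your_domain_name.pem;
    # Private key generated together with the CSR
    ssl_certificate_key /etc/ssl/your_domain_name.key;

    #...
    }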

    ssl_certificate should be your primary certificate combined with the intermediate certificate that you made in the previous step.
    ssl_certificate_key should be the .key file generated when you created the CSR.

  5. Restart Nginx:

    sudo /etc/init.d/nginx restart

Congratulations! You've successfully installed your SSL certificate.
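Two checks are worth running on the files from steps 3 and 4 before the restart in step 5: that the bundle's begin/end tags survived concatenation, and that the first certificate in the bundle belongs to the private key. This is an added example, not part of the original article; the function names are hypothetical and the demo uses throwaway self-signed certificates as stand-ins.

```sh
#!/bin/sh
# Added example: checks for the certificate bundle and key before restarting Nginx.

# SHA-256 over the public key of the FIRST certificate in a PEM file / of a key.
cert_pubkey_hash() { openssl x509 -in "$1" -noout -pubkey | openssl sha256; }
key_pubkey_hash()  { openssl pkey -in "$1" -pubout | openssl sha256; }

# cert_matches_key BUNDLE KEY: succeeds only if the bundle starts with the
# certificate issued for KEY (primary first, intermediate after it).
cert_matches_key() { [ "$(cert_pubkey_hash "$1")" = "$(key_pubkey_hash "$2")" ]; }

# bundle_well_formed BUNDLE: succeeds only if every BEGIN/END tag sits alone on
# its line. A certificate file without a final newline makes cat fuse
# "-----END CERTIFICATE-----" and "-----BEGIN CERTIFICATE-----" into one line.
bundle_well_formed() {
    tags=$(tr -d '\r' <"$1" | grep -- '-----' || true)
    [ -n "$tags" ] || return 1
    bad=$(printf '%s\n' "$tags" | grep -vxc \
        -e '-----BEGIN CERTIFICATE-----' -e '-----END CERTIFICATE-----' || true)
    begins=$(printf '%s\n' "$tags" | grep -c 'BEGIN' || true)
    ends=$(printf '%s\n' "$tags" | grep -c 'END' || true)
    [ "$bad" -eq 0 ] && [ "$begins" -eq "$ends" ]
}

# preflight BUNDLE KEY: run both checks and report the first failure.
preflight() {
    bundle_well_formed "$1" || { echo "bundle tags are malformed"; return 1; }
    cert_matches_key "$1" "$2" || { echo "certificate does not match key"; return 2; }
    echo "ok"
}

# Demo on constructed input: two throwaway self-signed certificates stand in
# for the primary and intermediate certificates.
demo=$(mktemp -d)
for n in primary intermediate; do
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=$n.test" \
        -keyout "$demo/$n.key" -out "$demo/$n.crt" 2>/dev/null
done
cat "$demo/primary.crt" "$demo/intermediate.crt" > "$demo/bundle.crt"
preflight "$demo/bundle.crt" "$demo/primary.key"                # prints: ok
preflight "$demo/bundle.crt" "$demo/intermediate.key" || true   # prints the mismatch
rm -rf "$demo"
```

On the server, run preflight against the paths used in step 4, then `sudo nginx -t` to test the configuration, and restart only if both succeed.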
