Tired of expensive SSL certificates? I was paying a fortune with Tencent Cloud (200 RMB just to start, and 500 RMB to renew!). Luckily, I found a fantastic budget-friendly option with ComodoSSLStore – just $40 for 3 years! This post details how I generated a CSR and installed my new SSL certificate on Nginx. A great record for my own reference, and hopefully helpful for others looking for a more affordable solution!

ComodoSSLStore WebSite

Overview of a Certificate Signing Request (CSR)

Before you can generate your SSL Certificate, the certificate requester must create a Certificate Signing Request (CSR) for a domain name or hostname on your web server. The CSR is a standardized way to send the issuing Certificate Authority (CA) your public key, which is paired with a secret private key on the server, and provides relevant information about the requester.

For CSR generation instructions for a specific server, please refer to our index of CSR Generation guides in our SSL Support knowledgebase.
Standard CSR Fields

  1. Common Name (CN) This is the Fully Qualified Domain Name (FQDN) of your server (e.g. www.google.com). This must match exactly what you type in your web browser or you may receive a security error.

  2. Organization Name (O) The legal name of your company/organization (e.g. Google, Inc.). Do not abbreviate your company name; it should include the corporate identifier such as Inc., Corp, or LLC (if applicable). If there is no company associated with the request, you can set this field to “None” or “N/A”.

  3. Locality (L) The city in which you are located (e.g. Mountain View).

  4. State or Province Name (ST) The state or province in which you are located (e.g. California). This field may not be abbreviated.

  5. Country (C) The country in which you are located (e.g. United States or US).

  6. Root Length The bit-length of the key pair determines the strength of the key and how easily it can be cracked using brute-force methods. A 2048-bit key size is the new industry standard and is used to ensure security well into the foreseeable future.

  7. Signature Algorithm
    Hashing algorithms are used by issuing Certificate Authorities to sign certificates and CRLs (Certificate Revocation Lists), producing a unique hash value for each file. It is highly recommended that your certificate be signed with SHA-2, as this is the strongest signature algorithm adopted by the industry.

  8. Private Key As mentioned above, in addition to creating a CSR, the web server will also export another file called a private key. The private key is a unique cryptographic key related to the corresponding CSR and should never be shared with anyone outside your secured server environment.
    The private key is used to decrypt sensitive data that was encrypted with its corresponding public key, and vice versa. If the private key is lost or compromised, malicious users could potentially read your encrypted communications and put your organization’s reputation at risk, which defeats the entire methodology behind the Public Key Infrastructure (PKI).
    If the private key is lost or compromised, we highly recommend creating a new key pair and replacing or reissuing your SSL Certificate.

Sample CSR
Most CSRs are created in the Base-64 encoded PEM format and include the “-----BEGIN CERTIFICATE REQUEST-----” and “-----END CERTIFICATE REQUEST-----” lines as the header and footer tags of the CSR. A standard PEM format CSR will look like the following example:

samplecsr.txt

CSR Generation Instructions

The following instructions will guide you through the CSR generation process on Nginx (OpenSSL). To learn more about CSRs and the importance of your private key, reference our Overview of Certificate Signing Request article. If you already generated the CSR and received your trusted SSL certificate, reference our SSL Installation Instructions and disregard the steps below.

  1. Log in to your server’s terminal via Secure Shell (SSH).
  2. Generate a private key and CSR by running the following command:

openssl-req

Here is the plain text version to copy and paste into your terminal:

openssl req -new -newkey rsa:2048 -nodes -keyout server.key -out server.csr

Note: Replace “server” with the domain name you intend to secure.

  3. Enter the following CSR details when prompted:
    Common Name: The FQDN (fully-qualified domain name) you want to secure with the certificate, such as www.google.com, secure.website.org, *.domain.net, etc.
    Organization: The full legal name of your organization, including the corporate identifier.
    Organization Unit (OU): Your department, such as ‘Information Technology’ or ‘Website Security.’
    City or Locality: The locality or city where your organization is legally incorporated. Do not abbreviate.
    State or Province: The state or province where your organization is legally incorporated. Do not abbreviate.
    Country: The official two-letter country code (e.g. US, CH) where your organization is legally incorporated.
  4. Note: You are not required to enter a password or passphrase; this optional field only adds a layer of protection to your key pair. (With the -nodes option in the command above, the key is written unencrypted and you will not be asked for one.)
  5. Locate and open the newly created CSR in a text editor such as Notepad and copy all the text, including:
-----BEGIN CERTIFICATE REQUEST-----
and
-----END CERTIFICATE REQUEST-----

newly-created-csr

Note 1: Your CSR is saved in the directory you are in when you run the command, i.e. the home directory you land in over SSH unless you specified another path.
Note 2: We recommend saving or backing up your newly generated “.key” file, as it will be required later during the installation process.
6. Return to the Generation Form on our website and paste the entire CSR into the blank text box and continue with completing the generation process.

Upon generating your CSR, your order will enter the validation process with the issuing Certificate Authority (CA) and require the certificate requester to complete some form of validation depending on the certificate purchased. For information regarding the different levels of the validation process and how to satisfy the industry requirements, reference our validation articles.

After you complete the validation process and receive the trusted SSL Certificate from the issuing Certificate Authority (CA), proceed with the next step using our SSL Installation Instructions for Nginx using OpenSSL.

openssl req -new -newkey rsa:2048 -nodes -keyout finuksakabell.com.key -out finuksakabell.com.csr
www.finuksakabell.com

root@vultr:~/csr_gen# openssl req -new -newkey rsa:2048 -nodes -keyout finuksakabell.com.key -out finuksakabell.com.csr
Can't load /root/.rnd into RNG
139777140421056:error:2406F079:random number generator:RAND_load_file:Cannot open file:../crypto/rand/randfile.c:88:Filename=/root/.rnd
Generating a RSA private key
................................................+++++
................................+++++
writing new private key to 'finuksakabell.com.key'
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [AU]:CN
State or Province Name (full name) [Some-State]:Shanghai
Locality Name (eg, city) []:Shanghai
Organization Name (eg, company) [Internet Widgits Pty Ltd]:Shanghai Ruige Software
Organizational Unit Name (eg, section) []:RGSOFT
Common Name (e.g. server FQDN or YOUR name) []:www.finuksakabell.com
Email Address []:fukangsun@yahoo.com
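The same key and CSR generation as the session above, run non-interactively with the DN passed on the command line, followed by the checks worth doing before pasting the CSR into the order form. This is an added example, not code from the ComodoSSLStore guide; the DN values and the hostname example.com are constructed placeholders.

```shell
#!/bin/sh
# Added example, not from the ComodoSSLStore guide: non-interactive key + CSR
# generation plus the checks to run before submitting the CSR to the CA.
# DN values and "example.com" are constructed placeholders; substitute your own.
set -eu

# Generate an unencrypted 2048-bit RSA key and a SHA-256 signed CSR in one go.
# umask 077 inside the subshell makes the key file readable by its owner only.
gen_csr() {   # gen_csr <fqdn> <outdir>
  fqdn=$1; dir=$2
  mkdir -p "$dir"
  ( umask 077; openssl req -new -newkey rsa:2048 -nodes -sha256 \
      -keyout "$dir/$fqdn.key" -out "$dir/$fqdn.csr" \
      -subj "/C=US/ST=California/L=Mountain View/O=Example Corp/OU=IT/CN=$fqdn" \
      -addext "subjectAltName=DNS:$fqdn,DNS:www.$fqdn" 2>/dev/null )
}

# Common Name the CA will see; it must equal the hostname you intend to secure.
csr_cn() {
  openssl req -in "$1" -noout -subject | sed -n 's/.*CN *= *//p'
}

# DNS names requested in the subjectAltName extension (what browsers check).
csr_sans() {
  openssl req -in "$1" -noout -text | sed -n '/Subject Alternative Name/{n;p;}' | tr -d ' '
}

# The CSR must carry the public half of THIS key: compare the RSA moduli.
# A mismatch means the CA would issue a certificate you cannot use.
csr_matches_key() {   # csr_matches_key <csr> <key>
  [ "$(openssl req -in "$1" -noout -modulus)" = "$(openssl rsa -in "$2" -noout -modulus)" ]
}

# The CSR is self-signed with the key; a verify failure means a corrupted copy/paste.
csr_selfsig_ok() {
  openssl req -in "$1" -noout -verify >/dev/null 2>&1
}

# The private key file must not be group- or world-readable (mode 600).
key_perms_ok() {
  [ "$(ls -l "$1" | cut -c5-10)" = "------" ]
}
```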

SSL Installation Instructions

The following instructions will guide you through the SSL installation process on Nginx. If you have more than one server or device, you will need to install the certificate on each server or device you need to secure. If you still have not generated your certificate and completed the validation process, reference our CSR Generation Instructions and disregard the steps below.

  1. Make sure you have all the following files saved before proceeding:
    Your Server Certificate - This is the certificate you received from the CA for your domain. You may have been sent this via email. If not, you can download it by visiting your Account Dashboard and clicking on your order.
    Intermediate Certificates - These files allow the devices connecting to your server to identify the issuing CA. There may be more than one of these certificates. If you got your certificate in a ZIP folder, it should also contain the Intermediate certificate(s), which is sometimes referred to as a CA Bundle. If not, download the appropriate CA Bundle for your certificate.
    Your Private Key - This file should be on your server, or in your possession if you generated your CSR from a free generator tool. On certain platforms, such as Microsoft IIS, the private key is not immediately visible to you but the server is keeping track of it.
  2. Copy the Certificate Files into the proper directory on your server.
    Note: For better security, make them readable by root only.
  3. You need to link the two certificates (or “concatenate” them) into a single file, with your server certificate first and the intermediate second (Nginx requires that order), by entering the command below:
cat your_domain_name.crt Intermediate.crt > bundle.crt
  4. Edit your Nginx virtual host file. Copy the existing server block (the non-secure one), paste it below the original, and add the lines that follow (the listen 443 and ssl_* lines):
server {
    listen 443 ssl;   # "ssl on;" was the older form; it is deprecated since Nginx 1.15.0 and removed in 1.25

    ssl_certificate     /etc/ssl/your_domain_name.pem;   # or /etc/ssl/bundle.crt from step 3
    ssl_certificate_key /etc/ssl/your_domain_name.key;

    server_name your.domain.com;
    access_log /var/log/nginx/nginx.vhost.access.log;
    error_log  /var/log/nginx/nginx.vhost.error.log;

    location / {
        root   /home/www/public_html/your.domain.com/public/;
        index  index.html;
    }
}
  5. Restart Nginx using the command line below:
sudo /etc/init.d/nginx restart
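Before restarting, it pays to check that bundle.crt and the private key actually belong together and that the chain is in the order Nginx expects; a mismatch only shows up as a failed restart. The functions below are an added example, not part of the ComodoSSLStore guide; the file names are assumptions, so substitute the paths from your own ssl_certificate and ssl_certificate_key lines.

```shell
#!/bin/sh
# Added example, not from the ComodoSSLStore guide: checks to run on bundle.crt
# and the private key before restarting Nginx. File names are assumptions.
set -eu

# Build the bundle with the server certificate FIRST, then the intermediate(s):
# Nginx expects that order. '>' rather than '>>' so a re-run does not append
# a second copy of every certificate.
make_bundle() {   # make_bundle <bundle.crt> <server.crt> <intermediate.crt>...
  out=$1; shift
  cat "$@" > "$out"
}

# Number of PEM certificates in the bundle (leaf + one per intermediate).
bundle_count() {
  grep -c 'BEGIN CERTIFICATE' "$1"
}

# Common Name of the FIRST certificate in the bundle; it must be your hostname,
# otherwise the concatenation order is wrong.
bundle_leaf_cn() {
  openssl x509 -in "$1" -noout -subject | sed -n 's/.*CN *= *//p'
}

# Leaf certificate and private key must share one RSA modulus; otherwise Nginx
# refuses the config with an OpenSSL "key values mismatch" error.
key_matches_cert() {   # key_matches_cert <bundle.crt> <server.key>
  [ "$(openssl x509 -in "$1" -noout -modulus)" = "$(openssl rsa -in "$2" -noout -modulus)" ]
}

# Validate the chain the way a browser would: the leaf must chain, through the
# untrusted intermediates in the bundle, up to a root in the trust store.
chain_ok() {   # chain_ok <bundle.crt> <trusted-root.crt>
  openssl verify -CAfile "$2" -untrusted "$1" "$1" >/dev/null 2>&1
}

# Parses the Nginx config (including the certificate files) without starting it.
nginx_config_ok() {
  nginx -t
}
```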

Congratulations! You’ve successfully installed your SSL certificate! To check your work, visit the website in your browser at https://yourdomain.tld and view the certificate/site information to see if HTTPS/SSL is working properly. Remember, you may need to restart your server for changes to take effect.

To check your server’s configurations more thoroughly, use our SSL Checker Tool or contact our Customer Experience Department for additional assistance.