HTTPS is pretty much the preferred protocol over bare HTTP nowadays, and it has become very affordable: a basic certificate for one sub-domain can be had for as low as $9 a year. However, getting and using one sometimes feels like overkill, although it is rather simple. Yeah, I keep forgetting, since I don't really have to do it frequently.

Where you purchase the SSL certificate is up to you; I pick Namecheap. I don't have any reason for it, but they are as reliable as it could be. GoDaddy, to me, is okay; they tend to have lower renewal costs for domains too. Back to the SSL certificate: you need to generate a CSR (Certificate Signing Request) to ask for one. I'm using OpenSSL.

# openssl req -nodes -newkey rsa:2048 -keyout mywhatever.key -out whatever.csr

A series of questions will be asked:

Country Name (2 letter code) [AU]: US
State or Province Name (full name) [Some-State]: NH
Locality Name (eg, city) []: Atkinson
Organization Name (eg, company) [Internet Widgits Pty Ltd]: 10ninox Ltd
Organizational Unit Name (eg, section) []: 
Common Name (eg, YOUR name) []:
Email Address []:

A challenge password []: 
An optional company name []:

Some fields can be left blank, but you will probably want to answer all of them for your own credentials. The thing is, you should leave the challenge password empty; otherwise, you will have to type it every time your Nginx reloads or restarts. You then get two files: mywhatever.key and whatever.csr.

Back at Namecheap, issue your SSL certificate, then paste the content of whatever.csr into the form. Wait for the verification step via email. Then you will get the certificate files by mail. The whole process should take less than 10-15 minutes as far as my experience goes.

Now you have to extract them; there are several files, something like:

  • 10ninox_com.crt
  • PositiveSSLCA2.crt
  • AddTrustExternalCARoot.crt

Merge those files into one, 10ninox-ssl-bundle.csr or whatever name you want.

$ cat 10ninox_com.crt PositiveSSLCA2.crt AddTrustExternalCARoot.crt > 10ninox-ssl-bundle.csr

Then copy the bundle file and the mywhatever.key we got earlier to a directory on your server; the location is up to you. There is no restriction whatsoever. The last step is to set up Nginx so it knows where the SSL certificate is, in the Nginx virtual host file (likely to be under /etc/nginx/sites-available/ on Debian).

This is an example of how to configure one:

server {
    listen 443;

    ssl on;
    ssl_certificate /opt/projects/10ninox/ssl/10ninox-ssl-bundle.csr;
    ssl_certificate_key /opt/projects/10ninox/ssl/mywhatever.key;
    ssl_protocols SSLv3 TLSv1;
    ssl_ciphers ALL:!aNULL:!ADH:!eNULL:!LOW:!EXP:RC4+RSA:+HIGH:+MEDIUM;
}

Optional lines:

  • ssl_ciphers ALL:!aNULL:!ADH:!eNULL:!LOW:!EXP:RC4+RSA:+HIGH:+MEDIUM; disables all weak ciphers.
  • ssl_protocols SSLv3 TLSv1; enables SSLv3/TLSv1, but not SSLv2, which is weak and should no longer be used.
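
The protocol and cipher lines above predate the deprecation of SSLv3 and RC4. As an added example (not part of the original post), here is the same server block with the original weak settings kept in comments beside a current equivalent; the file paths are the ones used on this page, and the cipher list is an assumption based on commonly recommended forward-secret AEAD suites.

```nginx
server {
    # "listen ... ssl" replaces the separate "ssl on;" directive,
    # which newer nginx releases deprecate.
    listen 443 ssl;

    # Same bundle and key files as in the example above.
    ssl_certificate     /opt/projects/10ninox/ssl/10ninox-ssl-bundle.csr;
    ssl_certificate_key /opt/projects/10ninox/ssl/mywhatever.key;

    # Weak settings from the original example, kept for comparison:
    #   ssl_protocols SSLv3 TLSv1;
    #   ssl_ciphers ALL:!aNULL:!ADH:!eNULL:!LOW:!EXP:RC4+RSA:+HIGH:+MEDIUM;
    # SSLv3 is deprecated by RFC 7568 and RC4 suites are prohibited by RFC 7465.

    # Corrected: TLS 1.2 and 1.3 only.
    # TLSv1.3 needs nginx 1.13.0+ built against OpenSSL 1.1.1+;
    # drop it from the list on older builds.
    ssl_protocols TLSv1.2 TLSv1.3;

    # Applies to TLS 1.2 and below: ECDHE key exchange (forward secrecy)
    # with AEAD ciphers only. TLS 1.3 suites come from the OpenSSL defaults.
    ssl_ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305;

    # Every suite listed is strong, so the client may pick its preferred one.
    ssl_prefer_server_ciphers off;
}
```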

It’s better to test it first with

# service nginx configtest

If it passes,

# service nginx restart