Today I decided to switch over my website to https mode and acquire a signed certificate for my website. I took the Comodo CA option and have gone for a free 30 day trial period. If things go smooth I might go ahead and purchase the certificate plan. I also learnt about three standardised different levels of validations plans from Cerificate Authorities i.e.
- Domain Validation : These types of certificate validations provide ssl encryption and certificate authority validates the ownership of the domain against the email address using whois record for the domain. This is the cheapest kind and the one I am using for this website at the moment. If you are committing financial transactions on your site its better to atleast get a OV certificate, which I explain next.
- Organisation Validation : These kind of certificate validations involve more extensive checks including in-person checks of your organisation’s details before a certificate is issued for your website. these are more secure.
- Extended Validation Certificates : These kind of certificates are issued after extremely intensive checks on your organisations. these are the most reliable certificates you can get. If your site uses this kind of certificate, it will get the elusive green bar in the address bar of your browser with your company name mentioned alongside. like all the bank websites get.
Installing the certificate is quiet easy.
First test that things work with ssl on your nginx server.
First of all create directory to hold the key and certs:
create a key and unsigned certificate file for yourself:
sudo openssl req -x509 -nodes -days 365 -newkey rsa:2048 -keyout /etc/nginx/ssl/example.com.key -out /etc/nginx/ssl/example.com.crt
Your original nginx conf file probably looks like this:
put these lines in your nginx virtualhost configuration file:
listen 443 ssl;
When you login to your website using the https url after this the unsigned cert will cause it to through a certificate validation error.
In the next steps we must create a certificate signing request(csr) of a .csr file. Certificate Authority will only ask for your csr file to create your new certificate, so lets create the .csr file next.
openssl x509 \
-in example.com.crt \
-signkey example.com.key \
-x509toreq -out example.com.csr
This will create the certificate Signing request for your domain. Upload it to the CA, pay the fees and they will come back with a certificate of their own. Replace /etc/nginx/ssl/example.com.crt with the file provided by the CA. Thats it!! congratulations, you now have a https site that doesn’t throw the annoying certificate error message!