OpenSSL is a software library that applications use to secure communications over computer networks, protecting against eavesdropping and letting each side identify the party at the other end. It is widely used by Internet servers, including the majority of HTTPS websites.

Prerequisites

Make sure that you have met the following prerequisites before continuing with this tutorial:

  • You have a domain name pointing to your public server IP. In this tutorial, we will use example.com.
  • You have enabled the EPEL repository and installed Nginx by following How To Install Nginx on CentOS 7.

Install OpenSSL

Upgrade the system:

yum -y update

Install required packages:

yum install -y make gcc perl-core pcre-devel wget zlib-devel

Download the OpenSSL source code (this tutorial uses 1.1.1k; check the OpenSSL download page for a currently supported release):

wget https://ftp.openssl.org/source/openssl-1.1.1k.tar.gz

Configure, build and install OpenSSL

Uncompress the source file:

tar -xzvf openssl-1.1.1k.tar.gz

Change to the OpenSSL directory:

cd openssl-1.1.1k

Configure the package for compilation:

./config --prefix=/usr --openssldir=/etc/ssl --libdir=lib no-shared zlib-dynamic

Compile package:

sudo make

Test compiled package:

sudo make test

Install compiled package:

sudo make install

Export library path

Create environment variable file:

vim /etc/profile.d/openssl.sh

Add the following content (note: with the configure options used above, --prefix=/usr --libdir=lib and no-shared, the libraries are installed as static archives under /usr/lib, so this path only matters if you built with the default /usr/local prefix and shared libraries):

export LD_LIBRARY_PATH=/usr/local/lib:/usr/local/lib64

Load the environment variable:

source /etc/profile.d/openssl.sh

Verify the OpenSSL version

openssl version

The output should report OpenSSL 1.1.1k. Because --prefix=/usr writes over the distribution's /usr/bin/openssl, a later yum update of the openssl package can replace that binary again; re-check the version after system updates.

Creating the SSL Certificate

TLS/SSL works with a combination of a public certificate and a private key. The private key is kept secret on the server and is used to prove the server's identity during the handshake. The certificate, which contains the matching public key, is shared with every client that connects. Clients use it to verify signatures made with the associated private key.

You can create a self-signed key and certificate pair with OpenSSL in a single command (-nodes leaves the private key unencrypted so that Nginx can read it at startup, so keep the key file readable only by root):

sudo openssl req -x509 -nodes -days 365 -newkey rsa:2048 -keyout /etc/ssl/private/nginx-selfsigned.key -out /etc/ssl/certs/nginx-selfsigned.crt

Output:

Country Name (2 letter code) [AU]:IN
State or Province Name (full name) [Some-State]:Gujarat
Locality Name (eg, city) []:Ahmedabad
Organization Name (eg, company) [Internet Widgits Pty Ltd]:Youngster Company
Organizational Unit Name (eg, section) []:Information Technology
Common Name (e.g. server FQDN or YOUR name) []:server_IP_address
Email Address []:admin@your_domain.com

Both of the files you created will be placed in the appropriate subdirectories of the /etc/ssl directory.

While using OpenSSL, you should also create a strong Diffie-Hellman (DH) group, which is used for the DHE key exchange that gives connections with clients forward secrecy.

You can do this by typing (generating a 4096-bit group can take many minutes):

sudo openssl dhparam -out /etc/nginx/dhparam.pem 4096
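Before pointing Nginx at the files, it is worth checking that the certificate really belongs to the private key and is within its validity window. The following shell functions are an added example, not part of the original tutorial; they use only the openssl command-line tool and assume the file paths created above.

```shell
#!/bin/sh
# Added example (not from the original tutorial): sanity checks for the
# self-signed pair created with "openssl req -x509 ... -keyout ... -out ...".
set -u

# Print the SHA-256 fingerprint of the public key embedded in a certificate.
cert_pubkey_fp() {
    openssl x509 -in "$1" -noout -pubkey \
        | openssl pkey -pubin -outform DER \
        | openssl dgst -sha256 | awk '{print $NF}'
}

# Print the SHA-256 fingerprint of the public key derived from a private key.
key_pubkey_fp() {
    openssl pkey -in "$1" -pubout -outform DER \
        | openssl dgst -sha256 | awk '{print $NF}'
}

# Return 0 when the certificate was issued for this private key, 1 otherwise.
# Nginx refuses to start with "key values mismatch" when they do not agree.
cert_matches_key() {
    [ "$(cert_pubkey_fp "$1")" = "$(key_pubkey_fp "$2")" ]
}

# Return 0 when the certificate remains valid for at least $2 more seconds
# (e.g. 86400 for one day), 1 if it expires before then.
cert_valid_for() {
    openssl x509 -in "$1" -noout -checkend "$2" >/dev/null
}

# Show what a browser will display: subject, issuer (identical for a
# self-signed certificate) and the validity dates.
cert_summary() {
    openssl x509 -in "$1" -noout -subject -issuer -dates
}

# Usage with the tutorial's paths (needs read access to the key, i.e. root):
# cert_matches_key /etc/ssl/certs/nginx-selfsigned.crt \
#     /etc/ssl/private/nginx-selfsigned.key && echo "key and certificate match"
```

The functions exit non-zero on a mismatch or an expiring certificate, so they can be dropped into a pre-deploy check script.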

2. Configuring Nginx to Use SSL

Create a new configuration file for your domain:

sudo vim /etc/nginx/conf.d/mydomain.com.conf

Add the following lines inside the file:

server {
        listen 80;
        listen [::]:80;

        root /var/www/your_domain/html;
        index index.html index.htm index.nginx-debian.html;

        server_name your_domain www.your_domain;

        location / {
                try_files $uri $uri/ =404;
        }
}

server {
        listen 443 ssl;
        listen [::]:443 ssl;
        server_name your_domain www.your_domain;

        # The self-signed pair and the DH group generated above
        ssl_certificate /etc/ssl/certs/nginx-selfsigned.crt;
        ssl_certificate_key /etc/ssl/private/nginx-selfsigned.key;
        ssl_dhparam /etc/nginx/dhparam.pem;

        root /var/www/your_domain/html;
        index index.html index.htm index.nginx-debian.html;

        location / {
                try_files $uri $uri/ =404;
        }
}

3. Enabling the Changes in Nginx

With the configuration changes complete (and port 443/tcp open in your firewall, which this tutorial does not cover), you can restart Nginx to apply them.

First, check that there are no syntax errors in the files:

sudo nginx -t

If everything is successful, you will get a result that says the following:

Output
nginx: the configuration file /etc/nginx/nginx.conf syntax is ok
nginx: configuration file /etc/nginx/nginx.conf test is successful

Restart the service:

sudo systemctl restart nginx

4. Testing Encryption

Now, you’re ready to test your SSL server.

Open your web browser and type https:// followed by your server's domain name or IP into the address bar. Because the certificate is self-signed, the browser will show a warning that the certificate is not trusted; this is expected, and the connection is still encrypted.

https://server_domain_or_IP

Conclusion

Congratulations, you have successfully built OpenSSL from source and configured Nginx with a self-signed SSL certificate on your CentOS 7 server.
