OpenSSL is a software library for applications that secure communications over computer networks against eavesdropping and that need to identify the party at the other end. It is widely used by Internet servers, including the majority of HTTPS websites.
Prerequisites
Make sure that you have met the following prerequisites before continuing with this tutorial:
- You have a domain name pointing to your public server IP. In this tutorial, we will use example.com.
- You have enabled the EPEL repository and installed Nginx by following How To Install Nginx on CentOS 7.
Install OpenSSL:
Upgrade the system:
yum -y update
Install required packages:
yum install -y make gcc perl-core pcre-devel wget zlib-devel
Download the latest version of the OpenSSL source code:
wget https://ftp.openssl.org/source/openssl-1.1.1k.tar.gz
Configure, build and install OpenSSL
Uncompress the source file:
tar -xzvf openssl-1.1.1k.tar.gz
Change to the OpenSSL directory:
cd openssl-1.1.1k
Configure the package for compilation:
./config --prefix=/usr --openssldir=/etc/ssl --libdir=lib no-shared zlib-dynamic
Compile the package:
sudo make
Test the compiled package:
sudo make test
Install the compiled package:
sudo make install
Export library path
Create environment variable file:
vim /etc/profile.d/openssl.sh
Add the following content:
export LD_LIBRARY_PATH=/usr/local/lib:/usr/local/lib64
Load the environment variable:
source /etc/profile.d/openssl.sh
Verify the OpenSSL version
openssl version
Creating the SSL Certificate
TLS/SSL works through a combination of a public certificate and a private key. The SSL key is kept secret on the server and encrypts content sent to clients. The SSL certificate is shared publicly with anyone requesting the content. It can be used to decrypt the content signed by the associated SSL key.
You can create a self-signed key and certificate pair with OpenSSL in a single command:
sudo openssl req -x509 -nodes -days 365 -newkey rsa:2048 -keyout /etc/ssl/private/nginx-selfsigned.key -out /etc/ssl/certs/nginx-selfsigned.crt
Output:
Country Name (2 letter code) [AU]:IN
State or Province Name (full name) [Some-State]:Gujarat
Locality Name (eg, city) []:Ahmedabad
Organization Name (eg, company) [Internet Widgits Pty Ltd]:Youngster Company
Organizational Unit Name (eg, section) []:Information Technology
Common Name (e.g. server FQDN or YOUR name) []:server_IP_address
Email Address []:admin@your_domain.com
Both of the files you created will be placed in the appropriate subdirectories of the /etc/ssl directory.
While using OpenSSL, you should also create a strong Diffie-Hellman (DH) group, which is used in negotiating Perfect Forward Secrecy with clients.
You can do this by typing:
sudo openssl dhparam -out /etc/nginx/dhparam.pem 4096
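Before pointing Nginx at the files created above, it is worth confirming that the key is not world-readable, that the certificate actually belongs to that key, and that it is not about to expire. The following check script is an added example, not part of the original tutorial; it takes the certificate and key paths as arguments (for this tutorial: /etc/ssl/certs/nginx-selfsigned.crt and /etc/ssl/private/nginx-selfsigned.key) and assumes the openssl binary is on PATH.

```shell
#!/bin/sh
# Added example, not part of the original tutorial: sanity-check a certificate
# and private key before Nginx is configured to use them. Written around the
# tutorial's setup (RSA key, one-year self-signed certificate) but it works
# for any key type because it compares public keys rather than RSA moduli.
# Usage: check_tls_pair CERT KEY [MIN_DAYS]   (MIN_DAYS defaults to 30)
# Exit status 0 when every check passes, 1 otherwise; each failure is printed.
check_tls_pair() {
  cert="$1"; key="$2"; min_days="${3:-30}"; rc=0
  [ -r "$cert" ] || { echo "FAIL: cannot read certificate: $cert"; return 1; }
  [ -r "$key" ]  || { echo "FAIL: cannot read private key: $key"; return 1; }

  # 1. The private key must not be readable by group or others (0600 or 0400).
  mode=$(stat -c '%a' "$key" 2>/dev/null || stat -f '%Lp' "$key")
  case "$mode" in
    *00) ;;
    *) echo "FAIL: private key mode is $mode; expected 600 or 400"; rc=1 ;;
  esac

  # 2. The certificate must carry the public half of this private key.
  cert_pub=$(openssl x509 -in "$cert" -noout -pubkey 2>/dev/null) \
    || { echo "FAIL: cannot parse certificate: $cert"; return 1; }
  key_pub=$(openssl pkey -in "$key" -pubout 2>/dev/null) \
    || { echo "FAIL: cannot parse private key: $key"; return 1; }
  if [ "$cert_pub" != "$key_pub" ]; then
    echo "FAIL: certificate and private key do not match"; rc=1
  fi

  # 3. The certificate must stay valid for at least MIN_DAYS more days.
  if ! openssl x509 -in "$cert" -noout -checkend $((min_days * 86400)) >/dev/null; then
    echo "FAIL: certificate expires within $min_days days"; rc=1
  fi

  [ "$rc" -eq 0 ] && echo "OK: $(openssl x509 -in "$cert" -noout -subject)"
  return "$rc"
}
```

Run it as root so it can read /etc/ssl/private, and re-run it whenever the certificate is renewed.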
2. Configuring Nginx to Use SSL
Create a new configuration file for your Domain:
sudo vim /etc/nginx/conf.d/mydomain.com.conf
Add the following lines inside the file:
# Plain HTTP on port 80
server {
    listen 80;
    listen [::]:80;

    root /var/www/your_domain/html;
    index index.html index.htm index.nginx-debian.html;

    server_name your_domain.com www.your_domain.com;

    location / {
        try_files $uri $uri/ =404;
    }
}

# HTTPS on port 443, using the self-signed certificate, key and DH group created above
server {
    listen 443 ssl;
    listen [::]:443 ssl;

    server_name your_domain.com www.your_domain.com;

    ssl_certificate /etc/ssl/certs/nginx-selfsigned.crt;
    ssl_certificate_key /etc/ssl/private/nginx-selfsigned.key;
    ssl_dhparam /etc/nginx/dhparam.pem;

    root /var/www/your_domain/html;
    index index.html index.htm index.nginx-debian.html;

    location / {
        try_files $uri $uri/ =404;
    }
}
3. Enabling the Changes in Nginx
With the configuration changes complete (and any firewall adjustments made), you can restart Nginx to apply them.
First, check that there are no syntax errors in the files. You can do this by typing:
sudo nginx -t
If everything is successful, you will get a result that says the following:
nginx: the configuration file /etc/nginx/nginx.conf syntax is ok
nginx: configuration file /etc/nginx/nginx.conf test is successful
Restart the service:
sudo systemctl restart nginx
4. Testing Encryption
Now, you’re ready to test your SSL server.
Open your web browser and type https:// followed by your server’s domain name or IP into the address bar:
https://server_domain_or_IP
Conclusion
Congratulations, you have successfully installed the SSL Certificate on your CentOS 7 server.