to our existing vhost. For nginx < 0.8.21 we must add the word default to the listen directives whenever you specify additional options like ssl or ipv6only=on. The word default can be used only in one vhost, so when you create further SSL vhosts, you must leave it out and therefore also the additional options (as I understand it, they will be inherited from the vhost that uses the word default).
so that the right rewrite is done depending on the scheme you use (http or https).
Reload nginx afterwards:
The SSL vhost will now use your new private key and self-signed certificate for encryption (but because it is a self-signed certificate, you will get a browser warning when you access https://www.hostmauritius.com):
Of course, it's also possible to create a new SSL vhost instead of adding SSL directives to the existing http vhost. I am going to show two possible configurations here:
I have left the http vhost untouched and added an SSL vhost with the same configuration, except for the SSL part. Instead of adding ssl to the listen line, I use ssl on; here. For nginx < 0.8.21, I have to use listen [::]:443 default ipv6only=on; instead of listen [::]:443 ipv6only=on;.
Instead of using ssl on;, I add the word ssl to the listen lines. Because of this option in the listen lines, you must add the word default for nginx < 0.8.21.
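To make the two variants concrete, here is an added example of a separate SSL vhost (this is not configuration from the original tutorial). The first server block uses the listen-parameter form, the second the ssl on; form; the extra line needed for nginx < 0.8.21 is shown as a comment in each. Use one variant or the other, not both, since two server blocks with the same listen address and server_name conflict. The document root and the certificate paths under /etc/ssl are assumptions for illustration, and the IPv4 listen line is my addition so that the vhost is reachable over IPv4 as well as IPv6 (ipv6only=on makes the [::] socket IPv6-only). Note that later nginx releases spell the default keyword default_server and have deprecated ssl on; in favour of the listen parameter.

```nginx
# Variant 1: "ssl" as a parameter of the listen directive
server {
    listen 443 ssl;
    listen [::]:443 ssl ipv6only=on;
    # nginx < 0.8.21: a listen line that carries extra parameters needs the
    # word default, and only one vhost may use it:
    #   listen [::]:443 default ssl ipv6only=on;
    server_name www.hostmauritius.com;

    ssl_certificate     /etc/ssl/certs/www.hostmauritius.com.pem;
    ssl_certificate_key /etc/ssl/private/www.hostmauritius.com.key;

    root  /var/www/www.hostmauritius.com/web;   # assumed document root
    index index.html;
}

# Variant 2: plain listen lines plus "ssl on;"
server {
    listen 443;
    listen [::]:443 ipv6only=on;
    # nginx < 0.8.21:
    #   listen [::]:443 default ipv6only=on;
    server_name www.hostmauritius.com;

    ssl on;
    ssl_certificate     /etc/ssl/certs/www.hostmauritius.com.pem;
    ssl_certificate_key /etc/ssl/private/www.hostmauritius.com.key;

    root  /var/www/www.hostmauritius.com/web;   # assumed document root
    index index.html;
}
```

After editing, check the syntax with nginx -t before reloading; a mistake in the listen line (for example default on a second vhost) is reported there rather than at request time.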
6 Creating A Certificate Signing Request (CSR)
To request a trusted certificate from a trusted CA such as Verisign, Thawte or Comodo, we must generate a certificate signing request (CSR) from our private key and send it to the CA, which then issues a trusted certificate that we install in place of our self-signed one.
I will create the CSR in the directory /etc/ssl/csr, so we have to create it first:
Now we can create the CSR /etc/ssl/csr/www.hostmauritius.com.csr from our private key /etc/ssl/private/www.hostmauritius.com.key as follows:
You will be asked a few questions. Please fill in your details; they will be used for creating the trusted certificate and can be seen by your visitors when they choose to view the details of your certificate in their browsers. The most important field is the Common Name - this must be the domain or hostname of your SSL vhost (www.hostmauritius.com in this case)!
root@server1:~# openssl req -new -key /etc/ssl/private/www.hostmauritius.com.key -out /etc/ssl/csr/www.hostmauritius.com.csr
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
Country Name (2 letter code) [AU]:<-- DE
State or Province Name (full name) [Some-State]:<-- Lower Saxony
Locality Name (eg, city) :<-- Lueneburg
Organization Name (eg, company) [Internet Widgits Pty Ltd]:<-- Example Ltd
Organizational Unit Name (eg, section) :<-- IT
Common Name (eg, YOUR name) :<-- www.hostmauritius.com
Email Address :<-- email@example.com
Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password :<-- ENTER
An optional company name :<-- ENTER
root@server1:~#
Afterwards, you should have a CSR in /etc/ssl/csr/www.hostmauritius.com.csr, e.g. as follows:
To get a trusted certificate, you have to take your certificate signing request (CSR) to a certificate authority (CA) such as Verisign, Thawte, or Comodo (please note that you have to pay for a trusted certificate). Certificates issued by such a CA are trusted by all browsers which means you won't see any browser warnings anymore.
CAcert.org allows you to get free certificates, but the downside is that such certificates are trusted by only a few browsers (which means you will get browser warnings). Anyway, I will use CAcert.org here to show you how to get a certificate from a CA - it should give you the idea, the procedure is the same with the trusted CAs.
Go to CAcert.org and open an account. Afterwards, go to Domains to add your own domain(s) (without a hostname, so if you want to get a certificate for www.hostmauritius.com, you just enter hostmauritius.com without www here). The service will send an email with a link to an email address that it finds in the WHOIS data of the domain - you have to click on that link to verify that you are the owner of the domain. I've verified three domains here:
To get a certificate, go to Server Certificates > New...
... and scroll down to the big text area - this is where you paste your CSR that you've created in chapter 6. Click on Submit afterwards:
Click on Submit again on the next page:
After a few moments, you will see your new certificate:
Now create a backup of your self-signed certificate...
That's it. If your CA doesn't ask you to install a certificate chain file or intermediate certificate in nginx, you're done, and you can now access your SSL vhost (https://www.hostmauritius.com in this case) without a browser warning. (If you use a CAcert.org certificate, you will still see a browser warning because most browsers don't know this CA; read chapter 8 to learn how to make your browser trust CAcert.org certificates.)
To manage your existing certificates on the CAcert.org web site, go to Server Certificates > View:
7.1 Certificate Chain Files Or Intermediate Certificates
Some CAs require that you install a certificate chain file or intermediate certificate in nginx in addition to the certificate you installed in chapter 7. (Please note that CAcert.org does not require this!)
Because nginx does not have a special configuration directive for chain files or intermediate certificates (unlike Apache, which has the SSLCertificateChainFile directive), we simply append the chain file to our certificate. Let's assume you have downloaded the chain file to /etc/ssl/certs/CAcert_chain.pem. You can now append it to the certificate /etc/ssl/certs/www.hostmauritius.com.pem as follows:
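The following script is an added example and not part of the original tutorial; it walks through chapter 6 (private key and CSR) and this chapter (appending the chain file) end to end, so you can see both steps working before touching /etc/ssl. It runs in a temporary directory, answers the openssl prompts non-interactively with -subj using the same sample values as the session above, and uses a constructed self-signed "Example Intermediate CA" as a stand-in for the real CA that would sign your CSR. It then appends the chain file the way the tutorial does and checks what nginx will actually read: how many certificates the bundle contains, that the server certificate is the first one (nginx takes the first certificate in ssl_certificate as the server certificate, so the chain must come after it), and who issued it. All file names are assumptions for the example.

```shell
#!/bin/sh
# Added example, not part of the original tutorial.  Chapter 6 (key + CSR) and
# chapter 7.1 (appending a chain file) in a scratch directory instead of
# /etc/ssl, with a constructed "intermediate CA" standing in for the real CA.
set -eu

# Nothing below works without the openssl binary.
command -v openssl >/dev/null 2>&1 || { echo "openssl not installed" >&2; exit 0; }

HOST="www.hostmauritius.com"
WORK="$(mktemp -d)"
trap 'rm -rf "$WORK"' EXIT

# Chapter 6: private key and CSR.  -subj replaces the interactive prompts;
# the Common Name must be the vhost hostname (constructed sample values).
make_csr() {              # make_csr KEY CSR HOSTNAME
    openssl genrsa -out "$1" 2048 2>/dev/null
    chmod 600 "$1"        # private keys belong in a mode-600 file
    openssl req -new -key "$1" -out "$2" \
        -subj "/C=DE/ST=Lower Saxony/L=Lueneburg/O=Example Ltd/OU=IT/CN=$3/emailAddress=email@example.com"
}

# CN field of a subject/issuer line, in both the old "/CN=..." and the newer
# "CN = ..." output styles of openssl.
extract_cn()      { sed 's/.*CN *= *\([^,/]*\).*/\1/'; }
csr_common_name() { openssl req  -noout -subject -in "$1" | extract_cn; }
cert_issuer_cn()  { openssl x509 -noout -issuer  -in "$1" | extract_cn; }
# openssl x509 reads only the first PEM block, so this reports the certificate
# nginx will present as the server certificate.
bundle_first_cn() { openssl x509 -noout -subject -in "$1" | extract_cn; }
cert_count()      { grep -c 'BEGIN CERTIFICATE' "$1"; }

# Constructed stand-in for the CA: a self-signed intermediate that signs our CSR.
make_ca()  { openssl req -x509 -newkey rsa:2048 -nodes -days 1 -keyout "$1" -out "$2" \
                 -subj "/O=Example CA/CN=Example Intermediate CA" 2>/dev/null; }
sign_csr() { openssl x509 -req -in "$1" -CA "$2" -CAkey "$3" -CAcreateserial -days 1 \
                 -out "$4" 2>/dev/null; }

# Chapter 7.1: nginx has no SSLCertificateChainFile, so the chain goes into the
# same file as the server certificate, AFTER it.  A missing final newline would
# glue the two PEM blocks together, so add one if needed.
append_chain() {          # append_chain SERVER_CERT CHAIN_FILE
    [ -z "$(tail -c1 "$1")" ] || echo >> "$1"
    cat "$2" >> "$1"
}

KEY="$WORK/$HOST.key"; CSR="$WORK/$HOST.csr"; CERT="$WORK/$HOST.pem"
CAKEY="$WORK/ca.key";  CHAIN="$WORK/CAcert_chain.pem"

make_csr "$KEY" "$CSR" "$HOST"
echo "CSR common name: $(csr_common_name "$CSR")"       # www.hostmauritius.com
make_ca "$CAKEY" "$CHAIN"
sign_csr "$CSR" "$CHAIN" "$CAKEY" "$CERT"
cp "$CERT" "$CERT.bak"                                    # back up the bare certificate first
append_chain "$CERT" "$CHAIN"
echo "bundle: $(cert_count "$CERT") certificates, first is $(bundle_first_cn "$CERT")"
echo "issued by: $(cert_issuer_cn "$CERT")"
```

If bundle_first_cn ever reports the CA's name instead of your hostname, the files were concatenated in the wrong order and nginx would serve the intermediate as the server certificate; restore the backup and append again.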