Create SSL Certificate

Important

These instructions relate to manually obtained SSL certificates. To use Let's Encrypt certificates, see Obtain and configure ssl certificate on nginx with letsencrypt

To install an SSL certificate, see Install SSL Certificate

Note

To validate the domain name, you will need to receive an email at an address on that domain. If you are not using Google Mail, set up Mailgun by following the instructions in Mailgun

We use two companies for SSL certificates, SSLs.com and StartSSL. The certificates from StartSSL are free, but the web site is complicated to use.

Create a folder for the domain within the ssl-cert folder (see Site - Configuration) and run the following commands in that folder.

SSLs.com

Warning

When using ssls.com the Common Name must include the www i.e. www.hatherleigh.info rather than hatherleigh.info.

Generate your certificate request and private key:

openssl req -new -newkey rsa:2048 -nodes -keyout server.key -out server.csr

Generating a 2048 bit RSA private key
..................+++
.........................................+++
writing new private key to 'server.key'
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [AU]:GB
State or Province Name (full name) [Some-State]:Devon
Locality Name (eg, city) []:Okehampton
Organization Name (eg, company) [Internet Widgits Pty Ltd]:www.hatherleigh.info
Organizational Unit Name (eg, section) []:
Common Name (e.g. server FQDN or YOUR name) []:www.hatherleigh.info
Email Address []:

Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:
An optional company name []:

Note

Country code for the UK is GB

Note

Do not enter the email address, challenge password or optional company name; just press Enter to leave each of them blank.

This process generates two files: server.csr (the certificate request) and server.key (the private key). Because of -nodes the private key is written unencrypted, so keep it readable only by root (chmod 600 server.key) and never send it to the certificate vendor; only server.csr is submitted.

Use the certificate request (server.csr) file to request a certificate from https://www.ssls.com/

Confirm Domain ownership by receiving an email - choose webmaster@hatherleigh.info

When the certificate is approved, you will be sent an email containing a couple of certificates.

Copy the Web Server CERTIFICATE into a file called ssl.crt. The certificate is the text starting with -----BEGIN CERTIFICATE----- and ending with -----END CERTIFICATE-----.

Copy the INTERMEDIATE CA into a file called intermediate.crt. The certificate is the text starting with -----BEGIN CERTIFICATE----- and ending with -----END CERTIFICATE-----.

Concatenate the two certificates, server certificate first, then the intermediate (nginx expects the chain in this order), to create a unified certificate. Make sure ssl.crt ends with a newline, otherwise the two PEM blocks run together (see Issues below):

cat ssl.crt intermediate.crt > ssl-unified.crt

StartSSL

Note

The certificate request is generated in the same way as for https://www.ssls.com/; see the section above for instructions on generating it.

Using https://www.startssl.com/, enter the Validations Wizard and choose Domain Validation, enter the Domain Name, select a Verification Email and then enter the verification code sent to the selected email address.

Enter the Certificates Wizard, select Web Server SSL/TLS Certificate, then click Continue.

Add both example.net and www.example.net to the top box:

_images/startSSL_cert_wizard_view.png

Paste the contents of server.csr into the bottom box. The request is the whole file starting with -----BEGIN CERTIFICATE REQUEST----- and ending with -----END CERTIFICATE REQUEST-----.

Click Submit, then Certificate List, then click Retrieve for the appropriate common name (example.net).

Extract NginxServer.zip from the downloaded file into the ssl-cert folder.

Extract 1_example.net_bundle.crt from the NginxServer.zip and rename it ssl-unified.crt

Install

To copy the certificate to the server, refer to the Install SSL Certificate notes…

Verify

To make sure your certificate matches the private key (and the request it was issued for), print the RSA modulus of each; all three commands must print the same value:

openssl x509 -noout -modulus -in ssl.crt
openssl req -noout -modulus -in server.csr
openssl rsa -noout -modulus -in server.key
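The CSR generation above and the Verify check can be scripted so that the key is never created world-readable and the match is checked before the request is uploaded. The following is an added example written for this page, not a script from the original page; the domain and subject fields are the illustrative values used above, the key/CSR/certificate comparison is done on the SHA-256 of the public key rather than the RSA modulus (so it also works for non-RSA keys), and it assumes OpenSSL 1.1.1 or later for `-addext`.

```shell
#!/bin/sh
# Added example, not from the original page: generate the private key and CSR
# non-interactively, covering both the www and bare hostname with a
# subjectAltName, then confirm that key, CSR and issued certificate carry the
# same public key. Domain and subject fields are the page's illustrative
# values; "-addext" needs OpenSSL 1.1.1 or later (an assumption).
set -eu

# gen_key_csr DIR CN [EXTRA_DNS...]
# Writes DIR/server.key and DIR/server.csr. The key is unencrypted (-nodes),
# as on the page, so it is created under umask 077 and is never world-readable.
gen_key_csr() {
  dir=$1; cn=$2; shift 2
  san="DNS:$cn"
  for alt in "$@"; do san="$san,DNS:$alt"; done
  mkdir -p "$dir"
  (
    umask 077
    openssl req -new -newkey rsa:2048 -nodes \
      -keyout "$dir/server.key" -out "$dir/server.csr" \
      -subj "/C=GB/ST=Devon/L=Okehampton/O=$cn/CN=$cn" \
      -addext "subjectAltName=$san" 2>/dev/null
  )
}

# pubkey_pem FILE: print the public key (PEM) held in a private key, CSR or
# certificate, chosen by the file's first PEM header line.
pubkey_pem() {
  case "$(head -n 1 "$1")" in
    *"PRIVATE KEY"*)         openssl pkey -in "$1" -pubout ;;
    *"CERTIFICATE REQUEST"*) openssl req -in "$1" -pubkey -noout ;;
    *"BEGIN CERTIFICATE-----"*) openssl x509 -in "$1" -pubkey -noout ;;
    *) echo "unrecognised PEM file: $1" >&2; return 1 ;;
  esac
}

# pubkey_fingerprint FILE: SHA-256 over the DER public key, so any key type
# can be compared (the page's "-modulus" comparison is RSA-only).
pubkey_fingerprint() {
  pem=$(pubkey_pem "$1") || return 1
  printf '%s\n' "$pem" | openssl pkey -pubin -outform DER \
    | openssl dgst -sha256 | awk '{print $NF}'
}

# keys_match REF FILE...: succeed only if every FILE has REF's public key.
keys_match() {
  ref=$(pubkey_fingerprint "$1"); shift
  for f in "$@"; do
    [ "$(pubkey_fingerprint "$f")" = "$ref" ] \
      || { echo "public key mismatch: $f" >&2; return 1; }
  done
}

# Usage (run with RUN_DEMO=1): create the request for the page's domain and
# check that server.key and server.csr belong together before uploading the CSR.
# Once ssl.crt arrives, add it as a third argument to keys_match.
if [ "${RUN_DEMO:-0}" = 1 ]; then
  d=ssl-cert/www.hatherleigh.info
  gen_key_csr "$d" www.hatherleigh.info hatherleigh.info
  keys_match "$d/server.key" "$d/server.csr"
  openssl req -in "$d/server.csr" -noout -text | grep -A1 'Subject Alternative Name'
fi
```

The subjectAltName covers both www.hatherleigh.info and hatherleigh.info so that whichever name the vendor uses as the Common Name, the bare domain is still valid in browsers, which ignore the Common Name when a subjectAltName is present.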

Issues

The nginx log showed:

Starting nginx:
nginx: [emerg] SSL_CTX_use_certificate_chain_file("/srv/ssl/www.hatherleigh.info/ssl-unified.crt")
failed (SSL: error:0906D066:PEM
routines:PEM_read_bio:bad end line error:140DC009:SSL
routines:SSL_CTX_use_certificate_chain_file:PEM lib)
nginx: configuration file /etc/nginx/nginx.conf test failed

This was an issue with the line breaks in the concatenated files.

They looked thus:

-----END CERTIFICATE----------BEGIN CERTIFICATE-----

and it should have looked like this:

-----END CERTIFICATE-----
-----BEGIN CERTIFICATE-----

To achieve this we added a blank line to the ssl.crt file, re-concatenated, used fab domain:www.hatherleigh.info ssl to place the new file on the server and then restarted nginx with service nginx restart on the server as root.

For further help solving this issue, see Fixing PEM routines:PEM_read_bio:bad end line error.
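The concatenation step earlier on this page and the bad end line failure above can be avoided by inserting the missing newline automatically and checking the unified file before it is copied to the server. The following is an added example written for this page, not a script from the original page; file names follow the page, and the `RUN_DEMO` usage block assumes ssl.crt and intermediate.crt are in the current folder.

```shell
#!/bin/sh
# Added example, not from the original page: build ssl-unified.crt from the
# server and intermediate certificates so that the PEM blocks can never run
# together, then check the file before it is copied to the server.
set -eu

# pem_concat OUT IN...: like `cat IN... > OUT`, but adds a newline after any
# input that does not end with one. A vendor's ssl.crt without a final newline
# is what produced "-----END CERTIFICATE----------BEGIN CERTIFICATE-----".
pem_concat() {
  out=$1; shift
  : > "$out"
  for f in "$@"; do
    cat "$f" >> "$out"
    # tail -c 1 prints the last byte; command substitution drops a trailing
    # newline, so a non-empty result means the file lacked one.
    [ -z "$(tail -c 1 "$f")" ] || printf '\n' >> "$out"
  done
}

# pem_check FILE: succeed if every BEGIN/END marker is alone on its own line
# and the counts agree; print the number of certificates in the file.
pem_check() {
  f=$1
  begins=$(grep -c '^-----BEGIN CERTIFICATE-----$' "$f" || true)
  ends=$(grep -c '^-----END CERTIFICATE-----$' "$f" || true)
  # A line that is not exactly a marker but still contains marker text is two
  # markers run together, which the PEM reader rejects as a "bad end line".
  joined=$(grep -Ev '^-----(BEGIN|END) CERTIFICATE-----$' "$f" \
           | grep -c 'CERTIFICATE-----' || true)
  if [ "$begins" -eq 0 ] || [ "$begins" -ne "$ends" ] || [ "$joined" -ne 0 ]; then
    echo "malformed PEM in $f: begin=$begins end=$ends joined=$joined" >&2
    return 1
  fi
  echo "$begins"
}

# pem_first_subject_is FILE CN: nginx (like `openssl x509`) treats the first
# certificate in the file as the server certificate, so it must be the one for
# CN, with the intermediate after it.
pem_first_subject_is() {
  subj=$(openssl x509 -in "$1" -noout -subject)
  case "$subj" in
    *"$2"*) return 0 ;;
    *) echo "first certificate in $1 is not for $2: $subj" >&2; return 1 ;;
  esac
}

# Usage (run with RUN_DEMO=1 in the domain's ssl-cert folder).
if [ "${RUN_DEMO:-0}" = 1 ]; then
  pem_concat ssl-unified.crt ssl.crt intermediate.crt
  echo "certificates in chain: $(pem_check ssl-unified.crt)"
  pem_first_subject_is ssl-unified.crt www.hatherleigh.info
  # Copy the file to the server, then run `nginx -t` there before restarting.
fi
```

Running `nginx -t` on the server after copying the file catches the same SSL_CTX_use_certificate_chain_file error without taking the site down, since the configuration is only tested, not reloaded.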