@artmouse
Last active August 29, 2015 14:10
Obtain and install a free SSL certificate on Nginx
Go to https://www.startssl.com. Click Control Panel in the upper right of the screen.
On the Authenticate or Sign-up? screen click Express Lane.
You’ll arrive at a Personal Enrollment Details screen. Because this is a class 1 certificate, you’ll enter your personal information here rather than that of a business or organization. A verification code will be sent to the email address you enter here.
Shortly after submitting your registration, you’ll receive an email with the verification code needed to complete your registration.
With your account active, you’re prompted to generate your initial private key. This certificate is just for authenticating with StartSSL’s control panel. Select 2048 (High Grade) and click Generate. When the key is done generating, click Install.
StartSSL suggests you back up your client certificates:
Click on the “Options” icon in the upper left. Select “Settings” from the menu. Click on “Advanced Settings” and then, in the HTTPS/SSL section, click on the “Manage certificates…” button. Select the certificate(s) you want to export, click on the “Export…” button and follow the prompts from the Export Certificate Wizard that pops up. Make sure to include the private key as well, and export as a .p12 file.
Domain Name Validation
Now you can begin the process of generating the certificate for your site. Click on Control Panel and then Validations Wizard. For the Type, choose Domain Name Validation.
You’ll be able to enter your domain and select the appropriate TLD.
You’ll be provided with a list of email addresses for domain verification: hostmaster@, postmaster@, webmaster@, and the domain’s contacts. Select one where you can receive the validation code. This address will be included as the Subject: E attribute on your certificate. Entering the code validates the domain for certificate creation for 30 days.
Return to the Control Panel and go to Certificates Wizard. This time for Certificate Type you’ll select Web Server SSL/TLS Certificate.
Certificate Wizard
Return to Certificates Wizard and for Certificate Target select Web Server SSL/TLS Certificate. Enter a password consisting of 10 to 32 numbers and letters for your key. Keysize can remain 2048 and the Secure Hash Algorithm should be SHA2.
After submitting your key password, you’ll be provided with your encrypted private key. Copy and paste the contents of the box into a text file and save it with a .key extension (e.g., rudeotter.key). The key can be decrypted now if you have OpenSSL, otherwise this can wait until after the file has been moved to your server.
After saving your private key, you’re asked to select the top level domain you’d like to use for your certificate. If the domain you want is not in the dropdown menu, you’ll need to add it using the Validations Wizard.
You’ll be asked to enter a subdomain for the domain you just selected. In most cases, you’ll want to use www.
You’ll be able to review the domain and subdomain before processing the certificate. Continue and you’ll either receive your certificate immediately like your private key, or you will be told that an additional check is required.
If you receive your certificate immediately, save it to a text file with a .crt extension (e.g., rudeotter.crt). Otherwise, you’ll have to wait for your request to be approved at which point it can be downloaded by visiting Retrieve Certificate under Tool Box.
Server Location
There are a number of different places to put your keys and certificates when you move them to your server. I’ve started putting mine in /srv/ssl lately, because it just seems to make sense given the Filesystem Hierarchy Standard. That’s also why I use /srv/www as well, despite Ubuntu/Debian wanting to keep using /var.
Create the ssl directory if it doesn’t already exist with mkdir -p /srv/ssl and move your certificate and private key there. Decrypt your key if it is still encrypted and secure the file’s permissions:
openssl rsa -in rudeotter.key -out rudeotter.key
chmod 400 rudeotter.key
Install SSL certificate in Nginx
With Nginx, you’ll need to append the intermediate certificate to your site’s certificate, creating a chain. It is not necessary to include the root certificate in your chain as it is ignored by clients and uses bandwidth.
Use either of the following to create the necessary SSL certificate chain. The site certificate must stay first in the file, so the CA certificates are appended after it (tee -a), with the intermediate before the root:
Intermediate Only:
wget -O - https://www.startssl.com/certs/sub.class1.server.ca.pem | tee -a /srv/ssl/rudeotter.crt > /dev/null
Intermediate and Root (unnecessary):
wget -O - https://www.startssl.com/certs/sub.class1.server.ca.pem https://www.startssl.com/certs/ca.pem | tee -a /srv/ssl/rudeotter.crt > /dev/null
To enable SSL, add a server block listening on port 443 with ssl and include the ssl_certificate and ssl_certificate_key directives. A very basic SSL server block is shown below; if you do not want to support IPv6, just remove the listen [::]:443 ssl line:
server {
    listen [::]:443 ssl;
    listen 443 ssl;
    server_name rudeotter.com;
    ssl_certificate /srv/ssl/rudeotter.crt;
    ssl_certificate_key /srv/ssl/rudeotter.key;
    root /srv/www/rudeotter.com/htdocs;
    index index.html index.htm;
}
To redirect HTTP to HTTPS, 301 redirects can be used just as when www is redirected to root or root to www.
server {
    listen [::]:80;
    listen 80;
    server_name rudeotter.com;
    return 301 https://rudeotter.com$request_uri;
}
Test your new Nginx configuration and SSL certificate:
nginx -t
If all goes well, restart Nginx to use the new configuration:
service nginx restart
Check that the private key indeed matches the certificate by comparing the modulus of each:
diff <(openssl rsa -in KEY -modulus -noout) <(openssl x509 -in CERT -modulus -noout)
This should produce no output.
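The three things this page leaves you to get right by hand (the key decrypted and chmod 400, the intermediate appended after the site certificate, and the key matching the certificate) can be checked in one pre-flight script before Nginx is restarted. This is an added example, not part of the original gist; it assumes openssl is in PATH and takes the key and chain file paths as arguments. The key check compares the public key blocks rather than the RSA modulus, so it also covers EC keys.

```bash
#!/usr/bin/env bash
# Pre-flight checks for the key and chain file Nginx will load.
# Added example, not part of the original gist. Assumes openssl is in PATH.
set -uo pipefail

# 0 if the public key inside KEY equals the one in CERT. Compares the SPKI
# blocks, which works for EC as well as RSA keys (the -modulus diff is RSA-only).
# "-passin pass:" makes an encrypted key fail instead of prompting.
key_matches_cert() {
    local kpub cpub
    kpub=$(openssl pkey -in "$1" -passin pass: -pubout 2>/dev/null) || return 1
    cpub=$(openssl x509 -in "$2" -noout -pubkey 2>/dev/null) || return 1
    [ -n "$kpub" ] && [ "$kpub" = "$cpub" ]
}

# 0 if KEY is unencrypted and mode 0400, the state the gist leaves it in: Nginx
# cannot answer a passphrase prompt at boot, and nothing else should read it.
key_is_deployable() {
    if grep -q 'ENCRYPTED' "$1"; then return 1; fi
    [ "$(stat -c %a "$1" 2>/dev/null || stat -f %Lp "$1")" = "400" ]
}

# 0 if CHAIN holds at least two certificates and each one is issued by the
# one after it, i.e. the site certificate comes first and the intermediate
# was appended after it. TLS clients expect exactly that order.
chain_order_ok() {
    local tmp n i issuer subject
    n=$(grep -c -- '-----BEGIN CERTIFICATE-----' "$1") && [ "$n" -ge 2 ] || return 1
    tmp=$(mktemp -d) || return 1
    # split the PEM bundle into tmp/cert.1 ... tmp/cert.N
    awk -v d="$tmp" '/-----BEGIN CERTIFICATE-----/{n++} n>0{print > (d "/cert." n)}' "$1"
    for ((i = 1; i < n; i++)); do
        issuer=$(openssl x509 -in "$tmp/cert.$i" -noout -issuer)
        subject=$(openssl x509 -in "$tmp/cert.$((i + 1))" -noout -subject)
        if [ "${issuer#issuer=}" != "${subject#subject=}" ]; then rm -rf "$tmp"; return 1; fi
    done
    rm -rf "$tmp"
}

# Usage: ./preflight.sh /srv/ssl/rudeotter.key /srv/ssl/rudeotter.crt
if [ -n "${1:-}" ] && [ -n "${2:-}" ]; then
    key_matches_cert "$1" "$2" && key_is_deployable "$1" && chain_order_ok "$2" \
        && echo "ok: $2 is ready for nginx" || { echo "FAILED: do not deploy $2" >&2; exit 1; }
fi
```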