Before purchasing a cert, you need to generate a private key and a CSR (Certificate Signing Request). You'll be asked to paste the contents of the CSR when ordering the certificate; the private key stays on your server and is never sent to the CA.
openssl req -new -newkey rsa:2048 -nodes -keyout example_com.key -out example_com.csr
This gives you two files:
- example_com.key -- your private key. Keep it secret; you'll need it later to configure nginx (or Caddy).
- example_com.csr -- your CSR file, the only one of the two you hand to the CA.
Now, purchase the certificate and download a zip file with the following:
- Root CA Certificate - AddTrustExternalCARoot.crt
- Intermediate CA Certificate - COMODORSAAddTrustCA.crt
- Intermediate CA Certificate - COMODORSADomainValidationSecureServerCA.crt
- Your PositiveSSL Certificate - www_example_com.crt (or STAR_example_com.crt for a wildcard certificate)
1. Combine the .crt files into a single bundle. The order matters: your own certificate first, then the intermediates, each followed by the one that issued it, and the root last. (Clients already carry the root, so it can be left out of the bundle; including it is harmless but adds bytes to every handshake.)
cat www_example_com.crt COMODORSADomainValidationSecureServerCA.crt COMODORSAAddTrustCA.crt AddTrustExternalCARoot.crt > ssl-bundle.crt
2. Store the bundle and the private key wherever the web server expects to find them:
mkdir -p /opt/ssl/example_com/
mv ssl-bundle.crt /opt/ssl/example_com/
mv example_com.key /opt/ssl/example_com/
3. Make sure the web server's user can read the bundle and the key, and that nobody else can read the key (it should end up mode 0600, owned by that user):
chown www:www -Rf /opt/ssl
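The three steps above (key and CSR, bundle, storage with permissions) as one script, with the checks a practitioner would run before restarting the web server. This is an added example, not code from the original page: it needs only the openssl CLI, and to run offline it first creates a throwaway root -> intermediate -> leaf chain that stands in for the files in the vendor's zip (the toy CA names, the single intermediate, and the /opt/ssl-style target directory are illustrative assumptions; the file names follow the page). It goes beyond the page by checking bundle order, chain validity and key/certificate match, and by installing the key with mode 0600 instead of relying on chown alone.

```sh
#!/bin/sh
# Added example, not from the original page: build the bundle and check it
# before the web server ever sees it. Needs only the openssl CLI. To run
# offline it first creates a throwaway root -> intermediate -> leaf chain that
# stands in for the vendor's zip; file names follow the page but are illustrative.
set -eu

# Stand-in for the CA-provided files: toy root, one intermediate, and a leaf for
# www.example.com, plus the server key. The server key and CSR are created exactly
# as on the page, but under umask 077 so the key is never world-readable.
make_toy_chain() {
  dir="$1"
  mkdir -p "$dir"
  (
    umask 077
    cd "$dir"
    printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign,cRLSign\n' > ca.ext
    printf 'basicConstraints=CA:FALSE\nsubjectAltName=DNS:www.example.com\n' > leaf.ext
    openssl req -x509 -newkey rsa:2048 -nodes -days 2 -subj '/CN=Toy Root CA' \
      -keyout root.key -out root.crt 2>/dev/null
    openssl req -new -newkey rsa:2048 -nodes -subj '/CN=Toy Intermediate CA' \
      -keyout inter.key -out inter.csr 2>/dev/null
    openssl x509 -req -in inter.csr -CA root.crt -CAkey root.key -CAcreateserial \
      -days 2 -extfile ca.ext -out inter.crt 2>/dev/null
    # The page's own step: server key + CSR (the CSR is what you paste into the order form).
    openssl req -new -newkey rsa:2048 -nodes -subj '/CN=www.example.com' \
      -keyout example_com.key -out example_com.csr 2>/dev/null
    openssl x509 -req -in example_com.csr -CA inter.crt -CAkey inter.key -CAcreateserial \
      -days 2 -extfile leaf.ext -out www_example_com.crt 2>/dev/null
  )
}

# The page's bundle step: server certificate first, then intermediates from the
# issuer upward, root last. TLS clients read the chain in this order.
build_bundle() {
  dir="$1"
  cat "$dir/www_example_com.crt" "$dir/inter.crt" "$dir/root.crt" > "$dir/ssl-bundle.crt"
}

# Three checks to run before restarting the web server. Prints OK and returns 0
# only when all pass; otherwise prints the reason and returns 1.
verify_bundle() {
  dir="$1"
  # 1. openssl x509 reads only the first PEM block, so this confirms the bundle
  #    starts with the server certificate rather than an intermediate or the root.
  first=$(openssl x509 -in "$dir/ssl-bundle.crt" -noout -fingerprint -sha256)
  leaf=$(openssl x509 -in "$dir/www_example_com.crt" -noout -fingerprint -sha256)
  [ "$first" = "$leaf" ] || { echo "bundle does not start with the server certificate"; return 1; }
  # 2. The chain in the bundle must validate up to the root we trust.
  openssl verify -CAfile "$dir/root.crt" -untrusted "$dir/ssl-bundle.crt" \
    "$dir/www_example_com.crt" >/dev/null 2>&1 \
    || { echo "chain in bundle does not validate"; return 1; }
  # 3. The private key must match the public key in the server certificate.
  certpub=$(openssl x509 -in "$dir/www_example_com.crt" -noout -pubkey)
  keypub=$(openssl pkey -in "$dir/example_com.key" -pubout 2>/dev/null)
  [ "$certpub" = "$keypub" ] || { echo "private key does not match the certificate"; return 1; }
  echo OK
}

# Install into the directory the web server reads from, with the key 0600.
# Pass user:group as the third argument on a real host (e.g. www:www) to chown;
# omitted here so the example also runs unprivileged.
install_bundle() {
  src="$1"; dest="$2"; owner="${3:-}"
  install -d -m 0750 "$dest"
  install -m 0644 "$src/ssl-bundle.crt" "$dest/ssl-bundle.crt"
  install -m 0600 "$src/example_com.key" "$dest/example_com.key"
  [ -z "$owner" ] || chown -R "$owner" "$dest"
}

# Mode string of a file as ls prints it (works with GNU and BSD ls).
file_mode() {
  ls -ld "$1" | cut -c1-10
}

# Usage, in the order the page's steps run: sh this_script.sh demo
if [ "${1:-}" = "demo" ]; then
  work=$(mktemp -d)
  make_toy_chain "$work"
  build_bundle "$work"
  verify_bundle "$work"
  install_bundle "$work" "$work/opt-ssl-example_com"
  file_mode "$work/opt-ssl-example_com/example_com.key"
fi
```

On a real host you would skip make_toy_chain, drop the vendor's files next to your example_com.key, adjust the cat line in build_bundle to the real intermediate names in issuer order, and call install_bundle with the web server's user so the chown happens in the same step as the mode change.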
4. Configure the web server:
Caddy (Caddy v1 syntax; note that web.example.com and api.example.com are only covered by the wildcard STAR_example_com.crt, not by a certificate issued for www.example.com)
# /opt/Caddyfile
web.example.com:80 {
    redir 301 {
        if {scheme} not https
        / https://{host}{uri}
    }
    root /opt/www/web_example_com
}
web.example.com:443 {
    tls /opt/ssl/example_com/ssl-bundle.crt /opt/ssl/example_com/example_com.key
    root /opt/www/web_example_com
    gzip
    log /var/log/web_example_com.log
}
api.example.com:443 {
    tls /opt/ssl/example_com/ssl-bundle.crt /opt/ssl/example_com/example_com.key
    proxy / 127.0.0.1:3000
}
Nginx
# /etc/nginx/conf.d/default.conf
server {
    listen 443 ssl;   # "ssl on;" is deprecated; enable TLS on the listen directive instead
    ssl_certificate /opt/ssl/example_com/ssl-bundle.crt;
    ssl_certificate_key /opt/ssl/example_com/example_com.key;
    # Only allow current TLS versions: SSLv2 and SSLv3 are broken (e.g. POODLE)
    # and TLS 1.0/1.1 are deprecated (RFC 8996). TLSv1.3 needs nginx 1.13+
    # built against OpenSSL 1.1.1+.
    ssl_protocols TLSv1.2 TLSv1.3;
    # ...
}