First we need to create a private key. Note that this process will
require a passphrase for the key - don't worry, we'll remove it later
to make things easier:
Country Name: GB
State or Province Name: Nottinghamshire
Locality Name: Nottingham
Organization Name: PickledOnion Ltd
Organizational Unit Name: Web Development
Common Name: admin.domain.com
Email Address: webadmin@domain.com
For the 'extra' attributes I simply pressed 'return' (i.e. I left them blank).
Note: For the Common Name I entered the domain name I want to associate with the certificate. In this case I want it for my administration area so I entered 'admin.domain.com'.
You are not restricted to using the certificate with just that domain but it will produce extra warnings if the Common Name does not match the URI.
This is especially problematic if an unexpected reboot occurs as the boot sequence will simply stop until you enter the console via the SliceManager and enter it.
So unless you see a particular need to keep the passphrase, let's remove it:
Now we have three files in the temp folder:
First file to move is the certificate itself:
Once the files have been generated and moved to the /etc/ssl/ directory, we are now ready to configure Nginx to serve our domain from an HTTPS connection.
openssl genrsa -des3 -out myssl.key 1024CSR
Now we need to create a CSR (Certificate Signing Request):openssl req -new -key myssl.key -out myssl.csrCountry Name: GB
State or Province Name: Nottinghamshire
Locality Name: Nottingham
Organization Name: PickledOnion Ltd
Organizational Unit Name: Web Development
Common Name: admin.domain.com
Email Address: webadmin@domain.com
For the 'extra' attributes I simply pressed 'return' (i.e. I left them blank).
Note: For the Common Name I entered the domain name I want to associate with the certificate. In this case I want it for my administration area so I entered 'admin.domain.com'.
You are not restricted to using the certificate with just that domain but it will produce extra warnings if the Common Name does not match the URI.
Remove Passphrase
When we generated the myssl.key file, we had to enter a passphrase. One disadvantage of this is the need to enter the passphrase if the Slice is rebooted.This is especially problematic if an unexpected reboot occurs as the boot sequence will simply stop until you enter the console via the SliceManager and enter it.
So unless you see a particular need to keep the passphrase, let's remove it:
cp myssl.key myssl.key.org
openssl rsa -in myssl.key.org -out myssl.keyNow we have three files in the temp folder:
ls
...
myssl.csr myssl.key myssl.key.orgCRT
The last file we need generate is the actual ssl certificate:openssl x509 -req -days 365 -in myssl.csr -signkey myssl.key -out myssl.crtEverything in its place
Now we need to copy the relevant files to the /etc/ssl/ directory.First file to move is the certificate itself:
sudo cp myssl.crt /etc/ssl/certs/sudo cp myssl.key /etc/ssl/private/Clean up
You are now free to delete the temp file and the four files we generated or, if you prefer, keep them around for a while until you know the ssl certificate works correctly.Summary
Nginx requires more than the standard pem file that Apache is happy with. As such, we need to create a ssl key and a certificate file.Once the files have been generated and moved to the /etc/ssl/ directory, we are now ready to configure Nginx to serve our domain from an HTTPS connection.
No comments:
Post a Comment