Getting Started

Sample

Log on to your web server as root and generate a new 2048-bit RSA private key and certificate request:

root@web:~# openssl req -new -newkey rsa:2048 -nodes -keyout server.key -out server.csr
Generating a 2048 bit RSA private key
...................+++
.............+++
writing new private key to 'server.key'
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [AU]:UK
State or Province Name (full name) [Some-State]:Devon
Locality Name (eg, city) []:Crediton
Organization Name (eg, company) [Internet Widgits Pty Ltd]:Connexion Software Ltd
Organizational Unit Name (eg, section) []:.
Common Name (e.g. server FQDN or YOUR name) []:connexionsw.com
Email Address []:patrick.kimber@connexionsw.com

Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:
An optional company name []:
root@web:~#

Note: I did not use either of the extra attributes (challenge password or optional company name). Just press Enter to ignore…

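This process will generate two files, server.csr (the certificate request) and server.key (the private key). Because of the -nodes option, server.key is written unencrypted, so it stays on the server and only the request is copied off.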

Copy the certificate request to your local workstation:

scp root@2.2.2.2:/root/server.csr .

I submitted this certificate request to StartSSL and was supplied with three files: ca.pem, ssl.crt and sub.class1.server.ca.pem.

Note: if you forget to download any of these files, then don’t panic! ssl.crt can be downloaded from Control Panel, Toolbox, Retrieve Certificate. I think the other two files are the same for all StartSSL certificates and can be re-used from another download or found on the StartSSL web site (possibly http://www.startssl.com/certs/).

Concatenate the three certificates (server certificate first, then the intermediate, then the root) and copy the unified certificate to the server (see Nginx AND StartSSL):

cat ssl.crt sub.class1.server.ca.pem ca.pem > ssl-unified.crt
scp ssl-unified.crt root@95.138.181.79:/srv/ssl/

Update the file permissions on the server (here by applying the Salt highstate):

salt '*' state.highstate
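
Two checks worth running on the files from the steps above: that the unified certificate carries the same public key as server.key, and that the bundle is in issuer order. This is an added example, not part of the original post; the function names are hypothetical and it builds its own throwaway demo certificates rather than using StartSSL's.

```sh
#!/bin/sh
# Added example: checks to run before installing ssl-unified.crt.
# All certificates below are constructed throwaway files, not StartSSL's.

# Print the SHA-256 of the public key held in a key, CSR or certificate.
# For a bundle, "cert" reads only the first certificate in the file.
pubkey_fp() {
    case "$2" in
        key)  pem=$(openssl pkey -in "$1" -pubout 2>/dev/null) || return 1 ;;
        csr)  pem=$(openssl req  -in "$1" -noout -pubkey 2>/dev/null) || return 1 ;;
        cert) pem=$(openssl x509 -in "$1" -noout -pubkey 2>/dev/null) || return 1 ;;
        *)    return 2 ;;
    esac
    [ -n "$pem" ] || return 1
    printf '%s\n' "$pem" | openssl sha256 | awk '{print $NF}'
}

# Succeed only if each certificate in the bundle is issued by the next one.
chain_in_order() {
    openssl crl2pkcs7 -nocrl -certfile "$1" 2>/dev/null |
    openssl pkcs7 -print_certs -noout 2>/dev/null |
    awk '/^subject=/ { s = substr($0, 9); if (n && s != iss) bad = 1; n++ }
         /^issuer=/  { iss = substr($0, 8) }
         END { exit (n < 1 || bad) }'
}

# Build a demo root, intermediate and server certificate in directory $1.
make_demo() (
    cd "$1" || exit 1
    exec 2>/dev/null
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=Demo Root" -keyout ca.key -out ca.pem &&
    openssl req -new -newkey rsa:2048 -nodes -subj "/CN=Demo Sub" -keyout sub.key -out sub.csr &&
    openssl x509 -req -in sub.csr -CA ca.pem -CAkey ca.key -set_serial 1 -days 1 -out sub.pem &&
    openssl req -new -newkey rsa:2048 -nodes -subj "/CN=demo.example" -keyout server.key -out server.csr &&
    openssl x509 -req -in server.csr -CA sub.pem -CAkey sub.key -set_serial 2 -days 1 -out ssl.crt &&
    cat ssl.crt sub.pem ca.pem > ssl-unified.crt &&   # order used on this page
    cat sub.pem ssl.crt ca.pem > wrong-order.crt      # deliberately misordered
)

d=$(mktemp -d) && make_demo "$d" || exit 1
[ "$(pubkey_fp "$d/server.key" key)" = "$(pubkey_fp "$d/ssl-unified.crt" cert)" ] &&
    echo "key matches first certificate in bundle"
chain_in_order "$d/ssl-unified.crt" && echo "bundle order OK"
chain_in_order "$d/wrong-order.crt" || echo "misordered bundle rejected"
rm -rf "$d"
```

The order check compares subject and issuer names only; it does not validate signatures or expiry.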