Nginx – Configure SSL

Posted: June 16, 2014 in Uncategorized
Create a private key

Please note that you will be prompted for a passphrase; remember it, since the next step asks for it again.

sudo openssl genrsa -des3 -out udara.com.key 2048

Use at least 2048 bits. The command as originally posted used 1024; 1024-bit RSA keys are rejected by current browsers and public CAs and should not be generated any more.

The generated private key is a PEM-encoded, passphrase-encrypted RSA key.

Create a certificate signing request
sudo openssl req -new -key udara.com.key -out udara.com.csr

You will be prompted for the passphrase and for the details that go into the request. Enter the same passphrase you entered in the previous step. Set the Common Name to the server's fully qualified hostname. Note that current browsers match the hostname against the subjectAltName extension rather than the CN, and this interactive prompt does not add one, so browsers will reject the certificate on hostname grounds as well as on trust grounds unless a SAN is added when the request is signed.

root@udara-ThinkPad-T530: sudo openssl req -new -key udara.com.key -out udara.com.csr
Enter pass phrase for udara.com.key:
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [AU]:LK
State or Province Name (full name) [Some-State]:Western
Locality Name (eg, city) []:Colombo
Organization Name (eg, company) [Internet Widgits Pty Ltd]:Udara Pvt Ltd
Organizational Unit Name (eg, section) []:stratos
Common Name (e.g. server FQDN or YOUR name) []:udara.com
Email Address []:udaraliyanage@gmail.com
Remove the passphrase (Optional)

This step is optional. If the passphrase is not removed, you will have to type it every time Nginx is started or restarted. If you do remove it, the key is stored on disk in clear, so the file must be owned by root and readable by root only (chmod 600).

cp udara.com.key udara.com.key.back
sudo openssl rsa -in udara.com.key.back -out udara.com.key

udara.com.key now contains the private key with the passphrase removed; udara.com.key.back keeps the encrypted copy.

Self sign the certificate
sudo openssl x509 -req -days 365 -in udara.com.csr -signkey udara.com.key -out udara.com.crt
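The three steps above (key, request, self-signed certificate) as one non-interactive script, followed by the checks worth running before the files go anywhere near Nginx. This is an added example, not code from the original post: it uses a 2048-bit key, no passphrase, supplies the Distinguished Name with -subj instead of the prompts, and adds a subjectAltName at signing time because browsers match the hostname against the SAN rather than the CN. WORKDIR, DOMAIN and the DN values are assumptions for the example.

```shell
#!/bin/sh
# Added example, not code from the original post: key / CSR / self-signed
# certificate done non-interactively, then verified. WORKDIR, DOMAIN and the
# DN values below are assumptions.
set -eu

DOMAIN="${DOMAIN:-udara.com}"
WORKDIR="${WORKDIR:-$(mktemp -d)}"
KEY="$WORKDIR/$DOMAIN.key"
CSR="$WORKDIR/$DOMAIN.csr"
CRT="$WORKDIR/$DOMAIN.crt"
EXT="$WORKDIR/san.ext"

# Step 1: private key. 2048 bits is the floor today; 1024-bit RSA is rejected
# by browsers and CAs. No -des3 passphrase, so Nginx can start unattended;
# the file mode protects the key instead.
gen_key() {
    openssl genrsa -out "$KEY" 2048 2>/dev/null
    chmod 600 "$KEY"
}

# Step 2: CSR. -subj supplies the Distinguished Name instead of the prompts.
gen_csr() {
    openssl req -new -key "$KEY" -out "$CSR" \
        -subj "/C=LK/ST=Western/L=Colombo/O=Udara Pvt Ltd/OU=stratos/CN=$DOMAIN"
}

# Step 3: self-sign for one year. Browsers match the hostname against the
# subjectAltName extension, not the CN, so it is added here via -extfile.
self_sign() {
    printf 'subjectAltName=DNS:%s,DNS:www.%s\n' "$DOMAIN" "$DOMAIN" > "$EXT"
    openssl x509 -req -days 365 -in "$CSR" -signkey "$KEY" \
        -extfile "$EXT" -out "$CRT" 2>/dev/null
}

# Check 1: does the certificate really contain this key's public half?
# Hash the RSA modulus from each file; the two hashes must be identical.
key_matches_cert() {
    k=$(openssl rsa  -noout -modulus -in "$KEY" | openssl sha256)
    c=$(openssl x509 -noout -modulus -in "$CRT" | openssl sha256)
    [ "$k" = "$c" ]
}

# Check 2: the key size really is 2048 bits (catches a stale 1024-bit file).
key_is_2048() {
    openssl rsa -noout -text -in "$KEY" | grep -q '2048 bit'
}

# Check 3: the certificate names the host both in its SAN and in its subject.
cert_names_host() {
    openssl x509 -noout -text -in "$CRT" | grep -q "DNS:$DOMAIN" &&
    openssl x509 -noout -subject -in "$CRT" | grep -q "CN *= *$DOMAIN"
}

gen_key
gen_csr
self_sign
key_matches_cert
key_is_2048
cert_names_host
echo "OK: $KEY and $CRT are a matching pair for $DOMAIN"
```

The modulus comparison is the quickest way to catch the classic "cert and key from different runs" mistake, which Nginx otherwise reports only as a startup error (SSL_CTX_use_PrivateKey_file ... key values mismatch) after the restart has already taken the site down.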
Install the key and certificate into Nginx

Create a directory for the TLS files

sudo mkdir /etc/nginx/ssl

Copy the private key and the signed certificate into that directory (the paths must match the ones used in the server block below), and make the key readable by root only, since its passphrase has been removed.

sudo cp udara.com.crt /etc/nginx/ssl/udara.com.crt
sudo cp udara.com.key /etc/nginx/ssl/udara.com.key
sudo chmod 600 /etc/nginx/ssl/udara.com.key
Configure the certificate in Nginx
server {
        listen 443 ssl;
        server_name udara.com;

        root /usr/share/nginx/www;
        index index.html index.htm;

        ssl_certificate /etc/nginx/ssl/udara.com.crt;
        ssl_certificate_key /etc/nginx/ssl/udara.com.key;
}

Enabling TLS on the listen directive (listen 443 ssl;) is the recommended form. The older ssl on; directive does the same thing but was deprecated in Nginx 1.15.0 and removed in 1.25.1. Make sure the two paths point at the files you copied into /etc/nginx/ssl.
Restart Nginx to apply the changes
sudo service nginx restart
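The install-and-configure steps above as one script. This is an added example, not code from the original post: it copies the files with the right modes (certificate world-readable, key root-only), writes a server block that uses listen 443 ssl; with explicit TLS settings and a plain-HTTP redirect, and then checks the two things the original steps make easy to get wrong, a stray ssl on; and a key path that does not match where the file was copied. NGINX_ROOT defaults to a scratch directory so the script can be tried without touching /etc/nginx; on a real host set NGINX_ROOT=/etc/nginx and run it as root. DOMAIN, WORKDIR and the throwaway demo key pair are assumptions.

```shell
#!/bin/sh
# Added example, not code from the original post: install key and certificate
# for Nginx and write a hardened server block. NGINX_ROOT, DOMAIN and WORKDIR
# are assumptions; the demo key pair generated at the bottom is constructed
# input for trying the script.
set -eu

DOMAIN="${DOMAIN:-udara.com}"
WORKDIR="${WORKDIR:-$(mktemp -d)}"
NGINX_ROOT="${NGINX_ROOT:-$WORKDIR/etc/nginx}"   # /etc/nginx on a real host
SSL_DIR="$NGINX_ROOT/ssl"
CONF="$NGINX_ROOT/conf.d/$DOMAIN.conf"

# The certificate is public (0644); the private key must be root-only (0600).
# Nginx reads the key as root before dropping to the worker user, so nothing
# else on the box needs access to it.
install_tls_files() {
    src_crt=$1; src_key=$2
    install -d -m 755 "$SSL_DIR"
    install -m 644 "$src_crt" "$SSL_DIR/$DOMAIN.crt"
    install -m 600 "$src_key" "$SSL_DIR/$DOMAIN.key"
}

# Plain HTTP only redirects; TLS is enabled on the listen directive.
# TLSv1.3 needs nginx 1.13.0+ built against OpenSSL 1.1.1+; on older builds
# drop it from ssl_protocols rather than re-enabling TLS 1.0/1.1.
write_server_block() {
    install -d -m 755 "$(dirname "$CONF")"
    cat > "$CONF" <<EOF
server {
    listen 80;
    server_name $DOMAIN;
    return 301 https://\$host\$request_uri;
}

server {
    listen 443 ssl;
    server_name $DOMAIN;

    root /usr/share/nginx/www;
    index index.html index.htm;

    ssl_certificate     $SSL_DIR/$DOMAIN.crt;
    ssl_certificate_key $SSL_DIR/$DOMAIN.key;

    ssl_protocols TLSv1.2 TLSv1.3;
    ssl_ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305;
    ssl_prefer_server_ciphers off;
    ssl_session_cache shared:SSL:10m;
    ssl_session_timeout 1d;
    ssl_session_tickets off;
}
EOF
}

# Catch a leftover "ssl on;" and an ssl_certificate_key path that points at
# a file which was never copied there.
conf_is_consistent() {
    grep -q '^ *listen 443 ssl;' "$CONF" &&
    ! grep -q '^ *ssl on;' "$CONF" &&
    key_path=$(sed -n 's/^ *ssl_certificate_key *\(.*\);/\1/p' "$CONF") &&
    [ -s "$key_path" ]
}

key_mode_is_0600() {
    [ -n "$(find "$SSL_DIR/$DOMAIN.key" -perm 600)" ]
}

# Demo input: a throwaway self-signed pair (constructed here, valid one day).
openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=$DOMAIN" \
    -keyout "$WORKDIR/$DOMAIN.key" -out "$WORKDIR/$DOMAIN.crt" 2>/dev/null
install_tls_files "$WORKDIR/$DOMAIN.crt" "$WORKDIR/$DOMAIN.key"
write_server_block
conf_is_consistent
key_mode_is_0600
echo "installed under $NGINX_ROOT; run 'nginx -t' there before restarting"
```

On a real host, run sudo nginx -t after the script and before sudo service nginx restart: a syntax error or a bad key path is then reported without taking the running server down.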
Test the configuration

Point your browser at https://udara.com. You will see a warning like the one below, because the browser does not trust a self-signed certificate. Proceed by clicking "I understand the risks".

[Screenshot: Firefox untrusted-connection warning for https://udara.com]

Debug the SSL certificate from the command line.

You can inspect the certificate the server presents with openssl s_client, as below (add -servername udara.com if the host serves several names via SNI). The sample output was captured against a different self-signed certificate (CN=localhost, O=WSO2), so the subject and issuer will differ from yours; the verify errors 20 and 21 are expected for a self-signed certificate, since no trusted CA issued it.

openssl s_client -connect udara.com:443
CONNECTED(00000003)
depth=0 C = US, ST = CA, L = Mountain View, O = WSO2, CN = localhost
verify error:num=20:unable to get local issuer certificate
verify return:1
depth=0 C = US, ST = CA, L = Mountain View, O = WSO2, CN = localhost
verify error:num=21:unable to verify the first certificate
verify return:1
---
Certificate chain
 0 s:/C=US/ST=CA/L=Mountain View/O=WSO2/CN=localhost
   i:/C=US/ST=CA/L=Mountain View/O=WSO2/CN=localhost
---
Server certificate
-----BEGIN CERTIFICATE-----
MIICNTCCAZ6gAwIBAgIES343gjANBgkqhkiG9w0BAQUFADBVMQswCQYDVQQGEwJV
UzELMAkGA1UECAwCQ0ExFjAUBgNVBAcMDU1vdW50YWluIFZpZXcxDTALBgNVBAoM
BFdTTzIxEjAQBgNVBAMMCWxvY2FsaG9zdDAeFw0xMDAyMTkwNzAyMjZaFw0zNTAy
MTMwNzAyMjZaMFUxCzAJBgNVBAYTAlVTMQswCQYDVQQIDAJDQTEWMBQGA1UEBwwN
TW91bnRhaW4gVmlldzENMAsGA1UECgwEV1NPMjESMBAGA1UEAwwJbG9jYWxob3N0
MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQCUp/oV1vWc8/TkQSiAvTousMzO
M4asB2iltr2QKozni5aVFu818MpOLZIr8LMnTzWllJvvaA5RAAdpbECb+48FjbBe
0hseUdN5HpwvnH/DW8ZccGvk53I6Orq7hLCv1ZHtuOCokghz/ATrhyPq+QktMfXn
RS4HrKGJTzxaCcU7OQIDAQABoxIwEDAOBgNVHQ8BAf8EBAMCBPAwDQYJKoZIhvcN
AQEFBQADgYEAW5wPR7cr1LAdq+IrR44iQlRG5ITCZXY9hI0PygLP2rHANh+PYfTm
xbuOnykNGyhM6FjFLbW2uZHQTY1jMrPprjOrmyK5sjJRO4d1DeGHT/YnIjs9JogR
Kv4XHECwLtIVdAbIdWHEtVZJyMSktcyysFcvuhPQK8Qc/E/Wq8uHSCo=
-----END CERTIFICATE-----
subject=/C=US/ST=CA/L=Mountain View/O=WSO2/CN=localhost
issuer=/C=US/ST=CA/L=Mountain View/O=WSO2/CN=localhost
---
No client certificate CA names sent
---
SSL handshake has read 1100 bytes and written 443 bytes
---
New, TLSv1/SSLv3, Cipher is ECDHE-RSA-AES256-GCM-SHA384
Server public key is 1024 bit
Secure Renegotiation IS supported
Compression: NONE
Expansion: NONE
SSL-Session:
    Protocol  : TLSv1.2
    Cipher    : ECDHE-RSA-AES256-GCM-SHA384
    Session-ID: 061F79D65FD224EDFFC5130BEE77EE37183F1C6AB943315B1B00C64BE6C64DB9
    Session-ID-ctx: 
    Master-Key: 84E05FFF76FF291E0A8FB08981D1CD86407E93B0A1DEC6CD115ACCCFD4514ACC139BCE33D51E73E50F65860A10FAD8CE
    Key-Arg   : None
    PSK identity: None
    PSK identity hint: None
    SRP username: None
    TLS session ticket lifetime hint: 300 (seconds)
    TLS session ticket:
    0000 - 90 8e 1c dd 0e 56 c5 73-1c 7e 2f dd 21 7a c9 0b   .....V.s.~/.!z..
    0010 - 69 19 e9 7f af b3 74 1d-c1 fc 13 ab 9c c5 15 aa   i.....t.........
    0020 - 8b 15 9d ae 12 0c 1b 4b-97 0a 07 9a 1e 5d 0c cc   .......K.....]..
    0030 - 4c ba 1e 43 09 34 06 55-e9 15 9c be e8 30 94 c4   L..C.4.U.....0..
    0040 - 8d 58 65 4c 19 91 85 09-a7 a5 12 99 03 e5 7c ca   .XeL..........|.
    0050 - 8f c5 cd 71 69 3f 44 76-64 fa 59 ea a5 4e 24 40   ...qi?Dvd.Y..N$@
    0060 - e2 ef 71 11 6d 5a b3 5c-e2 94 4c 79 49 59 2b 1f   ..q.mZ.\..LyIY+.
    0070 - 07 3d e3 a9 6a a1 8c eb-71 c7 30 35 4c 73 59 80   .=..j...q.05LsY.
    0080 - 74 84 25 b5 b7 cc 17 81-10 01 f3 32 c9 44 3e 19   t.%........2.D>.
    0090 - 93 52 13 65 36 4a 13 65-a4 ff 92 a3 fd a6 3e 95   .R.e6J.e......>.

    Start Time: 1402859008
    Timeout   : 300 (sec)
    Verify return code: 21 (unable to verify the first certificate)
