How to Install a Wildcard Certificate on a Nginx Server?
Introduction
Configuring a wildcard SSL certificate with Nginx involves a number of steps. This article walks through each of them in order, from the certificate application through to the configuration of the server, so that nothing is missed along the way.
Step 1: Purchase the Wildcard Certificate
Select a Certificate Authority
Choose a reputable Certificate Authority (CA) from which to purchase a Wildcard SSL certificate. Some popular options include DigiCert, Comodo (Sectigo), Certera, GeoTrust, Thawte and RapidSSL.
Create a Certificate Request with a Key
Once you have decided which CA should issue the certificate, generate a Certificate Signing Request (CSR) on your server before buying the Wildcard SSL certificate. The CSR contains the details of your organization and the selected domain.
Generate a CSR using OpenSSL:
1. Log in to your server as root or as a user with administrative privileges.
2. Run the following OpenSSL command to generate a new private key and CSR:
openssl req -new -newkey rsa:2048 -nodes -keyout your_domain.key -out your_domain.csr
3. You will be prompted for the certificate details. For a Wildcard certificate, put the wildcard in the domain name (Common Name) field, for example `*.your_domain.com`.
Here’s an example of the information you’ll need to provide:
Country Name (2-letter code) [AU]: US
State or Province Name (full name) [Some-State]: California
Locality Name (e.g., city): San Francisco
Organization Name (e.g., company): Your Company Name
Organizational Unit Name (e.g., section): IT Department
Common Name (e.g., server FQDN or YOUR name) []: *.your_domain.com
Email Address: admin@your_domain.com
Please enter the following ‘extra’ attributes to be sent with your certificate request
A challenge password []:
An optional company name []:
4. This command generates two files:
– Private Key: `your_domain.key`
– CSR: `your_domain.csr`
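The same key and CSR can be produced without the interactive prompts, and checked before they are sent to the CA. This is an added example, not part of the original guide: the domain `example.com` and the working directory are constructed values, and the SAN deliberately lists both `*.example.com` and the bare `example.com`, because a wildcard alone does not cover the apex name.

```shell
#!/bin/sh
# Added example (not from the original article): create the wildcard key and CSR
# non-interactively, then inspect the CSR before sending it to the CA.
# "example.com" and WORKDIR are constructed values; substitute your own.
set -eu

DOMAIN=example.com
WORKDIR="${TMPDIR:-/tmp}/wildcard-csr"

# Generate a 2048-bit RSA key (created with mode 0600 via umask) and a CSR whose
# Common Name is the wildcard and whose SAN lists the wildcard *and* the apex,
# since *.example.com does not cover example.com itself.
make_wildcard_csr() {
    mkdir -p "$WORKDIR"
    (umask 077; openssl genpkey -algorithm RSA -pkeyopt rsa_keygen_bits:2048 \
        -out "$WORKDIR/$DOMAIN.key" 2>/dev/null)
    openssl req -new -key "$WORKDIR/$DOMAIN.key" -out "$WORKDIR/$DOMAIN.csr" \
        -subj "/C=US/ST=California/L=San Francisco/O=Your Company Name/CN=*.$DOMAIN" \
        -addext "subjectAltName=DNS:*.$DOMAIN,DNS:$DOMAIN"
}

# Print the SAN entries of a CSR, e.g. "DNS:*.example.com, DNS:example.com".
csr_sans() {
    openssl req -in "$1" -noout -text |
        awk '/Subject Alternative Name/ { getline; sub(/^ +/, ""); print }'
}

# Return 0 only if the CSR requests both the wildcard and the apex name.
csr_covers_wildcard_and_apex() {
    sans=$(csr_sans "$1")
    case "$sans" in *"DNS:*.$DOMAIN"*) ;; *) return 1 ;; esac
    case ", $sans" in *", DNS:$DOMAIN"*) return 0 ;; esac
    return 1
}

# Return 0 if the private key is the one the CSR was built from
# (compares SHA-256 of the DER-encoded public keys).
key_matches_csr() {
    k=$(openssl pkey -in "$1" -pubout -outform DER | openssl sha256)
    c=$(openssl req -in "$2" -noout -pubkey |
        openssl pkey -pubin -pubout -outform DER | openssl sha256)
    [ "$k" = "$c" ]
}

make_wildcard_csr
csr_covers_wildcard_and_apex "$WORKDIR/$DOMAIN.csr" && echo "SAN ok: $(csr_sans "$WORKDIR/$DOMAIN.csr")"
key_matches_csr "$WORKDIR/$DOMAIN.key" "$WORKDIR/$DOMAIN.csr" && echo "key matches CSR"
```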
Submit the CSR to the CA
1. Go to the website of your preferred CA or reseller.
2. Choose the Wildcard SSL certificate and place an order for it.
3. You will be asked to provide the CSR during the purchase. Open `your_domain.csr` in a text editor and copy its entire content, including the `-----BEGIN CERTIFICATE REQUEST-----` and `-----END CERTIFICATE REQUEST-----` lines, then paste it into the field provided on the CA's website.
Complete the Validation Process
The CA will require that you show proof of possessing the domain to which you want the certificate. This process may include:
– Email Validation: The CA sends a verification email to a predefined address for the domain (e.g. admin@your_domain.com).
– DNS Validation: You add a DNS TXT record, with a value supplied by the CA, to your domain's DNS zone.
– HTTP Validation: You publish a specific file, supplied by the CA, on your website. Note that CA/Browser Forum rules no longer permit file-based validation for wildcard names, so for a wildcard certificate most CAs offer only DNS or email validation.
Receive Your Certificate
The CA grants your Wildcard SSL certificate when your request passes the validation process. You will typically receive:
– Your Domain Certificate: Usually a `.crt` file or similar.
– CA Bundle (Intermediate Certificates): A file containing the intermediate certificates that chain your certificate to the CA's root.
– Installation Instructions: Some CAs will even supply specific instructions for installing the certificate on different servers.
Download the Certificate Files
Download the provided certificate files to your local machine or directly to the server, and keep them stored securely.
Step 2: Add Certificate Files to Your Server
Copy the certificate files to your server. A suitable folder is `/etc/nginx/ssl`, but any directory that is readable only by privileged users will do.
sudo mkdir -p /etc/nginx/ssl
sudo cp your_domain.crt /etc/nginx/ssl/
sudo cp your_domain.key /etc/nginx/ssl/
sudo cp ca_bundle.crt /etc/nginx/ssl/
Step 3: Combine Certificates (if required)
If the CA provided the domain certificate and the CA bundle as separate files, combine them into a single file. The order matters: your domain certificate must come first, followed by the intermediate certificates.
cat your_domain.crt ca_bundle.crt > /etc/nginx/ssl/combined.crt
Step 4: Enable Nginx to Use the SSL Certificate.
Edit the Nginx configuration file and specify the paths to the SSL certificate and private key. This is typically done in a site-specific configuration file under `/etc/nginx/sites-available/`, or directly in the main Nginx configuration file `/etc/nginx/nginx.conf`.
sudo nano /etc/nginx/sites-available/your_site
Add or modify the server block to include the SSL settings:
server {
    listen 443 ssl;
    server_name your_domain.com *.your_domain.com;

    ssl_certificate /etc/nginx/ssl/combined.crt;
    ssl_certificate_key /etc/nginx/ssl/your_domain.key;
    ssl_protocols TLSv1.2 TLSv1.3;
    ssl_ciphers 'EECDH+AESGCM:EDH+AESGCM:AES256+EECDH:AES256+EDH';
    ssl_prefer_server_ciphers on;
    ssl_session_cache shared:SSL:10m;
    ssl_session_timeout 10m;

    location / {
        # Your site configuration
    }
}
Breakdown of SSL Settings:
– `ssl_certificate`: Sets the path to your combined SSL certificate file.
– `ssl_certificate_key`: This is the path to your private key file.
– `ssl_protocols`: Specifies the supported SSL/TLS protocol versions. TLSv1.2 and TLSv1.3 are currently recommended; older versions should stay disabled.
– `ssl_ciphers`: Sets the cipher suites to use. The example uses a strong set of ciphers.
– `ssl_prefer_server_ciphers`: Enabling this option makes the server use its own cipher preference order rather than the client's.
– `ssl_session_cache` and `ssl_session_timeout`: Enable a shared SSL session cache and set how long cached sessions stay valid, which speeds up repeat connections.
Step 5: Check the Nginx Configurations.
Before reloading Nginx, test the configuration for syntax errors:
sudo nginx -t
If no errors are found, you will see:
nginx: the configuration file /etc/nginx/nginx.conf syntax is ok
nginx: configuration file /etc/nginx/nginx.conf test is successful
Step 6: Reload or Restart the Nginx Web Server
Apply the changes by reloading or restarting the Nginx service:
sudo systemctl reload nginx
or
sudo systemctl restart nginx
Step 7: Check the Installation
Use our SSL Checker Tool to test whether the SSL certificate has been set up correctly.
Step 8: Redirect HTTP to HTTPS Only (Optional)
Redirect all HTTP traffic to HTTPS so that the site is never served over an unencrypted connection:
server {
    listen 80;
    server_name your_domain.com *.your_domain.com;

    location / {
        return 301 https://$host$request_uri;
    }
}
Step 9: Enact Additional Security Practices
HTTP Strict Transport Security (HSTS) is a policy mechanism that instructs browsers to connect to your site only over HTTPS, which helps to mitigate web spoofing and tampering with traffic. Add the header inside the HTTPS server block; note that `includeSubDomains` commits every subdomain covered by the wildcard to HTTPS as well:
add_header Strict-Transport-Security "max-age=31536000; includeSubDomains" always;
Enable OCSP Stapling
OCSP stapling improves TLS handshake performance and client privacy: the server contacts the CA's OCSP responder itself, caches the response, and sends it to clients together with the certificate, so clients do not have to query the responder during validation. The `resolver` is needed so Nginx can look up the responder's hostname.
ssl_stapling on;
ssl_stapling_verify on;
ssl_trusted_certificate /etc/nginx/ssl/ca_bundle.crt;
resolver 8.8.8.8 8.8.4.4 valid=300s;
resolver_timeout 5s;
Step 10: Schedule the SSL Certificate Renewal
Wildcard SSL Certificates are usually valid for one year. Plan to renew your certificate several days before it expires, using reminders and alarms. The renewal process involves generating a new CSR for the website, re-validating the domain, and uploading the new certificate files to the server.
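A reminder can be automated by checking the installed certificate's expiry date from cron. This is an added example, not part of the original guide: it reports how many days each `.crt` in a directory has left and exits non-zero when any falls inside the renewal window; the two self-signed certificates it generates are constructed stand-ins for the CA-issued one, and `days_until_expiry` assumes GNU `date`.

```shell
#!/bin/sh
# Added example (not from the original article): a renewal-window check that can
# run from cron to warn before a certificate expires. The two self-signed
# certificates generated below are constructed stand-ins for the CA-issued one.
set -eu

# Days until the certificate's notAfter, rounded down (negative once expired).
# Uses GNU date; on BSD/macOS replace with: date -j -f "%b %d %T %Y %Z" ... +%s
days_until_expiry() {
    not_after=$(openssl x509 -in "$1" -noout -enddate | cut -d= -f2)
    end_epoch=$(date -d "$not_after" +%s)
    echo $(( (end_epoch - $(date +%s)) / 86400 ))
}

# Return 0 if the certificate expires within $2 days (time to renew), else 1.
expires_within_days() {
    # -checkend N exits 0 while the cert is still valid N seconds from now
    if openssl x509 -in "$1" -noout -checkend $(( $2 * 86400 )) >/dev/null; then
        return 1
    fi
    return 0
}

# Report every .crt in a directory; return 1 if any is inside the renewal window.
check_renewals() {
    dir=$1; window=$2; rc=0
    for crt in "$dir"/*.crt; do
        [ -f "$crt" ] || continue
        left=$(days_until_expiry "$crt")
        if expires_within_days "$crt" "$window"; then
            echo "RENEW  $crt: $left days left"; rc=1
        else
            echo "ok     $crt: $left days left"
        fi
    done
    return $rc
}

# Constructed demo: one certificate with over a year left, one about to expire.
DEMO="${TMPDIR:-/tmp}/ssl-renewal-demo"
make_demo_cert() {  # $1 = days of validity, $2 = output .crt path
    openssl req -x509 -newkey rsa:2048 -nodes -days "$1" -subj "/CN=*.example.com" \
        -keyout "${2%.crt}.key" -out "$2" 2>/dev/null
}
mkdir -p "$DEMO"
make_demo_cert 400 "$DEMO/long.crt"
make_demo_cert 10 "$DEMO/short.crt"
check_renewals "$DEMO" 30 || echo "at least one certificate needs renewal"
```

A cron entry such as `0 8 * * * /usr/local/bin/check_renewals.sh /etc/nginx/ssl 30` (path and schedule are assumptions) turns the non-zero exit into a daily mail from cron.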
Troubleshooting Common Issues
Incorrect File Permissions
Set the correct file permissions on the certificate and key files. The Nginx process needs to read these files but not modify them, and the private key must not be readable by other users on the system:
sudo chmod 600 /etc/nginx/ssl/your_domain.key
sudo chmod 644 /etc/nginx/ssl/combined.crt
Nginx Fails to Start or Reload
Check the Nginx error log for detailed error messages:
sudo tail -f /var/log/nginx/error.log
Common causes include certificate files in the wrong location or format, file permission errors, and configuration files with syntax errors.
Conclusion
If you face any troubles or need help, don’t hesitate to contact Certera. Our technical specialists are ready to assist you with anything from the protection of your website from external threats to its fine-tuning for maximum efficiency.