SSL certificate installation with DigiCert®
Here is my story about SSL certificates. I got this ongoing project at my workplace and the site was already secured with SSL. When the certificate expired, the site went down. (You know how it feels as a developer.) I am writing this article to record my procedure.
Let’s have some basic knowledge first:
HTTPS — Hypertext Transfer Protocol Secure
HTTPS is HTTP carried over an encrypted connection, secured by TLS (or, historically, SSL). Securing the transfer protects against man-in-the-middle attacks, for example eavesdropping and tampering. This works because the communication between the client and the server is encrypted in both directions.
SSL — Secure Sockets Layer
TLS — Transport Layer Security
To make the site secure
To create a secure connection to the site we need an SSL certificate. The certificate is issued by a Certification Authority (CA). There are many certification authorities available. The most popular are
My story involves the CA DigiCert®.
SSL Certificate
An SSL certificate is issued for a key pair:
- Public Key
- Private Key
These keys are used to establish an encrypted connection. The SSL certificate also contains your
- Domain name
- Company name
- Address
- City
- State
- Country
- Expiration date of the Certificate and details of the CA
Here are the steps to generate and install the SSL certificate.
My project is Ruby on Rails + Nginx, and my server runs Ubuntu.
Step 01 — Create a CSR
CSR — Certificate Signing Request
We must create a CSR before ordering an SSL certificate.
A CSR is an encoded file containing the public key and the information needed to identify the company.
To generate the CSR, the following command will help (replace test-domain with your domain name):
openssl req -new -newkey rsa:2048 -nodes -keyout test-domain.key -out test-domain.csr
When this runs, it asks several questions about the organization.
Once completed, list the directory and you will see the CSR and the key.
This is what the CSR looks like inside:
So, on my server, I created a folder named “ssl” and ran this process inside it. Now I have both the CSR and the server's private key.
Step 02 — Create the SSL certificate
We bought the certificate from GeoTrust.
The certificate will be sent by email and will look like this:
-----BEGIN CERTIFICATE-----
[encoded data]
-----END CERTIFICATE-----
According to the certificate chain we also need the intermediate CA certificate, which looks like the one above. We can find the intermediate CA certificates from this link.
Finally, we have to concatenate the SSL certificate and the intermediate CA certificate (server certificate first, then the intermediate, which is the order Nginx expects). We can do that and produce the combined certificate with a single command:
cat ssl_certificate.crt IntermediateCA.crt > domain_name.crt
That’s all. Now you have the full certificate with you. Let’s move to the next step.
Step 03 — Install the certificate into Nginx
Here is my Nginx config file.
upstream puma {
  server unix:///shared/tmp/sockets/pml_prod-puma.sock;
}

# Force https for http requests
server {
  listen 80;
  listen [::]:80;
  server_name hello.picturemylife.se;
  return 301 https://$host$request_uri;
}

server {
  charset utf-8;
  listen 443;
  ssl on;
  ssl_certificate /home/deploy/ssl/test-cert.crt;
  ssl_certificate_key /home/deploy/ssl/private-key.key;
  # side note: only use TLS since SSLv2 and SSLv3 have had recent vulnerabilities
  ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
  #listen 80 default_server deferred;
  server_name hello.example.com;
  root /home/deploy/pml_prod/current/public;

  access_log /log/nginx.access.log;
  error_log /log/nginx.error.log info;

  location ^~ /assets/ {
    gzip_static on;
    expires max;
    add_header Cache-Control public;
    # Allow CORS
    add_header 'Access-Control-Allow-Origin' '*';
    add_header 'Access-Control-Allow-Methods' 'GET, POST, OPTIONS';
    add_header 'Access-Control-Allow-Headers' 'Accept,Authorization,Cache-Control,Content-Type,DNT,If-Modified-Since,Keep-Alive,Origin,User-Agent,X-Mx-ReqToken,X-Requested-With';
  }

  try_files $uri/index.html $uri @puma;

  location @puma {
    proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
    proxy_set_header Host $http_host;
    proxy_redirect off;
    proxy_pass http://puma;
  }

  error_page 500 502 503 504 /500.html;
  client_max_body_size 10M;
  keepalive_timeout 10;
}
The only part necessary for SSL is:
listen 443;
ssl on;
ssl_certificate /home/deploy/ssl/test-cert.crt;
ssl_certificate_key /home/deploy/ssl/private-key.key;
Step 04 — Restart Nginx
We have to restart Nginx:
sudo /etc/init.d/nginx restart
Step 05 — Verify the Security
It is also a good idea to verify the installation. DigiCert provides an SSL tool for verification. Here is the link for that.
Alternatively, open the following URL with your domain name as the host parameter:
https://www.digicert.com/help/?host=domain-name
Here is the result for our server's domain.
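As an added example (not from the article), here is a POSIX shell script with the local checks I would run on the Step 01 and Step 02 output before putting it into Nginx: that the private key matches the certificate, that the bundle chains to a trusted root, that the bundle starts with the server certificate, and that the certificate is not about to expire. It assumes openssl is installed and builds its own throwaway root, intermediate and server certificates in a temp directory; all file names and the host test-domain.example are constructed for the demo.

```shell
#!/bin/sh
# Added example, not from the original article: pre-flight checks on the files produced
# in Steps 01 and 02 before they go into Nginx. Assumes openssl is installed; all file
# names and the host name test-domain.example are constructed for the demo.
set -eu

# Succeeds if the private key and the (first) certificate in a file share a public key.
key_matches_cert() {   # usage: key_matches_cert KEY CERT
  k=$(openssl pkey -in "$1" -pubout -outform DER | openssl dgst -sha256)
  c=$(openssl x509 -in "$2" -pubkey -noout | openssl pkey -pubin -outform DER | openssl dgst -sha256)
  [ "$k" = "$c" ]
}

# Succeeds if LEAF is signed by INTERMEDIATE and INTERMEDIATE by the trusted ROOT.
chain_verifies() {     # usage: chain_verifies ROOT INTERMEDIATE LEAF
  openssl verify -CAfile "$1" -untrusted "$2" "$3" >/dev/null 2>&1
}

# Succeeds if the certificate is still valid DAYS from now (the expiry that took the site down).
valid_for_days() {     # usage: valid_for_days CERT DAYS
  openssl x509 -in "$1" -noout -checkend $(( $2 * 86400 )) >/dev/null
}

# Succeeds if the first certificate in the bundle is the server certificate, as Nginx expects.
bundle_leaf_first() {  # usage: bundle_leaf_first BUNDLE DOMAIN
  openssl x509 -in "$1" -noout -subject | grep -q "$2"
}

# Builds a throwaway root -> intermediate -> server chain in a temp dir and prints its path,
# mirroring the article's Step 01 (CSR) and Step 02 (server cert + intermediate bundle).
build_demo_chain() {
  d=$(mktemp -d); cd "$d"
  printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=keyCertSign,cRLSign\n' > ca.ext
  printf 'basicConstraints=CA:FALSE\nsubjectAltName=DNS:test-domain.example\n' > leaf.ext
  openssl req -new -newkey rsa:2048 -nodes -keyout root.key -out root.csr -subj '/CN=Demo Root' 2>/dev/null
  openssl x509 -req -in root.csr -signkey root.key -days 3650 -extfile ca.ext -out root.crt 2>/dev/null
  openssl req -new -newkey rsa:2048 -nodes -keyout inter.key -out inter.csr -subj '/CN=Demo Inter' 2>/dev/null
  openssl x509 -req -in inter.csr -CA root.crt -CAkey root.key -CAcreateserial -days 1825 \
    -extfile ca.ext -out IntermediateCA.crt 2>/dev/null
  # Step 01: the CSR and private key for the site
  openssl req -new -newkey rsa:2048 -nodes -keyout test-domain.key -out test-domain.csr \
    -subj '/CN=test-domain.example' 2>/dev/null
  openssl x509 -req -in test-domain.csr -CA IntermediateCA.crt -CAkey inter.key -CAcreateserial \
    -days 365 -extfile leaf.ext -out ssl_certificate.crt 2>/dev/null
  # Step 02: server certificate first, then the intermediate
  cat ssl_certificate.crt IntermediateCA.crt > domain_name.crt
  echo "$d"
}
```

Run the four checks against the real key, bundle and your CA's root instead of the demo files; a scheduled valid_for_days check on the installed certificate is what would have caught the outage described at the top of this post.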
The End…