Installing an EV SSL Certificate on Nginx
This is probably one of those things that everyone else knows, and I just didn’t show up for class that day. I had some trouble installing an Extended Validation SSL certificate on a client’s site this weekend, mostly due to my own lack of knowledge.
Generate the CSR
The goal of my task was to install an EV SSL certificate on an nginx web server. I had done it before with self-signed and normal (is that the right word?) certificates. As with any SSL certificate, the process started by generating a Certificate Signing Request (CSR) and a private key on the server. There is plenty of documentation on how to do that; in my case it was done with OpenSSL.
Get a Certificate from a Certifying Authority
The next step, which is common to all SSL certificates, was to send the CSR to a company that will issue a trusted SSL certificate. In my case, we chose Comodo since they had the best pricing. The process is pretty simple, and just involves verifying company information and uploading the CSR to them. However, be sure that your company information is in order before ordering an EV SSL certificate: the process of getting approved is much more stringent for extended validation.
I have had a few clients run into problems because their business registration didn’t match their domain registration, or because their physical address differed from their registered address. All of this can be resolved with a letter from a lawyer or an accountant (be sure they are a registered CPA).
Concatenating Multiple CRT Files
What came back from Comodo, in my case, was a ZIP file containing about 5 CRT files. The next step is to put them all together into one file so that nginx can use them. This is easy enough, although it turns out that you should do it in a particular order. Comodo had sent me the following files:
- AddTrustExternalCARoot.crt
- ComodoEVSGCCA.crt
- ComodoUTNSGCCA.crt
- UTNAddTrustSGCCA.crt
- sample-domain-name_com.crt
To put them all together into one file, you type the following into a terminal. The order matters: nginx expects your own domain certificate first, followed by the intermediate certificates, with the root certificate last (the root is optional, since clients already have it in their trust store). If the domain certificate is not first, nginx will refuse the bundle at startup because the first certificate's key does not match your private key:
cat sample-domain-name_com.crt ComodoEVSGCCA.crt ComodoUTNSGCCA.crt UTNAddTrustSGCCA.crt AddTrustExternalCARoot.crt > ssl-bundle.crt
Of course, you will have a different name for your domain CRT file, and will probably want to name the output file for your domain. So if your domain is mysite.com, you would call the output file (the file name after the redirect) mysite_com.crt. It probably doesn’t matter, but it seems like a good idea.
The output file will basically just be a text file with all the certificates put together, so you could just copy and paste all the files (in the right order) into another file and save it with the right name. Whatever method you use, you’ll want to open this file up and copy its contents into a new file on the web server, probably at:
/etc/ssl/certs/ssl-bundle.crt
You could also scp the file into place, but for me it’s just easier to copy and paste it. Save this file on the web server and we are almost ready.
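The ordering and key-match rules above are easy to get wrong with five similarly named files, so here is an added check script (not part of the original post, and not Comodo's tooling). It assumes the openssl command-line tool is on PATH. Because a real CA's files cannot be shipped inline, it generates a constructed throwaway root/intermediate/leaf chain for the made-up host name mysite.example, builds the bundle in both the correct and the reversed order, and shows that only the correct one passes the two checks nginx and browsers effectively perform: the first certificate's public key must match the private key, and the remaining certificates must form a verifiable chain for the host name.

```shell
#!/bin/sh
# Added example, not from the original post: build the PEM bundle in the
# order nginx requires (server certificate first, then intermediates, root
# last or omitted) and check it before it goes anywhere near the server.
# Assumes the openssl command-line tool is on PATH. The chain generated here
# is a constructed throwaway test PKI standing in for the files a CA sends;
# the host name mysite.example is made up.
set -eu

# Minimal config so "openssl req -subj" works without the system openssl.cnf.
write_req_conf() {
  printf '[req]\ndistinguished_name = dn\n[dn]\n' > "$1"
}

# Generate root -> intermediate -> leaf into directory $1 (constructed test PKI).
make_test_pki() {
  dir=$1
  mkdir -p "$dir"
  write_req_conf "$dir/req.cnf"
  printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign,cRLSign\n' > "$dir/ca.ext"
  printf 'basicConstraints=CA:FALSE\nsubjectAltName=DNS:mysite.example\n' > "$dir/leaf.ext"
  for name in root intermediate leaf; do
    openssl req -new -newkey rsa:2048 -nodes -config "$dir/req.cnf" \
      -subj "/CN=test $name" -keyout "$dir/$name.key" -out "$dir/$name.csr" 2>/dev/null
  done
  # Self-signed root, then intermediate signed by root, then leaf by intermediate.
  openssl x509 -req -days 2 -in "$dir/root.csr" -signkey "$dir/root.key" \
    -extfile "$dir/ca.ext" -out "$dir/root.crt" 2>/dev/null
  openssl x509 -req -days 2 -in "$dir/intermediate.csr" -CA "$dir/root.crt" \
    -CAkey "$dir/root.key" -CAcreateserial -extfile "$dir/ca.ext" \
    -out "$dir/intermediate.crt" 2>/dev/null
  openssl x509 -req -days 2 -in "$dir/leaf.csr" -CA "$dir/intermediate.crt" \
    -CAkey "$dir/intermediate.key" -CAcreateserial -extfile "$dir/leaf.ext" \
    -out "$dir/leaf.crt" 2>/dev/null
}

# Concatenate in the order given; call it with the server certificate first.
make_bundle() {
  out=$1; shift
  cat "$@" > "$out"
}

# nginx pairs ssl_certificate_key with the FIRST certificate in the bundle,
# so that certificate's public key must equal the private key's public half.
first_cert_matches_key() {
  [ "$(openssl x509 -in "$1" -noout -pubkey)" = "$(openssl pkey -in "$2" -pubout)" ]
}

# Verify the first certificate for host $3 using only the remaining
# certificates in the bundle as untrusted intermediates (the chain a client
# actually receives), anchored at the trusted root $2.
chain_verifies() {
  bundle=$1 root=$2 host=$3
  tmp=$(mktemp -d)
  awk -v p="$tmp/part" '/-----BEGIN CERTIFICATE-----/{n++} {print > (p n ".pem")}' "$bundle"
  : > "$tmp/chain.pem"
  for f in "$tmp"/part*.pem; do
    [ "$f" = "$tmp/part1.pem" ] || cat "$f" >> "$tmp/chain.pem"
  done
  set -- -CAfile "$root" -verify_hostname "$host"
  [ -s "$tmp/chain.pem" ] && set -- "$@" -untrusted "$tmp/chain.pem"
  rc=0
  openssl verify "$@" "$tmp/part1.pem" >/dev/null 2>&1 || rc=$?
  rm -rf "$tmp"
  return $rc
}

# Both checks together: run this before pointing nginx at the file.
check_bundle() {
  check_bundle_file=$1 check_bundle_key=$2 check_bundle_root=$3 check_bundle_host=$4
  first_cert_matches_key "$check_bundle_file" "$check_bundle_key" &&
    chain_verifies "$check_bundle_file" "$check_bundle_root" "$check_bundle_host"
}

# Demo against the constructed test PKI: correct order versus the reversed order.
D=$(mktemp -d)
make_test_pki "$D"
make_bundle "$D/mysite_example.crt" "$D/leaf.crt" "$D/intermediate.crt" "$D/root.crt"
make_bundle "$D/wrong-order.crt" "$D/root.crt" "$D/intermediate.crt" "$D/leaf.crt"
for b in mysite_example.crt wrong-order.crt; do
  if check_bundle "$D/$b" "$D/leaf.key" "$D/root.crt" mysite.example; then
    echo "$b: OK, server certificate first and chain verifies"
  else
    echo "$b: REJECT, first certificate does not match the key or chain does not verify"
  fi
done
rm -rf "$D"
```

Against real CA files, call `make_bundle` with your domain certificate first and the intermediates in leaf-to-root order, then `check_bundle bundle.crt mysite.key AddTrustExternalCARoot.crt mysite.com`; a bundle that passes here will also pass `nginx -t`, and browsers will receive the complete chain.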
Configuring Your Nginx Virtual Host
The last thing that we needed to do was to make some changes in our virtual host file. Basically, just like any other SSL site on nginx, you want to point to the file that contains all the certificates that we received from Comodo:
server {
    # "listen 443 ssl" replaces the older "ssl on;" directive, which is deprecated
    listen 443 ssl;
    server_name mysite.com;
    # the concatenated bundle: your certificate first, then the chain
    ssl_certificate /etc/ssl/certs/mysite_com.crt;
    # the private key generated alongside the CSR; keep it readable by root only
    ssl_certificate_key /etc/ssl/private/mysite.key;
}
Obviously, you want to be sure that you put your key (named mysite.key in the above example) into the correct private directory. From here, restart nginx and the certificate should be fine.
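Getting the key into "the correct private directory" also means getting its permissions right, and it pays to test the configuration before reloading. The following is an added helper (not part of the original post, and not an nginx tool) that installs the bundle world-readable and the key owner-only into the /etc/ssl paths the server block above assumes, then checks the configuration with `nginx -t` before a reload. The directories are parameters so the demo can run in a scratch tree without root, using constructed placeholder files rather than real key material.

```shell
#!/bin/sh
# Added example, not from the original post: put the bundle and the private
# key where the server block points, with the permissions a private key
# needs, then test the configuration before reloading. The /etc/ssl paths
# are the ones assumed by the post; the directories are parameters so the
# function can be exercised in a scratch tree without root.
set -eu

# The bundle is public and may be world-readable; the key must be readable by
# its owner only. In production run this as root so the files are root-owned
# (nginx reads the key as root before dropping privileges to its worker user).
install_tls_material() {
  bundle=$1 key=$2 certdir=$3 keydir=$4
  [ -s "$bundle" ] || { echo "missing bundle: $bundle" >&2; return 1; }
  [ -s "$key" ]    || { echo "missing key: $key" >&2; return 1; }
  grep -q 'BEGIN CERTIFICATE' "$bundle" || { echo "$bundle is not a PEM bundle" >&2; return 1; }
  grep -q 'PRIVATE KEY' "$key"         || { echo "$key is not a PEM private key" >&2; return 1; }
  mkdir -p "$certdir" "$keydir"
  chmod 0700 "$keydir"
  install -m 0644 "$bundle" "$certdir/$(basename "$bundle")"
  install -m 0600 "$key"    "$keydir/$(basename "$key")"
}

# Succeeds only if the file's mode is exactly 0600, which is what the key should end up as.
key_is_private() {
  [ -n "$(find "$1" -perm 0600 -print 2>/dev/null)" ]
}

# Check the configuration before reloading; a reload keeps existing connections
# open, whereas a restart drops them. Skipped when nginx is not installed here.
reload_nginx() {
  if command -v nginx >/dev/null 2>&1; then
    nginx -t && nginx -s reload
  else
    echo "nginx not installed here, skipping 'nginx -t' and reload" >&2
  fi
}

# Demo with constructed placeholder files in a scratch tree (not real key material).
S=$(mktemp -d)
printf '%s\n' '-----BEGIN CERTIFICATE-----' 'placeholder' '-----END CERTIFICATE-----' > "$S/mysite_com.crt"
printf '%s\n' '-----BEGIN PRIVATE KEY-----' 'placeholder' '-----END PRIVATE KEY-----' > "$S/mysite.key"
install_tls_material "$S/mysite_com.crt" "$S/mysite.key" "$S/etc/ssl/certs" "$S/etc/ssl/private"
key_is_private "$S/etc/ssl/private/mysite.key" && echo "key installed with mode 0600"
reload_nginx || echo "configuration test failed, not reloading" >&2
rm -rf "$S"
```

On the real server you would call `install_tls_material mysite_com.crt mysite.key /etc/ssl/certs /etc/ssl/private` as root and then `reload_nginx`; if `nginx -t` reports a key mismatch, the bundle's first certificate is not your domain certificate.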