How to install SSL certificate?
Prerequisites:-
OS: Ubuntu
Web Server: Nginx
Tools: openssl
Assumptions:-
1. You need to log in to the server using SSH to issue the various commands
2. Domain name that needs the certificate: mydomain.com
3. Private key file: mydomain.com.key
4. CSR: mydomain.com.csr
5. Cert file: mydomain.com.cert
Steps:-
1. Generate an RSA private key.
2. Generate a Certificate Signing Request (CSR) using the private key.
3. Purchase a valid SSL certificate from a Certificate Authority (CA). The CSR needs to be provided to the CA.
4. Verify that the private key matches the certificate.
5. Copy the certificate to the server and make the necessary changes.
Generate the Private Key :-
We are generating a 2048-bit RSA key. Log in to the server and issue the following command:
#openssl genrsa -out mydomain.com.key 2048
This will create the key file mydomain.com.key.
Generate the CSR :-
You must use the key file you created above to make the CSR file. Run the following command:-
#openssl req -new -key mydomain.com.key -out mydomain.com.csr
You need to enter the following details while generating CSR:-
Country Name (2 letter code) [GB]:
State or Province Name (full name) [Berkshire]:
Locality Name (eg, city) [Newbury]:
Organization Name (eg, company) [My Company Ltd]:
Organizational Unit Name (eg, section) []:
Common Name (eg, your name or your server’s hostname) []:
Email Address []:
Purchase a Valid SSL :-
You need to purchase a valid SSL certificate from any one of the CAs. You will have to provide the CSR to the CA, and the CA will then provide you with mydomain.com.cert.
Verifying that a Private Key Matches a Certificate :-
For SSL to work correctly, the certificate and the private key must match; otherwise SSL won’t work. You can issue the following commands to check the MD5 of the files. The MD5 values of all the files MUST be the same.
#openssl x509 -noout -modulus -in mydomain.com.cert | openssl md5
#openssl rsa -noout -modulus -in mydomain.com.key | openssl md5
#openssl req -noout -modulus -in mydomain.com.csr | openssl md5
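The same check as a reusable script, added here as an example and not part of the original article: it goes beyond the commands above by hashing the whole public key with SHA-256 instead of the MD5 of the RSA modulus, so it also works for non-RSA keys, and it reports an error instead of a match when a file cannot be parsed. The function names pubkey_digest, check_match and make_sample are hypothetical; the sample files are constructed throwaway data, with a self-signed certificate standing in for the CA-issued one, and the key is assumed to be unencrypted.

```shell
#!/bin/sh
# Added example: verify that key, CSR and certificate carry the same public key.

# Print the SHA-256 digest of the public key held in a file.
# $1 = kind (key|csr|cert), $2 = path. Assumes an unencrypted PEM key.
pubkey_digest() {
    case "$1" in
        key)  pem=$(openssl pkey -in "$2" -pubout 2>/dev/null) ;;
        csr)  pem=$(openssl req  -in "$2" -noout -pubkey 2>/dev/null) ;;
        cert) pem=$(openssl x509 -in "$2" -noout -pubkey 2>/dev/null) ;;
        *)    return 2 ;;
    esac || return 2
    [ -n "$pem" ] || return 2
    # Normalise to DER so PEM formatting differences cannot affect the digest.
    printf '%s\n' "$pem" | openssl pkey -pubin -outform DER 2>/dev/null |
        openssl dgst -sha256 -r | cut -d' ' -f1
}

# Return 0 on match, 1 on mismatch, 2 if a file cannot be parsed.
# $1 = private key, $2 = CSR, $3 = certificate
check_match() {
    k=$(pubkey_digest key  "$1") || { echo "cannot read key: $1" >&2; return 2; }
    r=$(pubkey_digest csr  "$2") || { echo "cannot read CSR: $2" >&2; return 2; }
    c=$(pubkey_digest cert "$3") || { echo "cannot read certificate: $3" >&2; return 2; }
    if [ "$k" = "$r" ] && [ "$k" = "$c" ]; then
        echo "OK: all three files share public key sha256:$k"
        return 0
    fi
    echo "MISMATCH: key=$k csr=$r cert=$c" >&2
    return 1
}

# Constructed sample data: a throwaway key, CSR and self-signed certificate
# (standing in for the CA-issued one) written to directory $1.
make_sample() {
    openssl genrsa -out "$1/mydomain.com.key" 2048 2>/dev/null &&
    openssl req -new -key "$1/mydomain.com.key" -subj "/CN=mydomain.com" \
        -out "$1/mydomain.com.csr" 2>/dev/null &&
    openssl req -x509 -new -key "$1/mydomain.com.key" -subj "/CN=mydomain.com" \
        -days 1 -out "$1/mydomain.com.cert" 2>/dev/null
}

# Usage: sh check_match.sh mydomain.com.key mydomain.com.csr mydomain.com.cert
if [ "$#" -eq 3 ]; then check_match "$@"; fi
```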
Install the Certificate :-
On an Nginx server, the SSL certificates are normally placed under the “/etc/nginx/certs” directory, so copy the Key, CSR and Cert files to this directory. Now you need to edit the vhost file for mydomain.com and specify the certificate files. In our case the included vhost file is “/etc/nginx/sites-enabled/mydomain.com”. Please check your “nginx.conf” for the locations of the vhost files. Now open “/etc/nginx/sites-enabled/mydomain.com” and add the following entries to the file:-
ssl on;
ssl_certificate /etc/nginx/certs/mydomain.com.cert;
ssl_certificate_key /etc/nginx/certs/mydomain.com.key;
Please make sure that you have placed the above code inside the server { } directive. Restart the nginx service. That is all that is needed. The new certificate should now be loaded successfully.
Note:-
Always keep a backup of the private key used for creating the SSL certificate file. This file is needed when you transfer your account or reinstall the certificate. If the key is lost, you need to generate a new key and CSR and buy a fresh SSL certificate.





