
How to Add Nginx SSL Certificate in CentOS 8


Learn how to add an Nginx SSL certificate to your web server on CentOS 8 with this step-by-step guide, enabling HTTPS and improving your website's security.

Overview

This article has two sections, one is about configuration of self-signed SSL certificates and the other is about installation of CA signed SSL certificates on Nginx web server.

We have been writing articles on the Nginx web server for a long time, but we usually configure the Nginx websites in plain text, i.e. HTTP, because we do not want to divert the reader's focus from the main topic of each article.

Nevertheless, we always recommend that system administrators serve their websites over HTTPS, especially those with an authentication system or a login form.

For this reason, we are now writing a separate article on the installation of SSL/TLS certificates on the Nginx web server. You may also find a similar article on our blog on how to install SSL/TLS certificates on the Apache web server.

What is an SSL Certificate?

An SSL (Secure Sockets Layer) certificate is a digital certificate that authenticates the identity of a website and encrypts the data transmitted between the web server and the web browser. This encryption ensures that sensitive information, such as login credentials, credit card numbers, and personal details, is securely transmitted, protecting it from being intercepted by hackers or other malicious entities.

SSL certificates are issued by Certificate Authorities (CAs) after a verification process. When a user visits a website with an SSL certificate, their browser checks that the certificate is valid and issued by a trusted CA. If the certificate is valid, the browser establishes a secure, encrypted connection with the server.

SSL certificates are crucial for:

In summary, an SSL certificate is a critical component of modern web security, essential for protecting user data, ensuring privacy, and establishing trust between users and websites.


Linux Server Specification

We are using a minimal CentOS 8 KVM guest with the following specification.

Install Nginx on CentOS 8

First of all, you need to install the Nginx web server on your Linux operating system. A working instance of Nginx is required so that you can convert the existing websites from HTTP to HTTPS by means of an SSL/TLS certificate.

Connect to nginx-01.centlinux.com as the root user by using an SSH client.

Verify the Linux operating system and kernel version.

# uname -a
Linux nginx-01.centlinux.com 4.18.0-193.6.3.el8_2.x86_64 #1 SMP Wed Jun 10 11:09:32 UTC 2020 x86_64 x86_64 x86_64 GNU/Linux

# cat /etc/redhat-release
CentOS Linux release 8.2.2004 (Core)

Here, we are using a CentOS Linux 8.2 operating system, but the steps you will perform are almost the same on other platforms.

In CentOS 8, Nginx is provided in the form of modules in the default yum repositories. List the available module streams.

# dnf module list nginx
Last metadata expiration check: 0:06:07 ago on Sun 19 Jul 2020 08:50:14 PM PKT.
CentOS-8 - AppStream
Name            Stream             Profiles             Summary
nginx           1.14 [d]           common [d]           nginx webserver
nginx           1.16               common [d]           nginx webserver

Hint: [d]efault, [e]nabled, [x]disabled, [i]nstalled

Install the default version of Nginx web server by using dnf command.

# dnf module install nginx

Enable and start nginx.service.

# systemctl enable --now nginx.service
Created symlink /etc/systemd/system/multi-user.target.wants/nginx.service → /usr/lib/systemd/system/nginx.service.

Allow the HTTP and HTTPS services in the Linux firewall.

# firewall-cmd --permanent --add-service={http,https}
success
# firewall-cmd --reload
success

Open URL http://nginx-01.centlinux.com in a web browser.

Nginx Default Homepage

Your Nginx web server has been installed successfully.

Add Nginx SSL Certificate (Self Signed) in Web Server

You can use self-signed SSL/TLS certificates for your Nginx websites if you are hosting a website on a network where the users are well aware of the authenticity of your website, or if you have not configured a certificate authority for your network.

A self-signed SSL/TLS certificate is one that is not signed by a Certificate Authority (CA). This type of certificate is easy to generate and costs nothing.

Create an nginx directory in /etc/pki to store the SSL/TLS certificate and private key.

# mkdir -p /etc/pki/nginx/private

Generate a private key and a self-signed SSL/TLS certificate by using the openssl command.

The openssl package is installed by default on a minimal CentOS / RHEL 8 operating system. If it is missing on your Linux server, install the openssl package by using the dnf command.

# openssl req -x509 -nodes -days 365 -newkey rsa:2048 -keyout /etc/pki/nginx/private/nginx-01.key -out /etc/pki/nginx/nginx-01.crt
Generating a RSA private key
................................+++++
.+++++
writing new private key to '/etc/pki/nginx/private/nginx-01.key'
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [XX]:PK
State or Province Name (full name) []:Sindh
Locality Name (eg, city) [Default City]:Karachi
Organization Name (eg, company) [Default Company Ltd]:CentLinux
Organizational Unit Name (eg, section) []:IT Lab
Common Name (eg, your name or your server's hostname) []:nginx-01.centlinux.com
Email Address []:ahmer@nginx-01.centlinux.com

Edit the Nginx configuration file and add a server block to enable HTTPS for your website.

# vi /etc/nginx/nginx.conf

The Nginx configuration file already contains a server block for HTTPS, but its directives are commented out by default.

Uncomment the following lines therein and update the paths of ssl_certificate and ssl_certificate_key.

# Settings for a TLS enabled server.

    server {
        listen       443 ssl http2 default_server;
        listen       [::]:443 ssl http2 default_server;
        server_name  _;
        root         /usr/share/nginx/html;

        ssl_certificate "/etc/pki/nginx/nginx-01.crt";
        ssl_certificate_key "/etc/pki/nginx/private/nginx-01.key";
        ssl_session_cache shared:SSL:1m;
        ssl_session_timeout  10m;
        ssl_ciphers PROFILE=SYSTEM;
        ssl_prefer_server_ciphers on;

        # Load configuration files for the default server block.
        include /etc/nginx/default.d/*.conf;

        location / {
        }

        error_page 404 /404.html;
            location = /40x.html {
        }

        error_page 500 502 503 504 /50x.html;
            location = /50x.html {
        }
    }

}   # closing brace of the enclosing http block in nginx.conf

Restart nginx.service to apply the changes.

# systemctl restart nginx.service

Open the URL https://nginx-01.centlinux.com in a web browser. The web browser will give you a warning about the security certificate of the website, because the certificate is self-signed and not issued by a CA the browser trusts. Ignore it and continue to your website.
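The interactive openssl req command above sets only a Common Name. Modern browsers ignore the CN and match the hostname against the subjectAltName (SAN) extension, so a CN-only self-signed certificate still fails the hostname check even after the warning is accepted. The following script is an added example, not part of the CentLinux article: it generates the same certificate non-interactively with a SAN, and its helper functions (gen_selfsigned, cert_sans, cert_is_self_signed and cert_valid_for_days are assumed names) inspect the result the way a browser would; the directory argument lets you try it in a scratch directory before using /etc/pki/nginx.

```shell
#!/bin/sh
# Added example, not part of the CentLinux article. The interactive openssl
# req command sets only a Common Name; browsers ignore the CN and match the
# host against the subjectAltName (SAN) extension, so a CN-only self-signed
# certificate fails hostname checks even after the warning is accepted.
set -u

# gen_selfsigned DIR HOST [DAYS]: write DIR/private/HOST.key and DIR/HOST.crt
# without prompts, with a SAN. On the server DIR would be /etc/pki/nginx.
gen_selfsigned() {
    dir=$1 host=$2 days=${3:-365}
    mkdir -p "$dir/private" && chmod 700 "$dir/private" || return 1
    # -subj replaces the DN prompts; -addext needs OpenSSL 1.1.1 or newer
    openssl req -x509 -nodes -days "$days" -newkey rsa:2048 \
        -keyout "$dir/private/$host.key" -out "$dir/$host.crt" \
        -subj "/C=PK/ST=Sindh/L=Karachi/O=CentLinux/OU=IT Lab/CN=$host" \
        -addext "subjectAltName=DNS:$host" 2>/dev/null || return 1
    chmod 600 "$dir/private/$host.key"   # only root (the nginx master) needs it
}

# cert_sans CERT: print the DNS names from the SAN extension, one per line
cert_sans() {
    openssl x509 -in "$1" -noout -text 2>/dev/null \
        | grep -o 'DNS:[^, ]*' | sed 's/^DNS://'
}

# cert_is_self_signed CERT: exit 0 when issuer equals subject, which is
# exactly why the browser shows the warning mentioned above
cert_is_self_signed() {
    s=$(openssl x509 -in "$1" -noout -subject 2>/dev/null | sed 's/^subject=//')
    i=$(openssl x509 -in "$1" -noout -issuer 2>/dev/null | sed 's/^issuer=//')
    [ -n "$s" ] && [ "$s" = "$i" ]
}

# cert_valid_for_days CERT DAYS: exit 0 when CERT is still valid DAYS from now
# (handy in a cron job to warn before the 365-day certificate expires)
cert_valid_for_days() {
    openssl x509 -in "$1" -noout -checkend $(( $2 * 86400 )) >/dev/null 2>&1
}
```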

Add Nginx SSL Certificate (CA Signed) in Web Server

Just as we used a self-signed SSL/TLS certificate above, anyone can generate and use a security certificate for their websites. This raises a big question mark over the authenticity of those websites.

Therefore, to prove the authenticity of your SSL/TLS certificate and your website, you need to have the certificate digitally signed by a globally trusted Certificate Authority.

The authenticity of that global Certificate Authority (CA) is in turn established by its own SSL/TLS certificate (known as the root CA certificate), which is installed by default in all major web browsers.

To get your SSL/TLS certificate signed by a certificate authority (CA), you need to generate a Certificate Signing Request (CSR) and send it to that CA.

Before generating a CSR, you need a private key. Generate one by using the openssl command.

# openssl genrsa -out /etc/pki/nginx/private/nginx-01.key 2048
Generating RSA private key, 2048 bit long modulus (2 primes)
.......................................................................................+++++
..................+++++
e is 65537 (0x010001)

Now, generate a CSR by using the above private key.

# openssl req -new -key /etc/pki/nginx/private/nginx-01.key -out /etc/pki/nginx/nginx-01.csr
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [XX]:PK
State or Province Name (full name) []:Sindh
Locality Name (eg, city) [Default City]:Karachi
Organization Name (eg, company) [Default Company Ltd]:CentLinux
Organizational Unit Name (eg, section) []:IT Lab
Common Name (eg, your name or your server's hostname) []:nginx-01.centlinux.com
Email Address []:ahmer@nginx-01.centlinux.com

Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:
An optional company name []:

Send this CSR (nginx-01.csr) to the CA by email or any other communication medium. Only the CSR leaves the server; the private key stays in /etc/pki/nginx/private.

The CA will then sign the CSR and send back two files: your signed certificate (nginx-01.crt) and the CA's certificate (CA.crt).

For the Nginx web server, you need to merge both of these certificates into a single file. Nginx serves the first certificate in the file as the server certificate and sends the remaining ones as the chain, so your own certificate must come first, followed by the CA certificate. Therefore, we generate a certificate bundle file as follows (using > rather than >> so that an existing bundle is replaced instead of appended to).

# cat nginx-01.crt CA.crt > /etc/pki/nginx/bundle.crt
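Before restarting Nginx, it is worth checking that bundle.crt is in the right order and belongs to the private key, because a bundle in the wrong order or a mismatched key breaks HTTPS for every client. The following script is an added example, not from the article; check_bundle and pubkey_hash are assumed names, and the file paths it expects (bundle.crt, nginx-01.key, CA.crt) are the ones used above.

```shell
#!/bin/sh
# Added example, not part of the CentLinux article: sanity-check a certificate
# bundle before restarting nginx. Nginx serves the FIRST certificate in the
# ssl_certificate file and sends the rest as the chain, so a bundle in the
# wrong order, or a key that belongs to a different certificate, breaks HTTPS.
set -u

# pubkey_hash FILE [cert]: SHA-256 of the DER public key, read from a PEM
# private key, or extracted from a PEM certificate when $2 is "cert".
pubkey_hash() {
    if [ "${2:-}" = cert ]; then
        openssl x509 -in "$1" -noout -pubkey 2>/dev/null \
            | openssl pkey -pubin -outform DER 2>/dev/null | openssl sha256
    else
        openssl pkey -in "$1" -pubout -outform DER 2>/dev/null | openssl sha256
    fi
}

# check_bundle BUNDLE KEY CA_CERT: exit 0 when the bundle is usable by nginx:
# it holds at least one certificate, the first one matches KEY, and that
# certificate chains to CA_CERT using the remaining bundle entries as
# untrusted intermediates. Example: check_bundle /etc/pki/nginx/bundle.crt \
#   /etc/pki/nginx/private/nginx-01.key /path/to/CA.crt
check_bundle() {
    bundle=$1 key=$2 ca=$3
    n=$(grep -c -- '-----BEGIN CERTIFICATE-----' "$bundle" 2>/dev/null || true)
    [ "$n" -ge 1 ] || { echo "$bundle: no certificate found"; return 1; }
    kh=$(pubkey_hash "$key")
    [ -n "$kh" ] || { echo "$key: cannot read private key"; return 1; }
    leaf=$(mktemp)
    # openssl x509 reads only the first PEM block, which is what nginx serves
    openssl x509 -in "$bundle" -out "$leaf" 2>/dev/null
    if [ "$(pubkey_hash "$leaf" cert)" != "$kh" ]; then
        echo "$bundle: first certificate does not belong to $key (wrong order?)"
        rm -f "$leaf"; return 2
    fi
    if ! openssl verify -CAfile "$ca" -untrusted "$bundle" "$leaf" >/dev/null 2>&1; then
        echo "$bundle: server certificate does not chain to $ca"
        rm -f "$leaf"; return 3
    fi
    rm -f "$leaf"
    echo "$bundle: $n certificate(s), key matches, chain verifies"
}
```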

Edit the Nginx configuration file to enable HTTPS and install the CA-signed SSL/TLS certificate.

# vi /etc/nginx/nginx.conf

You need a server block that enables HTTPS in Nginx. Luckily, the Nginx configuration file already contains a server block specific to SSL/TLS configuration.

Locate and uncomment the following server block, and update the paths of the SSL/TLS certificate bundle and the private key therein.

# Settings for a TLS enabled server.

    server {
        listen       443 ssl http2 default_server;
        listen       [::]:443 ssl http2 default_server;
        server_name  _;
        root         /usr/share/nginx/html;

        ssl_certificate "/etc/pki/nginx/bundle.crt";
        ssl_certificate_key "/etc/pki/nginx/private/nginx-01.key";
        ssl_session_cache shared:SSL:1m;
        ssl_session_timeout  10m;
        ssl_ciphers PROFILE=SYSTEM;
        ssl_prefer_server_ciphers on;

        # Load configuration files for the default server block.
        include /etc/nginx/default.d/*.conf;

        location / {
        }

        error_page 404 /404.html;
            location = /40x.html {
        }

        error_page 500 502 503 504 /50x.html;
            location = /50x.html {
        }
    }

}   # closing brace of the enclosing http block in nginx.conf

Restart the Nginx service to apply changes.

# systemctl restart nginx.service

Open the URL https://nginx-01.centlinux.com in a web browser. This time the page is served over HTTPS without any certificate warning or error, because the browser can chain the certificate to a root CA it already trusts.

We recommend a very good book for the readers of this article, Bulletproof SSL and TLS by Ivan Ristic, for understanding and deploying SSL/TLS and PKI to secure servers and web applications.

Final Thoughts

Adding an SSL certificate to your Nginx server on CentOS 8 is a crucial step in securing your website and ensuring that your users’ data is protected. By following the steps outlined in this guide, you can enhance your website’s security, build trust with your visitors, and comply with industry standards for data protection.

If you need professional assistance with adding an SSL certificate to your Nginx server or any other server configuration tasks, I offer expert services on Fiverr. Feel free to check out my service offerings and get in touch for personalized support: How to Add Nginx SSL Certificate in CentOS 8.

Thank you for reading, and I look forward to helping you secure your website!
