Obtain and install a free SSL certificate on Nginx

Get a Free SSL Certificate

Until the past year I never really bothered to put my projects behind SSL. It always seemed like more of a hassle than it was worth, and I didn’t like the idea of paying $50+ for a properly-signed SSL certificate when none of my projects were commercial or transmitting sensitive information.

As my projects became more elaborate, I began encountering scenarios where encryption really was called for, so I began using self-signed certificates to avoid transmitting plain-text passwords. While the connections were secure, the lack of independent verification from a certificate authority resulted in browser warnings that would deter users from proceeding.

Then just this August came the news that Google would be giving a slight rank boost to HTTPS sites and I decided it was finally time for me to break down and buy a certificate. Luckily, there are now a number of affordable options, including a free class 1/individual SSL certificate from StartSSL.com.

In this tutorial we’ll walk through how to obtain a free SSL certificate and install it on Nginx.

Obtain Free SSL Certificate from StartSSL

In order to obtain a free SSL certificate, you’ll need to be able to verify ownership of the domain you’d like to use with the certificate.

Control Panel Authentication

Go to https://www.startssl.com. Click Control Panel in the upper right of the screen.

On the Authenticate or Sign-up? screen click Express Lane.

You’ll arrive at a Personal Enrollment Details screen. Because this is a class 1 certificate, you’ll enter your personal information here rather than that of a business or organization. The email address entered here will be sent a verification code.

[Screenshots: StartSSL Registration; StartSSL Verification Code]

Shortly after submitting your registration, you’ll receive an email with the verification code needed to complete your registration.

With your account active, you’re prompted to generate your initial private key. This certificate is just for authenticating with StartSSL’s control panel. Select 2048 (High Grade) and click Generate. When the key is done generating, click Install.

[Screenshots: StartSSL Browser Key; StartSSL Install Certificate]

StartSSL suggests you back up your client certificates:

Click on the “Options” icon in the upper left. Select “Settings” from the menu. Click on “Advanced Settings” and then in the HTTPS/SSL section, click on the “Manage certificates…” button. Select the certificate(s) you want to export, click on the “Export…” button and follow the prompts from the Export Certificate Wizard that pops up. Make sure to include the private key as well, and export as a .p12 file.

Domain Name Validation

Now you can begin the process of generating the certificate for your site. Click on Control Panel and then Validations Wizard. For the Type, choose Domain Name Validation.

You’ll be able to enter your domain and select the appropriate TLD.

[Screenshots: StartSSL Domain Validation; StartSSL Enter Domain]

You’ll be provided with a list of email addresses for domain verification: hostmaster@, postmaster@, webmaster@, and the domain’s contacts. Select one where you can receive the validation code. This address will be included as the Subject: E attribute on your certificate. Entering the code validates the domain for certificate creation for 30 days.

Return to the Control Panel and go to Certificates Wizard. This time for Certificate Type you’ll select Web Server SSL/TLS Certificate.

[Screenshots: StartSSL Complete Validation; StartSSL Certificate Wizard]

Certificate Wizard

Return to Certificates Wizard and for Certificate Target select Web Server SSL/TLS Certificate. Enter a password consisting of 10 to 32 numbers and letters for your key. Keysize can remain 2048 and Secure Hash Algorithm should be SHA2.

After submitting your key password, you’ll be provided with your encrypted private key. Copy and paste the contents of the box into a text file and save it with a .key extension (e.g., rudeotter.key). The key can be decrypted now if you have OpenSSL, otherwise this can wait until after the file has been moved to your server.

[Screenshots: StartSSL Choose Key Password; StartSSL Save Private Key]

After saving your private key, you’re asked to select the top level domain you’d like to use for your certificate. If the domain you want is not in the dropdown menu, you’ll need to add it using the Validations Wizard.

You’ll be asked to enter a subdomain for the domain you just selected. In most cases, you’ll want to use www.

[Screenshots: StartSSL Add Domains; StartSSL Add Subdomain]

You’ll be able to review the domain and subdomain before processing the certificate. Continue and you’ll either receive your certificate immediately like your private key, or you will be told that an additional check is required.

If you receive your certificate immediately, save it to a text file with a .crt extension (e.g., rudeotter.crt). Otherwise, you’ll have to wait for your request to be approved at which point it can be downloaded by visiting Retrieve Certificate under Tool Box.

[Screenshots: StartSSL Process Certificate; StartSSL Additional Check]

Server Location

There are a number of different places to put your keys and certificates when you move them to your server. I’ve started putting mine in /srv/ssl lately, because it just seems to make sense given the Filesystem Hierarchy Standard. That’s also why I use /srv/www as well, despite Ubuntu/Debian wanting to keep using /var.

Create the ssl directory if it doesn’t already exist with mkdir -p /srv/ssl and move your certificate and private key there. Decrypt your key if it is still encrypted and secure the file’s permissions.

openssl rsa -in rudeotter.key -out rudeotter.key
chmod 400 rudeotter.key

Install SSL certificate in Nginx

With Nginx, you’ll need to append the intermediate certificate to your site’s certificate, creating a chain. It is not necessary to include the root certificate in your chain: clients ignore it (they must already trust the root from their own store) and sending it only wastes bandwidth.

Use either of the following to create the necessary SSL certificate chain.

Intermediate Only:

wget -O - https://www.startssl.com/certs/sub.class1.server.ca.pem | tee -a /srv/ssl/rudeotter.crt > /dev/null

Intermediate and Root (unnecessary):

wget -O - https://www.startssl.com/certs/sub.class1.server.ca.pem https://www.startssl.com/certs/ca.pem | tee -a /srv/ssl/rudeotter.crt > /dev/null
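The one thing the tee -a commands above do not guard against is a site certificate that was saved without a trailing newline, in which case the END line of the site certificate and the BEGIN line of the intermediate run together and Nginx refuses the file. The script below is an added example, not part of the original post or of StartSSL’s tooling: it builds the chain with the site certificate first and the intermediate second, inserts the missing newline when needed, then checks with OpenSSL that the private key belongs to the certificate and that the chain verifies. File paths, and the assumption that the decrypted key and the downloaded intermediate are already on disk, are the example’s own.

```shell
#!/bin/sh
# Added example: assemble and sanity-check an Nginx certificate chain.
# Assumes: $site = the .crt saved from StartSSL, $inter = the downloaded
# sub.class1.server.ca.pem, $key = the already-decrypted private key.

# Append a PEM file to another, first making sure the destination ends with
# a newline so the two "-----" marker lines never share a line.
append_pem() {
  dst=$1; src=$2
  # $(tail -c 1) is empty when the last byte is a newline (the shell strips it)
  if [ -s "$dst" ] && [ -n "$(tail -c 1 "$dst")" ]; then
    printf '\n' >> "$dst"
  fi
  cat "$src" >> "$dst"
}

# Number of certificate blocks in a PEM bundle; a site cert plus one
# intermediate gives 2. The root is deliberately left out.
pem_cert_count() {
  grep -c -- '-----BEGIN CERTIFICATE-----' "$1"
}

# Build the chain file: site certificate first, then the intermediate that
# issued it (order matters: each cert must be signed by the one after it).
build_chain() {
  site=$1; inter=$2; out=$3
  cp "$site" "$out"
  append_pem "$out" "$inter"
  chmod 644 "$out"
}

# Checks to run before pointing Nginx at the files (all standard openssl calls):
#  1. the public key inside the certificate must equal the key file's public key
#  2. the chain must verify through the intermediate to a root in the system
#     trust store (pass the StartSSL ca.pem with -CAfile if the root is absent)
check_pair() {
  chain=$1; key=$2; inter=$3
  chmod 400 "$key"
  c=$(openssl x509 -noout -pubkey -in "$chain" | openssl sha256)
  k=$(openssl pkey -pubout -in "$key" | openssl sha256)
  [ "$c" = "$k" ] || { echo "private key does not match certificate" >&2; return 1; }
  openssl verify -untrusted "$inter" "$chain" >/dev/null
}

# Usage (paths follow the post's layout):
#   build_chain /srv/ssl/rudeotter.crt sub.class1.server.ca.pem /srv/ssl/chain.crt
#   check_pair  /srv/ssl/chain.crt /srv/ssl/rudeotter.key sub.class1.server.ca.pem
# and then use /srv/ssl/chain.crt as ssl_certificate in the server block.
```

Keep the original .crt untouched and point ssl_certificate at the generated chain file, so a mistake in the chain can be redone from the saved certificate.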

To enable SSL, add a server block listening on port 443 with ssl and include the ssl_certificate and ssl_certificate_key parameters. A very basic SSL server block is shown below. If you do not want to support IPv6, just remove the listen [::]:443 ssl line:

server {
  listen [::]:443 ssl;
  listen 443 ssl;

  server_name rudeotter.com;
  ssl_certificate /srv/ssl/rudeotter.crt;
  ssl_certificate_key /srv/ssl/rudeotter.key;

  root /srv/www/rudeotter.com/htdocs;
  index index.html index.htm;
}

To redirect HTTP to HTTPS, 301 redirects can be used just as when www is redirected to root or root to www.

server {
  listen [::]:80;
  listen 80;

  server_name rudeotter.com;

  return 301 https://rudeotter.com$request_uri;
}

Test your new Nginx configuration and SSL certificate:

nginx -t

If all goes well, restart Nginx to use the new configuration: service nginx restart.

Next Steps

Visit your site to see if the green SSL icon appears in the address bar, indicating your free SSL certificate from StartCom was installed successfully. If you encounter an error, first confirm that you’re using the correct certificate for your domain. Once you’ve confirmed that you’re using the correct certificate, take a look at the Nginx error logs.

As you’re tweaking your SSL settings, you’ll certainly want to do a thorough analysis of your configuration. For this, use the free SSL test from Qualys. This test will check your certificates and the available protocols and ciphers, and perform handshake simulations. It will let you know if there are any problems with your configuration and whether you’re vulnerable to bugs such as Poodlebleed or Heartbleed.


One response to “Obtain and install a free SSL certificate on Nginx”

  1. […] Until relatively recently, implementing HTTPS without subjecting users to browser warnings meant having to pay a certificate authority (CA) to formally issue a certificate. With the cost of these certificates easily exceeding what many individuals would pay for domain registration and hosting, the likelihood of widespread adoption plummets. Lately SSL certificates have become much more affordable, and class 1 certificates could be obtained free of charge from StartCom provided you were willing to navigate their awkward interface and validation process. […]