Search form

Installing an SSL Certificate on Nginx

How to create and install an SSL certificate for Nginx 1.10 on Ubuntu 16. (Apache setup here.) This setup also gets you an A on the SSL Labs SSL Server Test.

Part I: Create and Obtain your SSL Cert

1. Create your key and certificate signing request:

root@ubuntu:/# openssl req -new -newkey rsa:2048 -nodes -keyout -out

2. Move the .key file to your keys directory, readable only by root, e.g., /etc/ssl/keys:

root@ubuntu:/# mv /etc/ssl/keys/.
root@ubuntu:/# chmod 400 /etc/ssl/keys/

3. Purchase a certificate from InCommon, GeoTrust, etc. You'll need to send them the contents of the .csr file generated in step 1. If they ask what kind of cert you want, select OpenSSL.

4. The cert (.crt file) will be emailed to the technical contact in your WHOIS record. If the vendor also sends you an intermediate file, add it to your cert:

root@ubuntu:/# cat >>

5. Create a fix for the weak Diffie-Hellman problem:

root@ubuntu:/# openssl dhparam -out dhparams.pem 2048

6. Place both your and dhparams.pem files in /etc/ssl/certs/ .

Part II: Set Up Nginx

1. Create your /etc/nginx/sites-available/ file:

# For SSL only
server {
        listen 80;
        listen [::]:80;
        server_name;   # redirects http://www and http://non-www to https://non-www
        return 301$request_uri;

# Redirects https://www to https://non-www
server {
        listen 443 ssl;
        return 301$request_uri;

server {
        listen 443 ssl;

        root /var/www/;

        index index.html index.php;

        # Point these to your .key and .crt files from Part I
        ssl_certificate /etc/ssl/certs/;
        ssl_certificate_key /etc/ssl/private/;


        ssl_prefer_server_ciphers on;
        # Point this to your dhparams file from Part I
        ssl_dhparam /etc/ssl/certs/dhparams.pem;


2. Create a symlink in sites-enabled, and restart Nginx:

root@ubuntu:/# ln -s /etc/nginx/sites-available/ /etc/nginx/sites-enabled/
root@ubuntu:/# systemctl restart nginx