CSR to SSL Conversion and Installation Guide

Securing your website with an SSL certificate is essential for encrypting data and ensuring trust. This guide walks you through converting a Certificate Signing Request (CSR) into an SSL certificate, extracting necessary files, setting up your Nginx server, and verifying SSL installation.

Step 1: Extract Certificates from PFX (if needed)

If you receive your SSL certificate in a .pfx file format, you need to extract the .crt and .key files for Nginx configuration. Use the following commands:

openssl pkcs12 -in ssltest-bd.ssl.com.pfx -clcerts -nokeys -out ssltest-bd_ssltest_com.crt
openssl pkcs12 -in ssltest-bd.ssl.com.pfx -nocerts -nodes -out ssltest-bd_ssltest_com.key

This will generate:

  • ssltest-bd_ssltest_com.crt (SSL Certificate)
  • ssltest-bd_ssltest_com.key (Private Key)

Step 2: Create the Chain Certificate

Nginx requires a full chain certificate to function properly. Concatenate the intermediate and root CA certificates using:

cat ssltest-bd.ssltest.com.interca.crt ssltest-bd.ssltest.com.rootca.crt > ssltest-bd_ssltest_com_chain.crt

Step 3: Copy Certificates to the Secure Directory

Move the extracted and concatenated certificates to a secure location:

cp ssltest-bd_ssltest_com.crt /etc/ssl/
cp ssltest-bd_ssltest_com.key /etc/ssl/
cp ssltest-bd_ssltest_com_chain.crt /etc/ssl/

Set proper permissions for security:

chmod 644 /etc/ssl/ssltest-bd_ssltest_com.crt /etc/ssl/ssltest-bd_ssltest_com_chain.crt
chmod 600 /etc/ssl/ssltest-bd_ssltest_com.key
chown root:root /etc/ssl/*

Step 4: Update the Nginx SSL Configuration

Create a new configuration file for the SSL-enabled domain:

nano /etc/nginx/conf.d/ssltest-bd.ssltest.com.conf

Add the following content:

server {
    listen 80;
    server_name ssltest-bd.ssltest.com;
    return 301 https://$host$request_uri;  # Redirect HTTP to HTTPS
}

server {
    listen 443 ssl;
    server_name ssltest-bd.ssltest.com;

    root /var/www/ssltest-bd.ssltest.com/public;
    index index.php index.html index.htm;

    ssl_certificate /etc/ssl/ssltest-bd_ssltest_com.crt;
    ssl_certificate_key /etc/ssl/ssltest-bd_ssltest_com.key;
    ssl_trusted_certificate /etc/ssl/ssltest-bd_ssltest_com_chain.crt;

    ssl_protocols TLSv1.2 TLSv1.3;
    ssl_ciphers HIGH:!aNULL:!MD5;
    ssl_prefer_server_ciphers on;
    keepalive_timeout 70;

    location / {
        try_files $uri $uri/ /index.php?$query_string;
    }

    location ~ \.php$ {
        fastcgi_pass unix:/run/php-fpm/www.sock;
        fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
        include fastcgi_params;
        fastcgi_intercept_errors on;
        fastcgi_index index.php;
    }

    error_page 404 /404.html;
    location = /404.html {
        root /var/www/ssltest-bd.ssltest.com/public;
        internal;
    }

    access_log /var/log/nginx/ssltest-bd.ssltest.com_access.log;
    error_log /var/log/nginx/ssltest-bd.ssltest.com_error.log;
}

Step 5: Test and Restart Nginx

Verify the Nginx configuration before restarting:

nginx -t

If no errors are detected, restart Nginx to apply the new SSL settings:

systemctl restart nginx

Step 6: Verify SSL Installation

Confirm that SSL is correctly installed using OpenSSL:

openssl s_client -connect ssltest-bd.ssltest.com:443 -servername ssltest-bd.ssltest.com

Alternatively, check using an online SSL checker such as: 🔗 SSL Checker

Conclusion

Following these steps, you have successfully converted your CSR into an SSL certificate, installed it on an Nginx server, and verified its deployment. Ensuring your SSL is configured correctly enhances security and trustworthiness for users visiting your website.

Reference Links:

By following this guide, you ensure that your website remains secure and compliant with modern encryption standards.

Leave a Reply

Your email address will not be published. Required fields are marked *