How to Install SSL Certificate on NGINX Server

To serve your website over HTTPS, you need to install an SSL certificate on your NGINX server. This guide walks through the process step by step: creating a private key and certificate, configuring NGINX to use them, and testing the result.

Step 1: Generate a private key and a certificate signing request (CSR).

To generate a private key, you can use the openssl command-line tool. The example below passes -x509, so it produces a private key and a self-signed certificate in one step instead of a CSR:

# Generate a self-signed certificate 
sudo openssl req -x509 -nodes -days 365 -newkey rsa:2048 -keyout /path/to/your/private.key -out /path/to/your/certificate.crt
Country Name (2 letter code) []:
State or Province Name (full name) []:
Locality Name (eg, city) []:
Organization Name (eg, company) []:
Organizational Unit Name (eg, section) []:
Common Name (eg, fully qualified host name) []: your_ip_address
Email Address []:

This command generates a self-signed X.509 certificate using OpenSSL. Here is what each option does:

  • -x509: This option tells OpenSSL to create a self-signed certificate instead of a CSR. Self-signed certificates are useful for testing purposes, but they are not trusted by web browsers.
  • -nodes: This option tells OpenSSL not to encrypt the private key with a passphrase. NGINX can then load the key without prompting for a passphrase, but the key sits on disk unencrypted, so keep the file readable only by root.
  • -days 365: This option tells OpenSSL to create a certificate that is valid for 365 days.
  • -newkey rsa:2048: This option tells OpenSSL to generate a new RSA private key with a key size of 2048 bits.
  • -keyout /path/to/your/private.key: This option tells OpenSSL to save the private key to the specified file.
  • -out /path/to/your/certificate.crt: This option tells OpenSSL to save the certificate to the specified file.

Step 2: Obtain an SSL Certificate

To get a certificate that browsers trust, obtain an SSL certificate from a trusted Certificate Authority (CA). You can either purchase an SSL certificate from a third-party provider, or you can generate a free SSL certificate using Let’s Encrypt.

Step 3: Install NGINX

The NGINX web server must be installed on your system. If it is not already installed, install it by running the following commands:

$ sudo apt-get update
$ sudo apt-get install nginx

Step 4: Configure NGINX to Use SSL

Next, you need to configure NGINX to use SSL. To do so, follow these steps:

Create a new directory for your SSL certificate:

$ sudo mkdir /etc/nginx/ssl

Copy your SSL certificate and private key to the new directory:

$ sudo cp /path/to/your/certificate.crt /etc/nginx/ssl/ 
$ sudo cp /path/to/your/private.key /etc/nginx/ssl/

Open the NGINX configuration file in a text editor:

$ sudo nano /etc/nginx/sites-available/default

Add the following lines to the file, inside the server block:

listen 443 ssl;
ssl_certificate /etc/nginx/ssl/certificate.crt;
ssl_certificate_key /etc/nginx/ssl/private.key;

Save and close the file.

Test the NGINX configuration file:

$ sudo nginx -t

If there are no errors, reload NGINX:

$ sudo service nginx reload

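That’s it! Your NGINX server is now configured to use SSL. You can test it by visiting your website over HTTPS (https://yourwebsite.com/). If you used the self-signed certificate from Step 1, expect a browser warning, because self-signed certificates are not trusted by web browsers.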
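
An added example, not part of the original guide: a check to run on the certificate and key copied in Step 4 before reloading NGINX. It verifies that the passphrase-less key is not readable by other users, that the key belongs to the certificate, and that the certificate is not about to expire. The function name check_tls_pair and the 14-day default are assumptions made for this example.

```shell
#!/bin/sh
# Added example: sanity-check the files named by ssl_certificate and
# ssl_certificate_key before running "nginx -t" and reloading.
# check_tls_pair is a hypothetical helper name, not an NGINX or OpenSSL tool.

# Usage: check_tls_pair CERT KEY [MIN_DAYS]
# Returns 0 if all checks pass, otherwise:
#   1 = file missing or unreadable   2 = key readable by group or others
#   3 = key does not match cert      4 = cert expires within MIN_DAYS
check_tls_pair() {
    cert=$1; key=$2; min_days=${3:-14}

    [ -r "$cert" ] && [ -r "$key" ] || { echo "cannot read $cert or $key"; return 1; }

    # The key was written with -nodes (no passphrase), so file permissions
    # are its only protection. Reject any group/other permission bits.
    mode=$(stat -c '%a' "$key")
    if [ $(( 0$mode & 077 )) -ne 0 ]; then
        echo "$key has mode $mode; expected 600 or 400"
        return 2
    fi

    # Compare the public key inside the certificate with the one derived
    # from the private key. "nginx -t" fails when the two do not match.
    cert_pub=$(openssl x509 -in "$cert" -noout -pubkey) || return 1
    key_pub=$(openssl pkey -in "$key" -pubout) || return 1
    if [ "$cert_pub" != "$key_pub" ]; then
        echo "$key is not the private key for $cert"
        return 3
    fi

    # -checkend exits non-zero if the certificate expires within N seconds.
    if ! openssl x509 -in "$cert" -noout -checkend $(( min_days * 86400 )) >/dev/null; then
        echo "$cert expires within $min_days days"
        return 4
    fi
    echo "OK: $cert and $key"
}

# Run directly, for example:
#   sudo sh check_tls_pair.sh /etc/nginx/ssl/certificate.crt /etc/nginx/ssl/private.key
if [ "$#" -ge 2 ]; then
    check_tls_pair "$@"
fi
```

If the permission check fails, sudo chmod 600 /etc/nginx/ssl/private.key restricts the key to its owner.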

Alternative Solutions for Installing SSL Certificate on NGINX Server

While the above method provides a manual approach to installing an SSL certificate on an NGINX server, there are alternative methods that can simplify the process, especially when dealing with Let’s Encrypt certificates. Here are two such alternatives:

1. Using Certbot (Recommended for Let’s Encrypt)

Certbot is a free, open-source software tool that automates the process of obtaining and installing Let’s Encrypt certificates. It integrates seamlessly with NGINX and simplifies the entire SSL configuration.

Explanation:

Certbot automates several tasks:

  • It obtains a certificate from Let’s Encrypt.
  • It modifies your NGINX configuration to use the certificate.
  • It sets up automatic certificate renewal.

This eliminates the need to manually create CSRs, copy files, and edit configuration files. Certbot handles everything for you, making the process significantly easier and less prone to errors.

Installation and Usage:

  1. Install Certbot:

    On Ubuntu/Debian:

    sudo apt update
    sudo apt install certbot python3-certbot-nginx

    On CentOS/RHEL:

    sudo yum install epel-release
    sudo yum install certbot python3-certbot-nginx

  2. Run Certbot:

    sudo certbot --nginx -d yourdomain.com -d www.yourdomain.com

    Replace yourdomain.com with your actual domain name. Certbot will automatically detect your NGINX configuration and prompt you to configure HTTPS settings.

  3. Follow the prompts:

    Certbot will ask you a few questions, such as whether you want to redirect HTTP traffic to HTTPS. Answer these questions according to your preferences.

  4. Automatic Renewal:

    Certbot automatically sets up a cron job to renew your certificates before they expire. You can test the renewal process with:

    sudo certbot renew --dry-run

Advantages:

  • Automation: Simplifies the entire SSL certificate installation and renewal process.
  • Security: Follows best practices for SSL configuration.
  • Free: Uses Let’s Encrypt certificates, which are free to use.
  • Easy Renewal: Automates the renewal process, preventing certificate expiration issues.

2. Using a Web Hosting Control Panel (cPanel, Plesk, etc.)

Many web hosting providers offer control panels like cPanel, Plesk, or DirectAdmin. These control panels often have built-in tools for managing SSL certificates, simplifying the installation process.

Explanation:

Web hosting control panels provide a graphical interface for managing various aspects of your web hosting account, including SSL certificates. These panels typically include features to:

  • Generate CSRs.
  • Install SSL certificates.
  • Manage certificate renewals.

Using a control panel eliminates the need to use the command line or manually edit configuration files.

General Steps (varies depending on the control panel):

  1. Log in to your control panel.
  2. Find the SSL/TLS Manager (or similar). The exact name and location of this feature will vary depending on the control panel.
  3. Generate a CSR (if you don’t already have one). The control panel will guide you through the process of entering the necessary information.
  4. Purchase or obtain an SSL certificate.
  5. Upload or paste the certificate into the control panel. The control panel will typically provide a field for the certificate itself and a separate field for the private key.
  6. Install the certificate. The control panel will automatically configure your web server (NGINX in this case) to use the certificate.

Advantages:

  • User-Friendly Interface: Provides a visual interface for managing SSL certificates, making it easier for users who are not comfortable with the command line.
  • Simplified Process: Automates many of the steps involved in installing and managing SSL certificates.
  • Integrated Management: Centralizes SSL certificate management within the control panel.

Disadvantages:

  • Dependence on Control Panel: The specific steps and features will vary depending on the control panel being used.
  • Cost: Web hosting control panels are often part of a paid hosting plan.

In conclusion, while manual configuration is possible, using Certbot or a web hosting control panel offers more streamlined and automated solutions for installing SSL certificates on NGINX servers, especially for Let’s Encrypt certificates. Choosing the best method depends on your technical expertise, hosting environment, and preference for automation. Knowing how to install an SSL certificate on an NGINX server is essential for any website owner.
