February 08, 2015

Purchase and Install an SSL Certificate

See how to purchase and install a production SSL certificate. Don't miss the followup video where we debug and fix some installation issues.

We'll cover purchasing and installing an SSL certificate.

Warning

I make a mistake here that is fixed in the next video, "Testing and Debugging SSL Certificates"!

Log into your server. I'm using Ubuntu 12.04.4 in this video.

Let's make sure we have openssl installed:

# See that openssl is available to use
which openssl

I choose to keep SSL certificates in the /etc/ssl directory.

sudo mkdir /etc/ssl/sfh
cd /etc/ssl/sfh

Generate a private key and a CSR (certificate signing request).

# Generate a new private key (it must stay private: root-owned, not world-readable)
sudo openssl genrsa -out "/etc/ssl/sfh/sfh.key" 2048
# Generate a CSR from that key
sudo openssl req -new -key "/etc/ssl/sfh/sfh.key" -out "/etc/ssl/sfh/sfh.csr"

The CSR will ask you a number of questions, including the "common name", which is the domain name used in your browser. I use serversforhackers.com without www. I did not add a challenge password. If you use one, you'll need to enter it when restarting Apache or Nginx once all is said and done.

After we submit the CSR and the purchase is confirmed, we can (finally!) download our certificate files from wherever we purchased the SSL certificate. Upload those files to your server.

# From my local computer
scp ~/Downloads/serversforhackers_com.zip fideloper:~/

# Then from the remote server, after logging in via ssh
unzip ~/serversforhackers_com.zip
cd ~/serversforhackers_com

# List out the certificate files
ll

# Copy the certificate file into our SSL location
sudo cp serversforhackers_com.crt /etc/ssl/sfh/

The mistake made in this video, covered in the next video on debugging SSL certificates, is not concatenating all of the SSL certificate files into one file. See the next video for the fix.
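Two checks worth running before pointing Nginx at these files, as an added example that is not code from the original post or video: that the private key really belongs to the certificate, and that the file you intend to serve carries the whole chain (the check fails for a lone site certificate, which is exactly the mistake above). Function names are assumptions, and build_demo_pki creates throwaway test certificates so the checks can be exercised offline.

```shell
#!/bin/sh
# Added example, not code from the original post: checks to run on the files
# in /etc/ssl/sfh before reloading Nginx. Function and file names are assumed.
set -e

# key_matches_cert KEY CERT: 0 if the private key belongs to the certificate.
# Compares the hash of each side's DER public key, so EC keys work too.
key_matches_cert() {
    openssl pkey -in "$1" -noout >/dev/null 2>&1 || return 1
    openssl x509 -in "$2" -noout >/dev/null 2>&1 || return 1
    key_fp=$(openssl pkey -in "$1" -pubout -outform DER | openssl sha256)
    crt_fp=$(openssl x509 -in "$2" -noout -pubkey |
             openssl pkey -pubin -outform DER | openssl sha256)
    [ "$key_fp" = "$crt_fp" ]
}

# chain_complete BUNDLE ROOT: 0 if the first cert in BUNDLE (the leaf) chains
# up to ROOT using only the other certs in BUNDLE, which is what a browser
# sees when Nginx serves BUNDLE. A leaf without its intermediate fails here.
chain_complete() {
    openssl x509 -in "$1" 2>/dev/null |
        openssl verify -CAfile "$2" -untrusted "$1" >/dev/null 2>&1
}

# build_demo_pki DIR: throwaway root -> intermediate -> leaf written to DIR so
# the checks can be exercised offline (constructed data, not a real CA's).
build_demo_pki() {
    d=$1
    openssl req -x509 -days 1 -nodes -newkey rsa:2048 -subj /CN=Demo-Root \
        -keyout "$d/root.key" -out "$d/root.crt" 2>/dev/null
    openssl req -new -nodes -newkey rsa:2048 -subj /CN=Demo-Intermediate \
        -keyout "$d/int.key" -out "$d/int.csr" 2>/dev/null
    printf 'basicConstraints=critical,CA:TRUE\n' > "$d/ca.ext"
    openssl x509 -req -days 1 -in "$d/int.csr" -CA "$d/root.crt" \
        -CAkey "$d/root.key" -CAcreateserial -extfile "$d/ca.ext" \
        -out "$d/int.crt" 2>/dev/null
    openssl req -new -nodes -newkey rsa:2048 -subj /CN=serversforhackers.com \
        -keyout "$d/sfh.key" -out "$d/sfh.csr" 2>/dev/null
    openssl x509 -req -days 1 -in "$d/sfh.csr" -CA "$d/int.crt" \
        -CAkey "$d/int.key" -CAcreateserial -out "$d/sfh.crt" 2>/dev/null
    # The CA's zip gives the site cert and the intermediate as separate files;
    # the file handed to ssl_certificate must contain both, site cert first.
    cat "$d/sfh.crt" "$d/int.crt" > "$d/sfh_bundle.crt"
}
```

On a real install, run the same two functions against the key in /etc/ssl/sfh, the bundle you give to ssl_certificate, and the CA's root certificate.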

We'll next configure Nginx to use this SSL certificate:

# My config file for nginx is just named "sfh"
sudo vim /etc/nginx/sites-available/sfh

Important portions of the Nginx configuration are:

server {
    server_name *.serversforhackers.com;
    return 301 http://serversforhackers.com$request_uri;
}

server {
    listen 80;
    # Enable SSL per listen socket; a block-wide "ssl on;" would also apply
    # to port 80 and break plain HTTP requests to this server block
    listen 443 ssl;

    server_name serversforhackers.com;

    ssl_certificate     /etc/ssl/sfh/serversforhackers_com.crt;
    ssl_certificate_key /etc/ssl/sfh/sfh.key;

    # other items omitted
}

Save and quit, and run a config test:

# Test config
sudo service nginx configtest

# If ok:
sudo service nginx reload

Then we'll check out the firewall settings. I had to open the "https" port 443 for inbound connections.

# Inspect iptables
sudo iptables -L -v

# Add "https" inbound rule,
# I added it as the 6th rule in the chain (it must come before any final REJECT/DROP rule)
sudo iptables -I INPUT 6 -p tcp --dport 443 -j ACCEPT

Then try your https URL in the browser and confirm that you can reach your site over SSL!
