Linux technical support - [email protected]


Installing a certificate from your own certificate authority in nginx

In the previous part we set up our own local certificate authority.

Now we will install the web server and test the secure connection:

ON NGINX WEB SERVER

yum -y install nginx
mkdir /etc/nginx/pki
# REMOVE THE PASSPHRASE FROM THE KEY (nginx cannot prompt for it at start-up)
openssl rsa -in intermediate/private/www.alexlinux.com.key \
-out /etc/nginx/pki/www.alexlinux.com.key

Enter pass phrase for intermediate/private/www.alexlinux.com.key:
123123
writing RSA key

# THE KEY IS NOW STORED UNENCRYPTED, SO ONLY ROOT MAY READ IT
chmod 600 /etc/nginx/pki/www.alexlinux.com.key

cp intermediate/certs/www.alexlinux.com.crt \
/etc/nginx/pki/www.alexlinux.com.crt
cp intermediate/certs/intermediate.crt /etc/nginx/pki/intermediate.crt
# BUNDLE ORDER MATTERS: SERVER CERTIFICATE FIRST, THEN THE INTERMEDIATE
cat /etc/nginx/pki/www.alexlinux.com.crt /etc/nginx/pki/intermediate.crt \
> /etc/nginx/pki/bundle.crt
# After that copy certs/ca.crt (the root, NOT the server key) to the remote host,
# in my case it is another CentOS 7 server.
scp certs/ca.crt some-remote-centos-host:/etc/pki/ca-trust/source/anchors/
# ADD SERVER BLOCK ("ssl on;" is deprecated, use the ssl parameter of listen instead)
server {
    listen   443 ssl;
    ssl_certificate        /etc/nginx/pki/bundle.crt;
    ssl_certificate_key    /etc/nginx/pki/www.alexlinux.com.key;
    server_name www.alexlinux.com;
    location / {
        root   /usr/share/nginx/html;
        index  index.html;
    }
}

# CHECK THE CONFIGURATION AND START THE WEB SERVER
nginx -t
systemctl start nginx

LOGIN TO REMOTE HOST TO CHECK SECURE HANDSHAKE

# ADD A RESOLVER ENTRY (the name must match the certificate's server name)
echo "192.168.0.205 www.alexlinux.com" >> /etc/hosts
# CHECK THE CONNECTION. WHILE ca.crt IS NOT YET IN THE TRUST STORE YOU SHOULD SEE THIS ERROR
openssl s_client -servername www.alexlinux.com -connect www.alexlinux.com:443

...
Start Time: 1483731000
Timeout : 300 (sec)
Verify return code: 20 (unable to get local issuer certificate)

# THESE TWO COMMANDS ADD THE CA CERTIFICATE FROM anchors/ TO THE OS TRUST STORE
# (on CentOS 7 "extract" alone is enough; "force-enable" is only needed on CentOS 6, but does no harm)
update-ca-trust force-enable
update-ca-trust extract
# NOW THE CHAIN VERIFIES UP TO OUR ROOT
openssl s_client -servername www.alexlinux.com -connect www.alexlinux.com:443

...
Start Time: 1483731073
Timeout : 300 (sec)
Verify return code: 0 (ok)

That’s it, now everything works fine )
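Before touching the OS trust store it pays to check the files in /etc/nginx/pki offline: that the passphrase-less key really belongs to the certificate, that the bundle starts with the server certificate (nginx treats the first certificate in ssl_certificate as the server's), that the key is readable by root only, and that the chain verifies with ca.crt and produces the "unable to get local issuer certificate" error (code 20) without it. The script below is an added example and not part of the original post: it builds a throwaway root -> intermediate -> www.alexlinux.com chain in a temp directory (constructed test data) so it runs without the real CA, and the helper names (key_matches_cert, bundle_starts_with_leaf, key_is_private, fails_without_root, chain_verifies, handshake_ok) are my own. It assumes the openssl command line (1.0.2 or newer) is installed.

```shell
#!/bin/sh
# Added example (not from the original post): offline sanity checks for the
# key, certificate and bundle an nginx server will use. A toy PKI is generated
# in a temp dir so the script is self-contained; point the check functions at
# the real files under /etc/nginx/pki to check a real deployment.
set -eu
command -v openssl >/dev/null 2>&1 || { echo "openssl not found" >&2; exit 1; }

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT
cd "$WORK"

# Extension profiles: one for the toy CA certificates, one for the server cert.
cat > ext.cnf <<'EOF'
[ca]
basicConstraints = critical, CA:TRUE
keyUsage = critical, keyCertSign, cRLSign
subjectKeyIdentifier = hash
[server]
basicConstraints = CA:FALSE
keyUsage = critical, digitalSignature, keyEncipherment
extendedKeyUsage = serverAuth
subjectAltName = DNS:www.alexlinux.com
EOF

make_toy_pki() {
    # self-signed root (stands in for certs/ca.crt)
    openssl req -new -newkey rsa:2048 -nodes -subj "/CN=Toy Root CA" \
        -keyout ca.key -out ca.csr 2>/dev/null
    openssl x509 -req -in ca.csr -signkey ca.key -days 2 -sha256 \
        -extfile ext.cnf -extensions ca -out ca.crt 2>/dev/null
    # intermediate signed by the root (stands in for intermediate.crt)
    openssl req -new -newkey rsa:2048 -nodes -subj "/CN=Toy Intermediate CA" \
        -keyout intermediate.key -out intermediate.csr 2>/dev/null
    openssl x509 -req -in intermediate.csr -CA ca.crt -CAkey ca.key -CAcreateserial \
        -days 2 -sha256 -extfile ext.cnf -extensions ca -out intermediate.crt 2>/dev/null
    # passphrase-protected server key, then the passphrase is stripped exactly
    # as the post does with "openssl rsa -in ... -out ..."
    openssl genrsa -aes256 -passout pass:123123 -out www.enc.key 2048 2>/dev/null
    openssl rsa -in www.enc.key -passin pass:123123 -out www.alexlinux.com.key 2>/dev/null
    openssl req -new -key www.alexlinux.com.key -subj "/CN=www.alexlinux.com" \
        -out www.csr 2>/dev/null
    openssl x509 -req -in www.csr -CA intermediate.crt -CAkey intermediate.key \
        -CAcreateserial -days 2 -sha256 -extfile ext.cnf -extensions server \
        -out www.alexlinux.com.crt 2>/dev/null
    # bundle in the order nginx expects: server certificate first, then its issuer
    cat www.alexlinux.com.crt intermediate.crt > bundle.crt
}

# 0 if the private key's public half equals the certificate's public key.
key_matches_cert() {   # key_matches_cert KEYFILE CERTFILE
    [ -r "$1" ] && [ -r "$2" ] || return 1
    k=$(openssl pkey -in "$1" -pubout 2>/dev/null | openssl md5)
    c=$(openssl x509 -in "$2" -pubkey -noout 2>/dev/null | openssl md5)
    [ "$k" = "$c" ]
}

# 0 if the first certificate in the bundle is the one for HOSTNAME
# (openssl x509 only reads the first PEM block, which is what nginx serves as the leaf).
bundle_starts_with_leaf() {   # bundle_starts_with_leaf BUNDLE HOSTNAME
    openssl x509 -in "$1" -noout -subject 2>/dev/null | grep -q "$2"
}

# 0 if the key has no group/other permission bits (an unencrypted key must be root-only).
key_is_private() {   # key_is_private KEYFILE
    [ -f "$1" ] || return 1
    [ -z "$(find "$1" \( -perm -g+r -o -perm -g+w -o -perm -o+r -o -perm -o+w \) 2>/dev/null)" ]
}

# 0 if verifying without the root reproduces the post's "Verify return code: 20" error.
fails_without_root() {   # fails_without_root INTERMEDIATE LEAF
    out=$(openssl verify -untrusted "$1" "$2" 2>&1) && return 1
    echo "$out" | grep -q "unable to get local issuer certificate"
}

# 0 if the chain leaf -> intermediate -> root verifies and the name matches,
# i.e. what a client with ca.crt in its trust store will conclude.
chain_verifies() {   # chain_verifies CAFILE INTERMEDIATE LEAF HOSTNAME
    openssl verify -CAfile "$1" -untrusted "$2" -verify_hostname "$4" "$3" >/dev/null 2>&1
}

# Against the live server (not exercised here): the post's handshake, but trusting
# ca.crt explicitly so it can be checked before the OS trust store is updated.
handshake_ok() {   # handshake_ok HOST PORT CAFILE
    openssl s_client -connect "$1:$2" -servername "$1" -CAfile "$3" \
        -verify_return_error </dev/null >/dev/null 2>&1
}

report() { if "$@"; then echo "PASS: $*"; else echo "FAIL: $*"; fi; }

make_toy_pki
chmod 600 www.alexlinux.com.key   # the step the post's "openssl rsa" leaves out
report key_matches_cert www.alexlinux.com.key www.alexlinux.com.crt
report bundle_starts_with_leaf bundle.crt www.alexlinux.com
report key_is_private www.alexlinux.com.key
report fails_without_root intermediate.crt www.alexlinux.com.crt
report chain_verifies ca.crt intermediate.crt www.alexlinux.com.crt www.alexlinux.com
```

On the real server, run the same functions against /etc/nginx/pki/www.alexlinux.com.key, bundle.crt, intermediate.crt and the copied ca.crt; chain_verifies is the offline twin of the s_client check above, and handshake_ok lets the remote host confirm that nginx sends the complete bundle without first changing its trust store.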

If you install that CA certificate on Windows, you will see it in the certificate store like this:
[screenshot: CA]

If something goes wrong, see the page with the check commands.
