Linux technical support - support@alexlinux.com


Installation of a certificate in nginx from your own certificate authority

In the previous part we set up our own local certificate authority.

Now we will install the web server and test the secure connection:

ON NGINX WEB SERVER

yum -y install nginx
mkdir /etc/nginx/pki
# REMOVE THE PASSPHRASE FROM THE KEY: nginx cannot prompt for it at boot
openssl rsa -in intermediate/private/www.alexlinux.com.key \
-out /etc/nginx/pki/www.alexlinux.com.key

Enter pass phrase for intermediate/private/www.alexlinux.com.key:
123123
writing RSA key

# THE UNENCRYPTED KEY IS NOW THE ONLY SECRET: MAKE IT ROOT-ONLY
chmod 600 /etc/nginx/pki/www.alexlinux.com.key
cp intermediate/certs/www.alexlinux.com.crt \
/etc/nginx/pki/www.alexlinux.com.crt
cp intermediate/certs/intermediate.crt /etc/nginx/pki/intermediate.crt
# SERVER CERTIFICATE FIRST, THEN THE INTERMEDIATE: nginx sends the bundle in file order
cat /etc/nginx/pki/www.alexlinux.com.crt /etc/nginx/pki/intermediate.crt \
> /etc/nginx/pki/bundle.crt
# After that copy certs/ca.crt (the root, not the intermediate) to every host
# that must trust the server; in my case it is another CentOS 7 server.
scp certs/ca.crt some-remote-centos-host:/etc/pki/ca-trust/source/anchors/
# ADD SERVER BLOCK (for example in /etc/nginx/conf.d/www.alexlinux.com.conf)
server {
    listen   443 ssl;   # "ssl on;" is the old form and is deprecated since nginx 1.15.0
    ssl_certificate        /etc/nginx/pki/bundle.crt;
    ssl_certificate_key    /etc/nginx/pki/www.alexlinux.com.key;
    server_name www.alexlinux.com;
    location / {
        root   /usr/share/nginx/html;
        index  index.html;
    }
}

# CHECK THE CONFIG (THIS ALSO LOADS THE KEY AND CERTIFICATE) AND START WEB SERVER
nginx -t && systemctl start nginx

LOGIN TO REMOTE HOST TO CHECK SECURE HANDSHAKE

# ADD RESOLVE ENTRY
echo "192.168.0.205 www.alexlinux.com" >> /etc/hosts
# CHECK THE CONNECTION; BEFORE THE CA IS TRUSTED YOU SHOULD SEE THIS ERROR
openssl s_client -servername www.alexlinux.com -connect www.alexlinux.com:443

...
Start Time: 1483731000
Timeout : 300 (sec)
Verify return code: 20 (unable to get local issuer certificate)

# THESE TWO COMMANDS ADD THE CA CERTIFICATE TO THE OS TRUST STORE
update-ca-trust force-enable
update-ca-trust extract
# AND NOW THE CHAIN VERIFIES
openssl s_client -servername www.alexlinux.com -connect www.alexlinux.com:443

...
Start Time: 1483731073
Timeout : 300 (sec)
Verify return code: 0 (ok)
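The same checks that nginx -t and the s_client handshake above perform can be run offline on the nginx host itself, before the server is started or whenever the remote check reports a verify error. The script below is an added example and is not part of the original page: it builds a throwaway root -> intermediate -> www.alexlinux.com PKI with openssl (constructed data, not the CA from the previous part), lays the files out exactly as above, including the passphrase 123123 that gets stripped, and then checks what nginx and a client will check: the key is unencrypted and root-only, the key matches the certificate, bundle.crt starts with the server certificate, and the chain verifies against ca.crt. The function names (check_nginx_pki, build_demo_layout, demo) and the scratch directory are assumptions of this example.

```shell
#!/bin/sh
# Added example (not from the original page): offline pre-flight checks for the
# /etc/nginx/pki layout built above. Assumes openssl in PATH and the file names
# used in the tutorial (www.alexlinux.com.key, www.alexlinux.com.crt,
# intermediate.crt, bundle.crt) plus the root certificate certs/ca.crt.

# nginx cannot type a passphrase at boot: the key must be stored unencrypted.
key_is_unencrypted() {
    [ -r "$1" ] && ! grep -q ENCRYPTED "$1"
}

# The public key in the certificate must be the one derived from the key file,
# otherwise nginx refuses the pair ("key values mismatch").
key_matches_cert() {  # $1 = certificate, $2 = key
    cert_pub=$(openssl x509 -in "$1" -noout -pubkey 2>/dev/null)
    key_pub=$(openssl pkey -in "$2" -pubout 2>/dev/null)
    [ -n "$cert_pub" ] && [ "$cert_pub" = "$key_pub" ]
}

# nginx sends the bundle in file order and the server certificate must come
# first; `openssl x509` reads only the first PEM block, so compare fingerprints.
bundle_leaf_first() {  # $1 = bundle, $2 = server certificate
    first_fp=$(openssl x509 -in "$1" -noout -fingerprint -sha256 2>/dev/null)
    leaf_fp=$(openssl x509 -in "$2" -noout -fingerprint -sha256 2>/dev/null)
    [ -n "$first_fp" ] && [ "$first_fp" = "$leaf_fp" ]
}

# The same path-building a client does: leaf -> intermediate (from the bundle) -> root.
chain_verifies() {  # $1 = root CA certificate, $2 = bundle, $3 = server certificate
    openssl verify -CAfile "$1" -untrusted "$2" "$3" >/dev/null 2>&1
}

# The unencrypted key is now the only secret: no group/other permission bits.
key_is_private() {
    [ "$(ls -ld "$1" | cut -c5-10)" = "------" ]
}

check_nginx_pki() {  # $1 = pki directory, $2 = root CA certificate; prints the first failure
    key=$1/www.alexlinux.com.key
    leaf=$1/www.alexlinux.com.crt
    bundle=$1/bundle.crt
    key_is_unencrypted "$key"             || { echo "FAIL: key is still passphrase-protected"; return 1; }
    key_matches_cert "$leaf" "$key"       || { echo "FAIL: key does not match certificate"; return 1; }
    bundle_leaf_first "$bundle" "$leaf"   || { echo "FAIL: bundle must start with the server certificate"; return 1; }
    chain_verifies "$2" "$bundle" "$leaf" || { echo "FAIL: chain does not verify against $2"; return 1; }
    key_is_private "$key"                 || { echo "FAIL: key is readable by group/other"; return 1; }
    echo "OK: $1 is ready for nginx"
}

# Constructed throwaway PKI (root -> intermediate -> www.alexlinux.com), laid out
# as in the tutorial, including the passphrase 123123 that is then stripped.
build_demo_layout() {  # $1 = scratch directory
    d=$1; mkdir -p "$d/pki"
    openssl req -x509 -newkey rsa:2048 -nodes -days 30 -subj "/CN=Demo Root CA" \
        -keyout "$d/ca.key" -out "$d/ca.crt" 2>/dev/null
    printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign,cRLSign\n' > "$d/ca.ext"
    openssl req -newkey rsa:2048 -nodes -subj "/CN=Demo Intermediate CA" \
        -keyout "$d/intermediate.key" -out "$d/intermediate.csr" 2>/dev/null
    openssl x509 -req -days 30 -in "$d/intermediate.csr" -CA "$d/ca.crt" -CAkey "$d/ca.key" \
        -CAcreateserial -extfile "$d/ca.ext" -out "$d/pki/intermediate.crt" 2>/dev/null
    printf 'basicConstraints=CA:FALSE\nsubjectAltName=DNS:www.alexlinux.com\n' > "$d/leaf.ext"
    openssl req -newkey rsa:2048 -passout pass:123123 -subj "/CN=www.alexlinux.com" \
        -keyout "$d/www.enc.key" -out "$d/www.csr" 2>/dev/null
    openssl x509 -req -days 30 -in "$d/www.csr" -CA "$d/pki/intermediate.crt" -CAkey "$d/intermediate.key" \
        -CAcreateserial -extfile "$d/leaf.ext" -out "$d/pki/www.alexlinux.com.crt" 2>/dev/null
    # the tutorial's step: strip the passphrase so nginx can load the key unattended
    openssl rsa -in "$d/www.enc.key" -passin pass:123123 -out "$d/pki/www.alexlinux.com.key" 2>/dev/null
    chmod 600 "$d/pki/www.alexlinux.com.key"
    cat "$d/pki/www.alexlinux.com.crt" "$d/pki/intermediate.crt" > "$d/pki/bundle.crt"
}

# End-to-end run on the constructed PKI; returns 0 when every check passes.
demo() {
    tmp=$(mktemp -d)
    build_demo_layout "$tmp"
    if check_nginx_pki "$tmp/pki" "$tmp/ca.crt"; then rc=0; else rc=1; fi
    rm -rf "$tmp"
    return $rc
}

demo
```

On the real server call `check_nginx_pki /etc/nginx/pki certs/ca.crt` instead of `demo`; a FAIL line there corresponds to what `nginx -t` would reject or what `openssl s_client` would later report as a verify error.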

That’s it, now everything works fine )

If you install that certificate on Windows, you will see this:
[screenshot: CA]

If something goes wrong, see the page with check commands.
