Last Sunday I had my first chance to buy an SSL certificate and set it up on Nginx. Prior to that I had always just signed with my own CA, and then imported my own CA’s certificate into the browser’s root certificate repository.

Anyway. What happened was that on a website I am developing, I have provided some API via JavaScript, so this guy I am partnering with can just include my dynamically generated JavaScript to produce content on his site. However, his site runs entirely on HTTPS but mine does not, so you get that dreadful “This Page Contains Both Secure and Non-Secure Items” error message in some IE versions.

I guess the easiest way for me to fix it up is actually running the site on HTTPS as well. So I went out and bought a certificate from GoDaddy ($18/year — why so much price difference?), but it wasn’t that trivial as GoDaddy does not have any installation instructions for Nginx, which my site is running under. Why not?! Consider that Nginx already has a sizable market penetration (especially if you are a Russian malware distributor). Well, here are the steps.

1. Buy the SSL Certificate

I got mine from GoDaddy’s TurboSSL Certificate for $20/year, although there are lots of coupons out there that give you 10% off. I know you can also get very cheap SSL certs from resellers of RapidSSL. Seriously, I have no idea about the pricing difference from a technical point of view. These are just your public keys signed by the certificate authority, aren’t they? But I guess it’s probably the verification process that makes the difference.

I am not running an ecommerce site, so the cheapest one suits me fine. Nor do I want any phone/fax verification because (1) I do not live in the US (2) I need my cert right now!

2. Download the Certificate

GoDaddy provides information on how you can use OpenSSL to generate a private key for your webserver, create a certificate request, and then paste this request onto GoDaddy’s site for verification.

After the request has been verified, a certificate will be generated for you to download. As there is no Nginx option, choose Apache 2.x. You will get a ZIP containing two files:

  1. <Common Name>.crt — Your certificate.
  2. gd_intermediate_bundle.crt — GoDaddy Certificate Intermediates Bundle

If you don’t see the second file, you should be able to download it from their repository.

3. Upload Them onto Webserver

You need to concatenate your certificate file and GoDaddy’s intermediate certificate to form the final certificate. I usually name my files domain.crt. Then you need to upload both your private key file (generated in step 2) and the certificate file to your server running Nginx.

For example if your domain is example.com:

# cat example.com.crt gd_intermediate_bundle.crt > /etc/nginx/example.com.crt
# cp example.com.key /etc/nginx/example.com.key

Note that concatenating the two files together, with your own certificate first as in the command above, is important. SSL certificate issuers are chained, and the intermediate bundle provides the “missing link” between the well-known certificate authorities in your browser’s root CA list and your website’s own certificate.
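
A quick way to check the concatenated file before restarting Nginx, as an added example that is not part of the original post or GoDaddy's instructions: two shell functions that confirm the private key belongs to the first certificate in the file and that each certificate is followed by its issuer. The function names are made up for this example, and the only tool assumed is the openssl command line.

```shell
#!/bin/sh
# Added example: sanity checks for a concatenated Nginx certificate file.
# Function names are hypothetical; file paths are supplied by the caller.

# key_matches_cert BUNDLE KEY
# Succeeds when KEY is the private key for the FIRST certificate in BUNDLE,
# which is the certificate Nginx pairs with ssl_certificate_key.
key_matches_cert() {
    local cert_pub key_pub
    cert_pub=$(openssl x509 -in "$1" -noout -pubkey) || return 2
    key_pub=$(openssl pkey -in "$2" -pubout) || return 2
    [ "$cert_pub" = "$key_pub" ]
}

# chain_in_order BUNDLE
# Succeeds when every certificate in BUNDLE is issued by the one after it
# (site certificate first, then intermediates). Returns 1 on a wrong order,
# 2 when BUNDLE holds no certificate.
chain_in_order() {
    local dir n i rc
    dir=$(mktemp -d) || return 2
    # Split BUNDLE into 1.pem, 2.pem, ... and print how many were found.
    n=$(awk -v d="$dir" '
        /-----BEGIN CERTIFICATE-----/ { n++ }
        n { print > (d "/" n ".pem") }
        END { print n + 0 }' "$1") || n=0
    rc=0
    [ "$n" -ge 1 ] || rc=2
    i=1
    while [ "$rc" -eq 0 ] && [ "$i" -lt "$n" ]; do
        # Issuer name of certificate i must equal subject name of i+1.
        [ "$(openssl x509 -in "$dir/$i.pem" -noout -issuer_hash)" = \
          "$(openssl x509 -in "$dir/$((i + 1)).pem" -noout -subject_hash)" ] || rc=1
        i=$((i + 1))
    done
    rm -rf "$dir"
    return "$rc"
}
```

Call both with /etc/nginx/example.com.crt (and /etc/nginx/example.com.key for the first); a non-zero status from either points to a swapped concatenation order or a key that belongs to a different certificate request.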

4. Turn on SSL Module in Nginx

Now you can activate your SSL site in Nginx. Use the following configuration in your nginx.conf:

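server {
    # The "ssl" parameter on listen enables TLS for this port. It replaces the
    # separate "ssl on;" directive, which newer Nginx releases no longer accept.
    listen 443 ssl;
    server_name example.com;
    ssl_certificate /etc/nginx/example.com.crt;
    ssl_certificate_key /etc/nginx/example.com.key;
    ...
}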

Restart Nginx, and your web server will now be serving encrypted content.