
I’ve found myself using Nginx more and more for web-server duties. It’s solid, flexible and can handle highly concurrent loads without much fuss. A while ago I also found StartSSL, who offer free basic SSL certificate signing. I haven’t purchased one from them yet but their rates look pretty good. The one hurdle to overcome is that you need to chain your certificate to their Root CA and Class 1 Intermediate Server CA certificates. To do that with Nginx you need to place your site certificate in the same file as the PEM files StartSSL provides. In the directory where you’re keeping your certificate, download the StartSSL Root and Intermediate certificates:

wget http://www.startssl.com/certs/ca.pem
wget http://www.startssl.com/certs/sub.class1.server.ca.pem

Then chain/concatenate/stick them all in the same file as the certificate for your host:

cat your-domain.crt sub.class1.server.ca.pem ca.pem > ssl-chained.crt

This gives you one file containing all three certificates. The last step is to let Nginx know about your certificate and private key file. In your Nginx config/vhost config file, add this:

ssl  on;
ssl_certificate  /etc/nginx/ssl/ssl-chained.crt;
ssl_certificate_key  /etc/nginx/ssl/private.key;

Reload your Nginx config and you should be ready to go. Before you start using SSL certificates/https on your website I urge you to do some reading up about what you’re doing and what ‘security’ you’re getting. It’s more about trust than encryption. Also make sure your private key remains private, with proper access restrictions and handling.
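The concatenation and key-handling steps above can be checked before reloading. The following is an added example, not part of the original post: the function names are hypothetical, the file names are the post's, and `key_matches_cert` assumes the `openssl` command-line tool is installed.

```shell
#!/bin/sh
# Added example, not from the original post; function names are hypothetical.

# build_chain OUT CERT...: join PEM files (server certificate first, as nginx
# requires), forcing a newline after each input. Plain `cat` fuses
# "-----END CERTIFICATE-----" with the next BEGIN line when a file lacks a
# trailing newline, and nginx then fails to load the certificate.
build_chain() {
    out=$1; shift
    : > "$out" || return 1
    for pem in "$@"; do
        [ -r "$pem" ] || { echo "unreadable: $pem" >&2; return 1; }
        # Drop CRs from Windows-edited files; awk ends every line with \n.
        awk '{ sub(/\r$/, ""); print }' "$pem" >> "$out"
    done
}

# check_chain FILE COUNT: succeed only if FILE holds exactly COUNT certificate
# blocks with every marker alone on its line. Any other PEM marker (fused
# lines, a pasted private key) fails the check.
check_chain() {
    awk -v want="$2" '
        /^-----BEGIN CERTIFICATE-----$/ { if (inblk) bad = 1; inblk = 1; n++; next }
        /^-----END CERTIFICATE-----$/   { if (!inblk) bad = 1; inblk = 0; next }
        /-----(BEGIN|END) /             { bad = 1 }
        END { exit (bad || inblk || n != want) }
    ' "$1"
}

# key_is_private FILE: succeed only if group and others have no permission bits.
key_is_private() {
    [ -f "$1" ] || return 1
    [ "$(ls -ldL "$1" | cut -c5-10)" = "------" ]
}

# key_matches_cert CERT KEY: compare public keys (needs the openssl CLI).
# `openssl x509` reads only the first certificate in CERT, i.e. the server one.
key_matches_cert() {
    c=$(openssl x509 -noout -pubkey -in "$1") || return 1
    k=$(openssl pkey -pubout -in "$2") || return 1
    [ "$c" = "$k" ]
}

# Usage with the post's file names:
#   build_chain ssl-chained.crt your-domain.crt sub.class1.server.ca.pem ca.pem
#   check_chain ssl-chained.crt 3 && key_is_private private.key && nginx -t
```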