Webmasters all around the web are implementing HTTPS across their sites because Google promised that sites that are all-HTTPS would get a small bump on its search results pages.
Well, we jumped on that news and switched our site to all-HTTPS. For a year we were running only an HTTPS version of this site.
Few weeks ago, we switched from all-HTTPS to HTTP. We did this because our AdSense earnings were hurt badly. Long story which can be read here.
Now, for those who want to still switch their sites to HTTPS can continue below to learn how to do it.
The steps below show you how to implement HTTPS with a self-signed certificates.
Self-signed certificates are signed by your own webserver using its private key. These certificates are not validated or authenticated by third-party certificate authorities.
So when users browse to sites that are using self-signed certificates, they get a warning that the certificate can’t be trusted. Although the certificate is valid and protecting your information, because it isn’t validated by a third-party, browsers will be warned.
You can use these self-signed certificates on test sites or learn how to create them. When you’re ready to add a trusted certificate to your site, you should already know how to generate them.
These are the steps to generate SSL certificates:
Create directories to store your the server private key, certificate and certificate signing request (CSR) files.
To do that run the commands below.
sudo mkdir /etc/nginx/ssl.{key,crt,csr}
The one line command above will create these three directories.
The next thing is to generate the server private key. This key will be used to sign the certificate.
openssl genrsa -des3 -out /etc/nginx/ssl.key/www.yoursite.net.key 2048
The command above generates the server private key and store in it the /etc/nginx/ssl.key folder.
Next, generate a certificate signing request file. This is the file you send to a trusted certificate authority to generate a certificate from.
In our case, we’ll use our own server key to generate a certificate. To generate a CSR file, run the commands below.
openssl req -new -key /etc/nginx/ssl.key/www.yoursite.net.key -out /etc/nginx/ssl.csr/www.yoursite.net.csr
After running the commands below, you’ll be prompted to answer few questions about the resource you’re protecting as well as your information.
Follow the guide below to answer them.
Follow the sample guide below.
- Common Name: The fully-qualified domain name, or URL, you’re securing.
If you are requesting a Wildcard certificate, add an asterisk (*) to the left of the common name where you want the wildcard, for example *.coolexample.com. - Organization: The legally-registered name for your business. If you are enrolling as an individual, enter the certificate requestor’s name.
- Organization Unit: If applicable, enter the DBA (doing business as) name. If you’re securing a single blog, then type the blog owner’s name here.
- City or Locality: Name of the city where your organization is registered/located.
- State or Province: Name of the state or province where your organization is located.
- Country: The two-letter International Organization for Standardization (ISO) format country code for where your organization is legally registered.
At the end, when prompted to type and confirm password, do not enter one.. leave it blank and continue.
Next, run the commands below to generate a SSL certificate for your domain.
openssl x509 -req -days 365 -in /etc/nginx/ssl.csr/www.yoursite.net.csr -signkey /etc/nginx/ssl.key/www.yoursite.net.key -out /etc/nginx/ssl.crt/www.yoursite.net.crt
The certificate is generated using the CSR and server private key. The certificate will be store in cert folder.
The final step is to enable SSL for your Nginx powered website. In different Linux distributions, Nginx is stalled in different locations.
What you need to do is find Nginx default site configuration page and add these lines in the server block of the file.
ssl on;
ssl_certificate /etc/nginx/ssl.crt/www.yoursite.net.crt;
ssl_certificate_key /etc/nginx/ssl.key/www.yoursite.net.key;
ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
ssl_ciphers "HIGH:!aNULL:!MD5 or HIGH:!aNULL:!MD5:!3DES";
Also, don’t forget the change the listen directory to port 443 as shown below.
listen www.yoursite.net:443 ssl default_server;
That’s it! Restart your Nginx webserver and test the site, and it should load using HTTPS.
Enjoy!