Configuring SSL for your domains is still not as simple as it could be. Every time I do it, I need to refer to my previous notes. Recently, I was using AWS Certificate Manager
to set up a PositiveSSL Wildcard certificate, so I thought of putting my notes up on the blog.
Note: This post focuses on configuring SSL, and much less on the details of what and why.
Step 1: Generate Certificate Signing Request (CSR) and Private key
openssl req -new -newkey rsa:2048 -nodes -keyout mydomain.key -out mydomain.csr
Enter the details like country, state, etc. when asked. After this step you will have two files: mydomain.key (the private key, which never leaves your machine) and mydomain.csr (the signing request you hand to the provider).
The contents of these files look like the following:
mydomain.csr
-----BEGIN CERTIFICATE REQUEST-----
:
-----END CERTIFICATE REQUEST-----
mydomain.key
-----BEGIN PRIVATE KEY-----
:
-----END PRIVATE KEY-----
Step 2: Buying the certificate from providers
When requesting your SSL certificate from providers like Namecheap, GoDaddy, etc., you'll be asked to paste in the content of your CSR. Once you complete all the steps, you'll receive the following files from the provider (I'm taking the example of the files from Namecheap, where I purchased the certificate): the three CA certificates COMODORSADomainValidationSecureServerCA.crt, COMODORSAAddTrustCA.crt and AddTrustExternalCARoot.crt, plus your own wildcard certificate STAR_mydomain.crt.
Step 3: Creating SSL Bundle
Using the files mentioned in Step 2, we'll create an SSL bundle, which is very simple: just concatenate the content of the first three files (the CA certificates) in the right order, as in the command below, with the intermediates first and the root last:
cat COMODORSADomainValidationSecureServerCA.crt COMODORSAAddTrustCA.crt AddTrustExternalCARoot.crt > ssl-bundle.crt
If you want to configure it for NGINX, you need to concatenate your own PositiveSSL certificate as well, in front of the chain:
cat STAR_mydomain.crt COMODORSADomainValidationSecureServerCA.crt COMODORSAAddTrustCA.crt AddTrustExternalCARoot.crt > ssl-bundle.crt
The content of the bundle file will look something like this (for ACM, only the three CA entries will be there):
-----BEGIN CERTIFICATE-----
: - STAR_mydomain.crt
-----END CERTIFICATE-----
-----BEGIN CERTIFICATE-----
: - COMODORSADomainValidationSecureServerCA.crt
-----END CERTIFICATE-----
-----BEGIN CERTIFICATE-----
: - COMODORSAAddTrustCA.crt
-----END CERTIFICATE-----
-----BEGIN CERTIFICATE-----
: - AddTrustExternalCARoot.crt
-----END CERTIFICATE-----
Note:
Step 4: Configuring on NGINX
If you want to configure NGINX, you just need these two files: ssl-bundle.crt (from Step 3, with your own certificate first) and mydomain.key (from Step 1).
In your NGINX configuration, point these parameters at the right paths, restart NGINX, and you're good to go:
ssl_certificate /etc/nginx/ssl/mydomain/ssl-bundle.crt;
ssl_certificate_key /etc/nginx/ssl/mydomain/mydomain.key;
Step 5: Configuring on Amazon Certificate Manager (ACM)
To configure it with ACM, you need to go through a couple more steps, as it requires the certificates and the key to be in a certain format. First, convert your private key to .pem format (without -text, so the file holds only the PEM block and not a human-readable dump in front of it):
openssl rsa -in mydomain.key -out mydomain-private-key.pem
Content:
-----BEGIN RSA PRIVATE KEY-----
:
-----END RSA PRIVATE KEY-----
Finally, to upload the certificate to ACM, use the following command:
aws acm import-certificate \
--certificate file:///Users/rootcss/Downloads/ssl/STAR_mydomain.crt \
--private-key file:///Users/rootcss/Downloads/ssl/mydomain-private-key.pem \
--certificate-chain file:///Users/rootcss/Downloads/ssl/ssl-bundle.crt
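Before pointing NGINX (Step 4) or ACM (Step 5) at these files, it is worth confirming that the private key really belongs to the certificate and that the bundle is in the right order, since both errors only surface as vague handshake or import failures later. The script below is an added example and not part of this post: check_bundle is a function name I made up, and it generates a throwaway root/intermediate/leaf chain with openssl so that it runs offline instead of touching the real Namecheap files.

```shell
#!/bin/sh
# Added example, not part of the original post: checks to run on the files from
# steps 1-3 before handing them to NGINX or ACM. A throwaway root -> intermediate
# -> leaf chain is generated in a temp dir so this runs offline; on real files:
#   check_bundle STAR_mydomain.crt mydomain.key ssl-bundle.crt
set -eu

# check_bundle LEAF KEY CHAIN: succeeds only if KEY belongs to LEAF, every certificate
# in CHAIN is issued by the one after it (the order the cat commands must produce)
# and the signatures verify. CHAIN may start with LEAF itself (NGINX style) or not (ACM).
check_bundle() {
  leaf=$1; key=$2; chain=$3; dir=$(mktemp -d)
  # 1. Public key inside the certificate must equal the one derived from the private key.
  [ "$(openssl x509 -in "$leaf" -noout -pubkey)" = "$(openssl pkey -in "$key" -pubout)" ] \
    || { echo "FAIL: $key is not the private key for $leaf"; return 1; }
  # 2. Split the bundle into 1.pem, 2.pem, ... and walk it: issuer(previous) == subject(next).
  awk -v d="$dir" '/BEGIN CERTIFICATE/{n++} {print > (d "/" n ".pem")}' "$chain"
  prev=$leaf; n=1
  [ "$(cat "$leaf")" = "$(cat "$dir/1.pem")" ] && n=2   # leaf bundled first: skip it
  while [ -f "$dir/$n.pem" ]; do
    iss=$(openssl x509 -in "$prev" -noout -issuer); sub=$(openssl x509 -in "$dir/$n.pem" -noout -subject)
    [ "${iss#issuer=}" = "${sub#subject=}" ] \
      || { echo "FAIL: certificate $n in $chain is not the issuer of the one before it"; return 1; }
    prev=$dir/$n.pem; n=$((n+1))
  done
  # 3. Names can line up while signatures do not (e.g. a re-issued intermediate): verify for real.
  openssl verify -CAfile "$chain" "$leaf" >/dev/null 2>&1 \
    || { echo "FAIL: openssl verify rejects $leaf against $chain"; return 1; }
  echo "OK: $leaf, $key and $chain are consistent"
}

# demo_chain: constructed root -> intermediate -> leaf written to $DEMO (not the post's files).
demo_chain() {
  DEMO=$(mktemp -d)
  printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=keyCertSign\n' > "$DEMO/ca.ext"
  for name in root inter leaf; do    # key + CSR for each, exactly as in step 1
    openssl req -new -newkey rsa:2048 -nodes -keyout "$DEMO/$name.key" \
      -out "$DEMO/$name.csr" -subj "/CN=Demo $name" 2>/dev/null
  done
  openssl x509 -req -in "$DEMO/root.csr" -signkey "$DEMO/root.key" -out "$DEMO/root.crt" \
    -days 2 -extfile "$DEMO/ca.ext" 2>/dev/null
  openssl x509 -req -in "$DEMO/inter.csr" -CA "$DEMO/root.crt" -CAkey "$DEMO/root.key" \
    -CAcreateserial -out "$DEMO/inter.crt" -days 2 -extfile "$DEMO/ca.ext" 2>/dev/null
  openssl x509 -req -in "$DEMO/leaf.csr" -CA "$DEMO/inter.crt" -CAkey "$DEMO/inter.key" \
    -CAcreateserial -out "$DEMO/leaf.crt" -days 2 2>/dev/null
  cat "$DEMO/inter.crt" "$DEMO/root.crt" > "$DEMO/ssl-bundle.crt"   # ACM-style, like step 3
  cat "$DEMO/root.crt" "$DEMO/inter.crt" > "$DEMO/wrong-order.crt"  # same certs, wrong order
}

demo_chain && check_bundle "$DEMO/leaf.crt" "$DEMO/leaf.key" "$DEMO/ssl-bundle.crt"
```

Running check_bundle against wrong-order.crt (or with root.key instead of leaf.key) prints the corresponding FAIL line and returns 1, which is exactly what you want a deploy script to stop on.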
Other notes:
If your private key came as a .pfx (PKCS#12) file instead, extract it to an unencrypted PEM file with:
openssl pkcs12 -in mydomain-private-key.pfx -out mydomain-private-key.pem -nodes
(Enter the password that was set when the .pfx was created when asked)
To re-encode a certificate into clean PEM, write the output to a new file; redirecting it onto the input file truncates the input before openssl reads it. Note that openssl x509 only emits the first certificate it finds, so run it on a single-certificate file rather than on the bundle:
openssl x509 -inform PEM -in STAR_mydomain.crt -out STAR_mydomain-clean.crt
References: