Setting up PositiveSSL w/nginx
Posted By nick, March 3, 2015
So you have a working site running behind nginx, and you want to secure traffic to it.
We use Namecheap for domain name registration and SSL certificates. They sell Comodo PositiveSSL certificates for a great price, and they’re perfect for general sites needing legitimate SSL certificates.
First you must purchase the certificate. From Namecheap this is easy, and there’s no reason to describe it here.
Generate the private key and CSR
Assuming you don’t already have a private key generated, you can both generate that and the CSR (Certificate Signing Request) at the same time:
You will be prompted to answer several questions about the certificate being requested. Rackspace has a decent description of each.
Submit the request to Comodo
YMMV, but for Namecheap, the process is to go to the SSL Certificates management page and “activate” the certificate you previously purchased. Select “nginx” as the server type, and paste the previously-generated CSR contents into the form.
Get the CSR contents into your clipboard (for pasting into the form) from your terminal by:
Before submitting, you’ll likely need to verify some information; the details vary by provider. Once the request is submitted, you’ll receive a verification email from Comodo; complete that. The certificate should then be generated and emailed to you.
Create the combined certificate
The certificate will come as a ZIP file containing your certificate and several intermediate ones. You need to smash these together into a single file. Order matters in this file, so pay attention!
Install the certificate and private key
You now have 2 important files:
Copy these to your server. Common locations are:
It doesn’t matter too much where they live, but you probably want the directory to have 750 permissions and be owned by root. As for the private key, being owned by root with 640 permissions is also recommended.
Within your site’s nginx configuration file, change the listen port to 443 and enable SSL.
The ssl_protocols change is a result of the POODLE attack and restricts nginx to a more secure set of protocols. This may exclude some older browsers from accessing your site, so heads up.
After that, restart nginx and test it out!
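The key/CSR generation and certificate-combining steps above, as an added shell example that is not part of the original post. It assumes the openssl CLI is installed; the hostname www.example.com and the throwaway root/intermediate chain are constructed here to stand in for the files Comodo sends, and the bundling function refuses to write the combined file when the certificates are out of order.

```shell
#!/bin/sh
# Added example, not from the original post. Requires the openssl CLI.
# The hostname, the working directory $W and the throwaway CA are constructed.

# Generate a private key and CSR for a hostname, as in the post. The key is
# created unencrypted (-nodes) so nginx can start without a passphrase.
gen_key_csr() {  # gen_key_csr <host> <outdir>
  openssl req -new -newkey rsa:2048 -nodes -sha256 \
    -keyout "$2/$1.key" -out "$2/$1.csr" -subj "/CN=$1" 2>/dev/null
  chmod 640 "$2/$1.key"   # private key: owner/group read only
}

# Print one DN field (subject or issuer) of a PEM certificate.
dn() { openssl x509 -noout -"$1" -in "$2" | sed "s/^$1= *//"; }

# make_bundle <out.crt> <leaf.crt> <intermediate.crt>... [root.crt]
# nginx expects the server certificate first, then each intermediate, each
# one being the issuer of the certificate before it. Refuse to write the
# combined file when an adjacent pair does not chain, so a mis-ordered
# bundle never reaches the server.
make_bundle() {
  out=$1; shift
  prev=""
  for cert in "$@"; do
    if [ -n "$prev" ] && [ "$(dn issuer "$prev")" != "$(dn subject "$cert")" ]; then
      echo "order error: '$(dn subject "$prev")' is not issued by '$(dn subject "$cert")'" >&2
      return 1
    fi
    prev=$cert
  done
  cat "$@" > "$out"
}

# --- constructed sample chain: root -> intermediate -> leaf -------------
W=$(mktemp -d)
openssl req -x509 -newkey rsa:2048 -nodes -keyout "$W/root.key" \
  -out "$W/root.crt" -subj "/CN=Example Root" 2>/dev/null
openssl req -new -newkey rsa:2048 -nodes -keyout "$W/int.key" \
  -out "$W/int.csr" -subj "/CN=Example Intermediate" 2>/dev/null
openssl x509 -req -in "$W/int.csr" -CA "$W/root.crt" -CAkey "$W/root.key" \
  -CAcreateserial -out "$W/int.crt" 2>/dev/null
gen_key_csr www.example.com "$W"
openssl x509 -req -in "$W/www.example.com.csr" -CA "$W/int.crt" \
  -CAkey "$W/int.key" -CAcreateserial -out "$W/www.example.com.crt" 2>/dev/null

# Correct order succeeds; leaf placed after the intermediate is rejected.
make_bundle "$W/combined.crt" "$W/www.example.com.crt" "$W/int.crt" "$W/root.crt" \
  && echo "wrote $W/combined.crt"
make_bundle "$W/bad.crt" "$W/int.crt" "$W/www.example.com.crt" || echo "rejected bad order"
```

Point ssl_certificate at the combined file and ssl_certificate_key at the .key file written by gen_key_csr.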