HTTPS is neat, but there are often some problems with it:
- Certificates are expensive
- Self-signed certificates result in annoying "DANGER!!!1" browser warnings
StartSSL offers certificates (to be precise – one) for free, so here's a reminder for myself, and a guide for you, on how to do this.
Creating the certificate
First of all we have to create a private key. Start by creating an RSA key (you have to give it a temporary passphrase):
openssl genrsa -des3 -out example.com_private.key 4096
Now we create a CSR from our key; openssl will ask you for the details of your CSR here:
openssl req -new -key example.com_private.key -out example.com.csr
You have to sign up at StartSSL and validate your domain. After this you can create a "Web Server SSL/TLS Certificate" via the "Certificates Wizard" on your StartSSL control panel.
Since we already have a private key we have to skip key generation and instead submit our CSR.
The result will be a signed certificate in PEM format. Just save the content of the displayed text box to e.g. example.com.pem.
To make this certificate work properly we also need StartSSL's root CA and the class 1 intermediate certificate, so download those too.
Before using our certificate we have to remove the temporary passphrase from our private key:
openssl rsa -in example.com_private.key -out example.com.key
Make sure no one except the nginx user can read this file, or else the communication isn't secure anymore.
Because we have a chain of certificates, we now have to concatenate all of them, in this order: our own certificate first, then the intermediate, then the root CA:
cat example.com.pem sub.class1.server.ca.pem ca.pem > example.com_chain.pem
Now configure Nginx to use this certificate and you're ready to go.
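The steps above as one script, added here as an example and not part of the original post. It wraps the post's openssl commands (still interactive, so they are only run on request), builds the chain file in the leaf-first order that TLS clients expect while refusing any input that does not contain exactly one certificate, and locks the decrypted key down to mode 600 and checks that it stuck. File names are the ones from the post; `MIN_CERTS_PER_FILE`-style checks and the function names are my own.

```shell
#!/bin/sh
# Added example (not from the original post): the StartSSL/nginx procedure as
# checked shell functions. Run with the argument "run" to execute the openssl
# steps interactively; without it only the functions are defined.
set -eu

# Step 1 and 2 of the post: encrypted RSA key, then a CSR from it.
# Both commands prompt interactively (passphrase, CSR details), exactly as in the post.
generate_key_and_csr() {
    openssl genrsa -des3 -out example.com_private.key 4096
    openssl req -new -key example.com_private.key -out example.com.csr
}

# Step 3 of the post: write the key without its passphrase (prompts for it once).
strip_passphrase() {
    openssl rsa -in example.com_private.key -out example.com.key
}

# count_certs FILE: number of PEM certificate blocks in FILE (prints 0 if none)
count_certs() {
    grep -c '^-----BEGIN CERTIFICATE-----' "$1" || true
}

# build_chain OUT LEAF INTERMEDIATE ROOT: concatenate in the given (leaf-first)
# order. Each input must hold exactly one certificate, so a bundle that was
# accidentally downloaded twice or already concatenated is rejected.
build_chain() {
    out=$1
    shift
    : > "$out"
    for f in "$@"; do
        n=$(count_certs "$f")
        if [ "$n" -ne 1 ]; then
            echo "build_chain: $f contains $n certificates, expected exactly 1" >&2
            return 1
        fi
        cat "$f" >> "$out"
    done
}

# lock_down_key KEY: owner-only read/write, then verify the mode from ls output
# (portable across GNU and BSD userlands, unlike stat's format flags).
lock_down_key() {
    chmod 600 "$1"
    mode=$(ls -l "$1" | cut -c1-10)
    [ "$mode" = "-rw-------" ]
}

if [ "${1:-}" = "run" ]; then
    generate_key_and_csr
    echo "Submit example.com.csr to StartSSL, save the result as example.com.pem," \
         "and download sub.class1.server.ca.pem and ca.pem before continuing."
    strip_passphrase
    lock_down_key example.com.key
    build_chain example.com_chain.pem example.com.pem sub.class1.server.ca.pem ca.pem
    # Sanity check of the chain before nginx ever sees it: does the leaf verify
    # against the intermediate and the root we downloaded?
    openssl verify -CAfile ca.pem -untrusted sub.class1.server.ca.pem example.com.pem
fi
```

The `openssl verify` call at the end is the check worth keeping around: if the intermediate or root file is the wrong one, it fails here instead of in a visitor's browser.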
Some more hints
add_header Strict-Transport-Security max-age=31536000;
add_header X-Frame-Options DENY;
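A small check for those two headers, added here as an example and not part of the original post. It reads a saved HTTP response header block (for instance the output of `curl -sI https://example.com`, captured to a file) and reports a missing `Strict-Transport-Security` header, a `max-age` below one year (the post's 31536000 seconds), or a missing `X-Frame-Options` set to `DENY` or `SAMEORIGIN`. The sample response in the test is constructed; the function names and the `MIN_HSTS_AGE` variable are my own.

```shell
#!/bin/sh
# Added example (not from the original post): verify that a deployed nginx
# actually sends the two headers from the post. FILE holds raw response
# headers, CRLF line endings allowed.

# Minimum acceptable HSTS max-age in seconds; defaults to the post's one year.
MIN_HSTS_AGE=${MIN_HSTS_AGE:-31536000}

# hsts_max_age FILE: print the max-age of the first HSTS header, nothing if absent
hsts_max_age() {
    tr -d '\r' < "$1" | grep -i '^strict-transport-security:' | head -n 1 \
        | sed -n 's/.*max-age=\([0-9][0-9]*\).*/\1/p'
}

# has_frame_options FILE: true if X-Frame-Options is DENY or SAMEORIGIN
has_frame_options() {
    tr -d '\r' < "$1" | grep -iqE '^x-frame-options:[[:space:]]*(DENY|SAMEORIGIN)[[:space:]]*$'
}

# check_security_headers FILE: print one line per finding; return 0 only when
# both headers are present and HSTS is strong enough.
check_security_headers() {
    status=0
    age=$(hsts_max_age "$1")
    if [ -z "$age" ]; then
        echo "missing: Strict-Transport-Security"
        status=1
    elif [ "$age" -lt "$MIN_HSTS_AGE" ]; then
        echo "weak: Strict-Transport-Security max-age=$age (< $MIN_HSTS_AGE)"
        status=1
    fi
    if ! has_frame_options "$1"; then
        echo "missing: X-Frame-Options DENY or SAMEORIGIN"
        status=1
    fi
    return $status
}

# Usage: curl -sI https://example.com > headers.txt && check_security_headers headers.txt
```

Running it against a copy of the headers after a config change is a cheap way to confirm that the `add_header` lines ended up in the right `server` block.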