Nginx – What do I do with the files from the ssl certificate download

nginxssl

I am setting up an nginx server for the first time using ssl. I bought an ssl certificate, did the whole thing where I generate a csr. I have activated my ssl purchase and finally downloaded the certificate.

When I downloaded the certificate I got a zip folder. the zip folder had 3 files in it; my_site.ca-bundle , my_site.crt, and my_site.p7b .

I understand how I am supposed to configure nginx , but I don't know the significance of the ca-bundle and the p7b file that was included in the download.

for nginx configuration I just need a crt file and the key from when I generated the CSR:

server {
    listen              443 ssl;
    server_name         www.example.com;
    ssl_certificate     www.example.com.chained.crt;
    ssl_certificate_key www.example.com.key;
    ...
}

Are the ca-bundle and p7b files important, or is the crt file the only thing I need?

Best Answer

http://nginx.org/en/docs/http/configuring_https_servers.html

Some browsers may complain about a certificate signed by a well-known certificate authority, while other browsers may accept the certificate without issues. This occurs because the issuing authority has signed the server certificate using an intermediate certificate that is not present in the certificate base of well-known trusted certificate authorities which is distributed with a particular browser. In this case the authority provides a bundle of chained certificates which should be concatenated to the signed server certificate. The server certificate must appear before the chained certificates in the combined file:

$ cat www.example.com.crt bundle.crt > www.example.com.chained.crt

Since your SSL vendor has provided you with a CA bundle, you probably need it. Combine your .crt and .ca-bundle files into a file, put it on the server, and point ssl_certificate at it.

You should be the only one with the ssl_certificate_key file - you'd likely have generated it when you made your CSR.

Ignore the .p7b, I believe it's for IIS.

Related Solutions

SSL Certificate – How to Download SSL Certificate from a Website

In order to download the certificate, you need to use the client built into openssl like so:

echo -n | openssl s_client -connect $HOST:$PORTNUMBER -servername $SERVERNAME \
    | openssl x509 > /tmp/$SERVERNAME.cert

That will save the certificate to /tmp/$SERVERNAME.cert.

The -servername is used to select the correct certificate when multiple are presented, in the case of SNI.

You can use -showcerts if you want to download all the certificates in the chain. But if you just want to download the server certificate, there is no need to specify -showcerts. The x509 at the end will strip out the intermediate certs, you will need to use sed -n '/-----BEGIN/,/-----END/p' instead of the x509 at the end.

echo -n gives a response to the server, so that the connection is released

openssl x509 removes information about the certificate chain and connection details. This is the preferred format to import the certificate into other keystores.

SSL Error – Unable to Read Server Certificate from File

Is it possible that the lines are ^M-terminated? This is a potential issue when moving files from Windows to UNIX systems. One easy way to check is to use vi in "show me the binary" mode, with vi -b /etc/apache2/domain.ssl/domain.ssl.crt/domain.com.crt.

If each line ends with a control-M, like this

you've got a file in Windows line-terminated format, and apache doesn't love those.

Your options include moving the file over again, taking more care; or using the dos2unix command to strip those out; you can also remove them inside vi, if you're careful.

Edit: thanks to @dave_thompson_085, who points out that this answer no longer applies in 2019. That is, Apache/OpenSSL are now tolerant of ^M-terminated lines, so they don't cause problems. That said, other formatting errors, several different examples of which appear in the comments, can still cause problems; check carefully for these if the certificate has been moved across systems.

Best Answer

Related Solutions

SSL Certificate – How to Download SSL Certificate from a Website

SSL Error – Unable to Read Server Certificate from File

Related Topic