SSL certificate

Preparing your SSL certificate for your stack


To add SSL to your stack, you need an SSL certificate and its private key. Some certificate authorities also provide you with an intermediate certificate. Before you start, make sure that your private key is not passphrase protected.

Once you have your certificate, key and (if applicable) intermediate certificate, paste them into the corresponding boxes of the SSL certificate add-in. You can also enter a domain name if you want to restrict the certificate to a specific domain.

Certificate signing request

To generate a key and certificate signing request, follow the steps below.

  1. Generate a private key from the command line, without specifying a passphrase:

     $ openssl genrsa -out private_key.key 2048

  2. Create a certificate signing request (CSR) and enter your organisation's details when prompted:

     $ openssl req -new -key private_key.key -out signing_request.csr

  3. Provide the CSR file to your certificate authority, who will in turn issue you a certificate (CRT) file.
  4. Use the original private_key.key file together with this .crt file on Cloud 66: the certificate is bound to the public half of that key, so a key generated later will not work with it.
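The script below is an added example for the four steps above; it is not Cloud 66's own tooling. It runs steps 1 and 2 non-interactively (the subject is passed with -subj instead of answering the prompts) and then checks the two things the text relies on before the CSR is sent to a CA: the key has no passphrase, and the CSR was made with that key. The file names, working directory and subject fields are constructed placeholders.

```shell
#!/bin/sh
# Added example, not Cloud 66's own tooling. File names and the subject are placeholders.
set -eu

WORKDIR="$(mktemp -d)"
KEY="$WORKDIR/private_key.key"
CSR="$WORKDIR/signing_request.csr"

# Step 1: 2048-bit RSA key. No -aes256/-des3 option means no passphrase prompt.
make_key() {
    openssl genrsa -out "$KEY" 2048 2>/dev/null
}

# Step 2: the CSR. The subject fields are placeholders; replace them with your own.
make_csr() {
    openssl req -new -key "$KEY" -out "$CSR" \
        -subj "/C=GB/ST=London/L=London/O=Example Ltd/CN=www.example.com" 2>/dev/null
}

# Check 1: an encrypted PEM key carries an ENCRYPTED marker in its header and
# cannot be loaded with an empty passphrase. Nginx has to load the key unattended.
key_is_unencrypted() {
    ! grep -q ENCRYPTED "$KEY" && openssl rsa -in "$KEY" -noout -passin pass: 2>/dev/null
}

# Check 2: the CSR's self-signature verifies, and its public key is the public
# half of private_key.key, so the certificate the CA issues will pair with this key.
csr_matches_key() {
    openssl req -in "$CSR" -noout -verify 2>/dev/null &&
    [ "$(openssl req -in "$CSR" -noout -pubkey)" = \
      "$(openssl rsa -in "$KEY" -pubout 2>/dev/null)" ]
}

# What the CA will see as the subject, for a last look before submitting.
csr_summary() {
    openssl req -in "$CSR" -noout -subject
}

make_key
make_csr
if key_is_unencrypted && csr_matches_key; then
    echo "ready to submit: $(csr_summary)"
else
    echo "key or CSR failed its checks" >&2
    exit 1
fi
```

Run it as-is to see the checks pass on a fresh key; to test an existing key, point KEY at it and call only key_is_unencrypted and csr_matches_key. A key that fails the first check is exactly the kind that Nginx cannot load without a passphrase prompt.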


Important

You cannot use passphrase-protected certificate keys with Nginx. Learn how to remove the passphrase from a certificate key.

Intermediate certificates

Some SSL certificate authorities (CAs), such as RapidSSL, issue certificates that are not trusted by all devices out of the box (Android devices in particular). This is because they are not root CAs themselves and usually act as resellers for other authorities (such as VeriSign), so a device needs the intermediate certificate to complete the chain from your certificate to a root it trusts.

Cloud 66 supports these CAs fully by letting you add the intermediate certificate separately in the SSL certificate add-in form.

Multi-domain certificates

When installing multi-domain certificates, certificate authorities such as Comodo typically send you four files:

  1. Root CA Certificate - AddTrustExternalCARoot.crt
  2. Intermediate CA Certificate - COMODORSAAddTrustCA.crt
  3. Intermediate CA Certificate - COMODORSAExtendedValidationSecureServerCA.crt
  4. Your COMODO EV Multi-Domain SSL Certificate - 14637732.crt

To use these, concatenate all files except the last one (your own certificate), starting with the intermediate that issued your certificate and ending with the root CA certificate:

$ cat COMODORSAExtendedValidationSecureServerCA.crt COMODORSAAddTrustCA.crt AddTrustExternalCARoot.crt > bundle_file
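As an added example (not part of Cloud 66's documentation or tooling), the script below constructs a throwaway chain of the same shape as the four files above, with a root CA, one intermediate CA and a server certificate, builds the bundle in the order given (intermediates first, root last), and then checks that the server certificate really chains to a root through that bundle and that the uploaded key is the one the certificate was issued for. All names and subjects are made up, and the working directory is temporary.

```shell
#!/bin/sh
# Added example, not Cloud 66's own tooling. Every name and subject here is constructed.
set -eu

D="$(mktemp -d)"
# Extensions that make a certificate usable as a CA (needed by the root and intermediate).
printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign,cRLSign\n' > "$D/ca.ext"

# Unencrypted 2048-bit key plus a CSR with the given subject, with no prompts.
key_and_csr() {
    openssl genrsa -out "$D/$1.key" 2048 2>/dev/null
    openssl req -new -key "$D/$1.key" -subj "/CN=$2" -out "$D/$1.csr" 2>/dev/null
}

build_chain() {
    key_and_csr root "Example Root CA"
    key_and_csr inter "Example Intermediate CA"
    key_and_csr server "www.example.com"
    # Self-signed root (plays the part of AddTrustExternalCARoot.crt).
    openssl x509 -req -in "$D/root.csr" -signkey "$D/root.key" -days 30 \
        -extfile "$D/ca.ext" -out "$D/root.crt" 2>/dev/null
    # Intermediate signed by the root (plays the part of the COMODORSA*CA.crt files).
    openssl x509 -req -in "$D/inter.csr" -CA "$D/root.crt" -CAkey "$D/root.key" \
        -CAcreateserial -days 30 -extfile "$D/ca.ext" -out "$D/inter.crt" 2>/dev/null
    # Server certificate signed by the intermediate (plays the part of 14637732.crt).
    openssl x509 -req -in "$D/server.csr" -CA "$D/inter.crt" -CAkey "$D/inter.key" \
        -CAcreateserial -days 30 -out "$D/server.crt" 2>/dev/null
}

# Bundle = everything except the server certificate, intermediate first, root last.
make_bundle() {
    cat "$D/inter.crt" "$D/root.crt" > "$D/bundle_file"
}

# The server certificate must build a complete chain to a root using only the bundle.
bundle_verifies() {
    openssl verify -CAfile "$D/bundle_file" "$D/server.crt" >/dev/null 2>&1
}

# With the intermediate left out, only the root is available and the chain is
# incomplete; this is the shape of the device-compatibility failures described above.
bundle_without_intermediate_fails() {
    ! openssl verify -CAfile "$D/root.crt" "$D/server.crt" >/dev/null 2>&1
}

# The key uploaded with the certificate must be the one its CSR was generated from.
cert_matches_key() {
    [ "$(openssl x509 -in "$D/server.crt" -noout -pubkey)" = \
      "$(openssl rsa -in "$D/server.key" -pubout 2>/dev/null)" ]
}

build_chain
make_bundle
if bundle_verifies && bundle_without_intermediate_fails && cert_matches_key; then
    echo "bundle complete and key matches: $D/bundle_file"
else
    echo "chain check failed" >&2
    exit 1
fi
```

To check a real bundle, point bundle_verifies at the bundle_file you built and your CA-issued certificate: openssl verify treats the file as a trust store, so it confirms the bundle is complete, while the order of the files is what matters for the web server that serves the chain.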

If this doesn't work, make sure that your private key is not passphrase protected.

Separate domains with different certificates

You may need to serve different parts of your application on separate domains, each with its own SSL certificate. You can set this up with the Nginx CustomConfig: define two server blocks, each listening for one domain and serving its own certificate (the certificate and key files themselves live on the server):

{% if allow_ssl == true %}

# main domain
server {
    # "listen 443 ssl;" replaces the older "ssl on;" directive, which is deprecated
    listen 443 ssl;
    ssl_certificate_key /etc/ssl/localcerts/certificate_name_1.key;
    ssl_certificate /etc/ssl/localcerts/certificate_name_1.crt;
    # Nginx picks this block, and therefore this certificate, from the host name
    # the client sends (SNI)
    server_name server_name_1.com;
    client_max_body_size 50m;
    ...
}

# secondary domain
server {
    listen 443 ssl;
    ssl_certificate_key /etc/ssl/localcerts/certificate_name_2.key;
    ssl_certificate /etc/ssl/localcerts/certificate_name_2.crt;
    server_name server_name_2.com;
    client_max_body_size 50m;
    ...
}

{% endif %}

If you’re using the Nginx CustomConfig for multiple domains, will the multiple certificates placed on the server also be placed on extra servers if one scales up an application with a load balancer in front of it?

Yes, that is correct. The certificate and key would need to be made available on each server, which could either be done with a deploy hook or manually.

  1. Use the original .key file together with this .crt file on Cloud 66. What does that mean??? Please be more specific….