HTTPS certificate application process (for nginx)

The previous article, Build linux server completely, walked through the whole process of taking a server from a bare operating system to an application reachable over https. That article covered the https part only briefly, so this one describes the detailed application process and how to handle the problems commonly met along the way.

HTTPS application process

  1. On the server, generate the private key file server.key and the certificate signing request file (with the .csr suffix).
  2. Submit the .csr file to the certification authority to apply for the certificate.
  3. Combine the certificate returned for the application, domainCA.crt (the domain certificate), with the intermediate certificate and the root certificate into the certificate chain file completeCA.crt (the file name can be customized). Note that some certification authorities already return a complete chain that needs no further processing.
  4. Configure the private key file server.key and the completeCA.crt file in nginx.conf.

Apply for an SSL certificate (using the GlobalSign platform as the example)

  1. Execute the command to generate the private key (keytool stores it in a JKS keystore):
[root@amdx-dr soft]# keytool -genkey -alias amdx -keyalg RSA -keystore /soft/.keystore
Enter keystore password:  ***
Re-enter new password: ***
What is your first and last name?
  [Unknown]:  domain
What is the name of your organizational unit?
  [Unknown]:  unit
What is the name of your organization?
  [Unknown]:  IT dept
What is the name of your City or Locality?
  [Unknown]:  jiangxi
What is the name of your State or Province?
  [Unknown]:  pingx
What is the two-letter country code for this unit?
  [Unknown]:  CN
Is CN=domain, OU=CTM, O=IT dept, L=jiangxi, ST=pingx, C=MO correct?
  [no]:  y

Enter key password for <amdx>
	(RETURN if same as keystore password):  
Re-enter new password: ***

The JKS keystore uses a proprietary format. It is recommended to migrate to PKCS12 which is an industry standard format using "keytool -importkeystore -srckeystore /soft/.keystore -destkeystore /soft/.keystore -deststoretype pkcs12".

  2. Execute the command to generate the certificate signing request (CSR), which carries the public key, for the certificate application:
keytool -certreq -alias amdx -file /soft/request.csr -keystore /soft/server.key
  3. Send request.csr to the customer, who applies for the certificate; the certificate is returned as a base64 string (domainCA).
  4. Obtain rootCA and IntermediateCA (also base64 strings).
  5. Combine the three certificates into the .crt file that nginx needs.
  6. Configure https in nginx:
server {
    listen       443;
    server_name  domain;
    ssl on;                       # older syntax; current nginx versions use "listen 443 ssl;" instead
    ssl_certificate     /soft/completeCA.crt;   # certificate chain: server certificate first, then intermediates
    ssl_certificate_key /soft/server.key;       # PEM private key (not the JKS keystore)
    ssl_session_cache   shared:SSL:1m;
    ssl_session_timeout 5m;
    ssl_protocols TLSv1 TLSv1.1 TLSv1.2;        # TLSv1 and TLSv1.1 are deprecated; "TLSv1.2 TLSv1.3" is the current recommendation
    ssl_prefer_server_ciphers on;

    location / {
        client_max_body_size    16m;
        client_body_buffer_size 128k;
        proxy_pass              http://domain;
        proxy_set_header        Host $host;
        proxy_set_header        X-Real-IP $remote_addr;
        proxy_set_header        X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header        X-Forwarded-Proto https;
        proxy_next_upstream     off;
        proxy_connect_timeout   30;
        proxy_read_timeout      300;
        proxy_send_timeout      300;
    }
}

Problems encountered

Certificate issue

  1. After the https module is configured in nginx, the following error appears when ./nginx -t is executed:
[root@amdx-dr sbin]# ./nginx -t
nginx: [emerg] PEM_read_bio_X509_AUX("/soft/") failed (SSL: error:0906D064:PEM routines:PEM_read_bio:bad base64 decode)

Check whether each certificate file is well-formed:

# Well-formed certificate
[root@amdx-dr soft]# openssl x509 -text -noout -in rootCA.crt
        Version: 3 (0x2)
        Serial Number:
    Signature Algorithm: sha1WithRSAEncryption
        Issuer: C=BE, O=GlobalSign nv-sa, OU=Root CA, CN=GlobalSign Root CA
            Not Before: Sep  1 12:00:00 1998 GMT
            Not After : Jan 28 12:00:00 2028 GMT
        Subject: C=BE, O=GlobalSign nv-sa, OU=Root CA, CN=GlobalSign Root CA
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
# Broken certificate
[root@amdx-dr soft]# openssl x509 -text -noout -in domainCA.crt
unable to load certificate
140406046984080:error:0906D064:PEM routines:PEM_read_bio:bad base64 decode:pem_lib.c:824:

If the certificate itself is fine, continue to the next step.
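A small triage helper for the two PEM errors met in this post ("bad base64 decode" above, and the "no start line" error that turns up in the private key problem below), as an added example that is not code from the original post. It separates a PEM file whose BEGIN marker is intact but whose body is damaged from a file that is not PEM text at all (DER, a JKS keystore, a PKCS#12 bundle, or a file whose first line no longer starts with the marker, for instance after an editor added a byte-order mark). All sample files are constructed inside the script so it runs offline.

```sh
#!/bin/sh
# Added example (not code from the original post): a triage helper for the two
# PEM errors met in this post, "bad base64 decode" and "no start line". It
# separates a PEM file whose markers are intact but whose body is damaged from a
# file that is not PEM text at all (DER, a JKS keystore, a PKCS#12 bundle, or a
# file whose first line no longer starts with the BEGIN marker, for instance
# after an editor added a byte-order mark). The sample files are constructed
# here so the check runs offline.
set -eu
WORK="${WORK:-$(mktemp -d)}"

# classify_pem FILE KIND   (KIND is "cert" or "key"); prints one word:
#   ok             openssl parses the file
#   no-start-line  no line starts with "-----BEGIN": binary or encoding-damaged text
#   corrupt        marker present but the body does not parse (bad base64, ASN.1 error)
classify_pem() {
    file=$1; kind=$2
    if ! grep -q '^-----BEGIN' "$file"; then
        echo no-start-line; return 0
    fi
    if [ "$kind" = cert ]; then
        openssl x509 -noout -in "$file" >/dev/null 2>&1 && { echo ok; return 0; }
    else
        openssl pkey -noout -in "$file" >/dev/null 2>&1 && { echo ok; return 0; }
    fi
    echo corrupt
}

# Constructed samples: one good pair, then the ways the post's files went wrong.
make_samples() {
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=example.test" \
        -keyout "$WORK/good.key" -out "$WORK/good.crt" 2>/dev/null
    # One base64 character on line 3 replaced by '@': PEM_read_bio reports bad base64 decode.
    sed '3s|[A-Za-z0-9+/]|@|' "$WORK/good.crt" > "$WORK/corrupt.crt"
    # A UTF-8 byte-order mark before the BEGIN line: the marker is no longer at line start.
    { printf '\357\273\277'; cat "$WORK/good.crt"; } > "$WORK/bom.crt"
    # The same key in DER: valid key material, but binary, so "no start line" (as a JKS is).
    openssl pkey -in "$WORK/good.key" -outform DER -out "$WORK/binary.key"
}

make_samples
for f in good.crt corrupt.crt bom.crt; do
    echo "$f: $(classify_pem "$WORK/$f" cert)"
done
for f in good.key binary.key; do
    echo "$f: $(classify_pem "$WORK/$f" key)"
done
```

The distinction is what decides the next step: a "corrupt" verdict means the text was damaged in transit (a re-download or a clean paste of the base64 block fixes it), while "no-start-line" means the file is in a different format altogether, which is exactly the keytool keystore case below, and no amount of re-encoding in an editor will turn it into PEM.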

Private key problem

After replacing it with a correct certificate and reconfiguring the certificate and key, the following error is reported:

nginx: [emerg] SSL_CTX_use_PrivateKey_file("/soft/server.key") failed (SSL: 
error:0906D06C:PEM routines:PEM_read_bio:no start line:Expecting: ANY PRIVATE
 KEY error:140B0009:SSL routines:SSL_CTX_use_PrivateKey_file:PEM lib)

Searching for this error suggests that it is caused by a malformed key file. Opening server.key shows garbled content. Changing the file encoding was tried, but the problem remained:

cd /soft
vi server.key
:set fileencoding          " show the current encoding
:set fileencoding=ascii    " set the encoding

Changing the encoding did not solve it. The private key file looked garbled because the key generated by keytool is stored in a JKS keystore, a binary, encrypted format rather than PEM text, so the private key has to be extracted from it by other means. Reference: Nginx certificate configuration: converting a Tomcat certificate JKS file into the nginx certificate .crt and key files. The specific steps are as follows:

# View the keystore format and content
keytool -list -keystore domain.key
# Enter the password when prompted
Enter keystore password:
Keystore type: jks
Keystore provider: SUN
Your keystore contains 1 entry
amdx, Feb 13, 2020, PrivateKeyEntry,
Certificate fingerprint (SHA1): 37:51:60:6F:CE:99:06:27:9A:FB:6D:0E:E4:E1:CB:BE:4F:38:D9:B1

# Convert the .jks keystore to .p12 (a keystore in PKCS12 format)
keytool -importkeystore -srckeystore server.key.old -srcalias amdx -destkeystore newkeystore.p12 -deststoretype PKCS12
# List the new PKCS12-format keystore
keytool -list -storetype PKCS12 -keystore newkeystore.p12
# Extract the private key (-nodes writes it unencrypted, so restrict the file's permissions)
openssl pkcs12 -nocerts -nodes -in newkeystore.p12 -out server.key
# Finally, update the nginx configuration

The server.key produced this way is PEM (base64) text. After it was configured in nginx, the site could be accessed normally over https.
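The keystore-to-PEM extraction above, done with openssl only so it runs without Java, as an added example that is not code from the original post. A PKCS#12 bundle built from a throw-away key and self-signed certificate stands in for the newkeystore.p12 that keytool -importkeystore produces; the password demo-pass, the alias amdx and the file names are constructed for the demo. Beyond the post's own command it also strips the "Bag Attributes" preamble that openssl pkcs12 writes, locks the file down, and confirms the extracted key is the same key that was in the keystore.

```sh
#!/bin/sh
# Added example (not code from the original post): the "keystore -> PKCS#12 ->
# PEM key" extraction above with openssl only, so it runs without Java. A PKCS#12
# bundle is constructed here from a throw-away key and self-signed certificate to
# stand in for newkeystore.p12; the password "demo-pass", the alias amdx and the
# file names are constructed for the demo.
set -eu
WORK="${WORK:-$(mktemp -d)}"
P12_PASS=demo-pass

# Stand-in for newkeystore.p12 (what keytool -importkeystore produces).
make_p12() {
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=example.test" \
        -keyout "$WORK/original.key" -out "$WORK/domain.crt" 2>/dev/null
    openssl pkcs12 -export -name amdx -inkey "$WORK/original.key" -in "$WORK/domain.crt" \
        -out "$WORK/newkeystore.p12" -passout "pass:$P12_PASS"
}

# Extract the key as in the post (-nocerts -nodes: key only, unencrypted), then
# rewrite it with openssl pkey so the "Bag Attributes" preamble that pkcs12
# writes before the BEGIN line is dropped, and restrict the file's permissions.
extract_key() {
    openssl pkcs12 -in "$WORK/newkeystore.p12" -nocerts -nodes \
        -passin "pass:$P12_PASS" -out "$WORK/server.key.raw" 2>/dev/null
    openssl pkey -in "$WORK/server.key.raw" -out "$WORK/server.key"
    rm -f "$WORK/server.key.raw"
    chmod 600 "$WORK/server.key"
}

# The extracted key must be the same key that was in the keystore: compare a
# digest of the public key derived from each.
extracted_key_matches() {
    a=$(openssl pkey -in "$WORK/original.key" -pubout | openssl sha256)
    b=$(openssl pkey -in "$WORK/server.key" -pubout | openssl sha256)
    [ "$a" = "$b" ]
}

# nginx only accepts the key as PEM text; this is the check the post's
# "no start line" error is about.
key_is_pem() {
    head -n 1 "$WORK/server.key" | grep -q '^-----BEGIN'
}

make_p12
extract_key
extracted_key_matches && key_is_pem && echo "PEM key extracted to $WORK/server.key"
```

nginx tolerates the Bag Attributes lines, as the post found, but a key file that starts directly with the BEGIN line is easier to inspect and to hand to other tools, and the public-key comparison is worth keeping: it catches the case where the wrong alias was exported from a keystore holding several entries.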

Alicloud certificates

In China, Alicloud provides users with free SSL certificates. Applying for an https certificate on Alicloud is much less involved: follow the prompts to apply, then use the download function, which offers a Windows version (.pem file) or a Linux version (.crt file).


Looking back at these https certificate problems, it is better to use openssl rather than keytool to generate the CSR and the private key. Many pitfalls were hit along the way, mainly because it was not clear that the private key generated by keytool needs a format conversion before nginx can use it. When dealing with a problem it is easy to be misled by the first solution found, so it pays to understand the underlying principle instead of reacting passively.

Tags: Nginx SSL OpenSSL encoding

Posted on Thu, 26 Mar 2020 09:13:42 -0700 by ronnimallouk