Installing SSL certificates in Windows IIS and Linux NGINX

By
Matt Winfield

I’m going to be dual-booting this blog post to talk about SSL certificates! We have a variety of Windows and Linux servers hosting websites here at liquidfish. One of the things that comes up fairly often is SSL certificates for these sites. I thought it would make for an interesting contrast if I went through the process of installing an SSL certificate in both Windows and Linux. In this case we are using Windows running IIS and Linux running nginx.

This would also have the added benefit of documenting this process for internal use. I’m talking to you developers!

Generate your certificate signing request (CSR)

Windows

  1. Open Internet Information Services (IIS) Manager
  2. Click the server name in the left pane and double click "Server Certificates" in the middle pane
  3. Click "Create Certificate Request…" in the right pane
  4. Fill out the fields on this screen as described below
  5. Common name: URL of the website
  6. Organization: Organization registering the site
  7. Organizational unit: Department within the organization registering the site
  8. City/locality: Site of organization
  9. State/province: State of organization
  10. Country/region: Country of organization
  11. Choose your cryptographic service provider and bit length.
  12. *At this point in time, you should be using a bit length of 2048. A coworker sent me a great post that explains why that is among other things here.
  13. Choose a location to save your CSR file

Linux

  1. Run "sudo openssl req -new -newkey rsa:2048 -nodes -keyout ~/example-url.com.key -out ~/example-url.com.csr"
  2. "-newkey rsa:2048" - indicates that this will be using RSA encryption at a 2048 bit length
  3. "-keyout ~/example-url.com.key -out ~/example-url.com.csr" - specifies a destination path and name for the key and csr files
  4. Fill out the fields on screen as described below
  5. Country Name (2 letter code) [XX]: Country of the registering organization
  6. State or Province Name (full name) []: State of the registering organization
  7. Locality Name (eg, city) [Default City]: City of the registering organization
  8. Organization Name (eg, company) [Default Company Ltd]: Name of the registering organization
  9. Organizational Unit Name (eg, section) []: Department within the organization registering the site
  10. Common Name (eg, your name or your server's hostname) []: URL of the website
  11. Email Address []: Not required
  12. A challenge password []: Not required, but can be used to verify the authenticity of the certificate sent by the Certificate Authority issuing the SSL certificate.
  13. An optional company name []: Not required

At this point, you have a CSR file and the next steps can vary depending on the company from whom you are buying your SSL certificate. In general you will upload or paste the contents of your CSR file to the website where you are purchasing the SSL. You will be required to verify your ownership of the domain through various methods, after which you will be able to download your certificate.

When it comes to domain verification, I personally prefer html verification. This means you download a file and upload it to your website’s root directory on the server. This file should then be accessible to the public from http://example-url.com/verification-file.html. This comes in handy when you do not actually own the domain or control DNS for the domain for which you are purchasing the SSL.

Apply your SSL certificate

Windows

  1. Open Internet Information Services (IIS) Manager.
  2. Click the server name in the left pane and double click "Server Certificates" in the middle pane.
  3. Click "Complete Certificate Request…" in the right pane.
  4. Use the file navigator or type out the full path to the certificate file provided by your CA earlier and give a simple name for the certificate.
  5. In the left pane, right click the website that will be using the certificate and click "Edit Bindings".
  6. In the "Site Bindings" window click "Add".
  7. In the new window change the "Type" to "https" and select the certificate you added earlier from the "SSL certificate" drop down.
  8. You’re done!

Linux

  1. Upload the certificate file to the server.
  2. Move the certificate file and the key file (created earlier when you generated the CSR request) into your central repository (commonly /etc/nginx/ssl for nginx).
  3. Modify the site’s nginx config. The boldface lines below were added in this step.
  4. The first "server" block is redirecting all http requests to https.
  5. The second server block is listening for https requests.
  6. You can see that "ssl_certificate" and "ssl_certificate_key" are pointed at the certificate and key files we moved in step 2.
  7. If you are more interested in what the other lines in bold do then I suggest you check out this article.

server {
   listen 80;
   server_name example-url.com;
   return 301 https://example-url.com$request_uri;
}

server {
   listen 443 ssl;
   server_name example-url.com www.example-url.com;
   root /var/www/vhosts/example-url.com/public;

   ## SSL
   ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
   ssl_ciphers 'EECDH+AESGCM:EDH+AESGCM:AES256+EECDH:AES256+EDH';
   ssl_prefer_server_ciphers on;
   ssl_certificate /etc/nginx/ssl/example-url.com.crt;
   ssl_certificate_key /etc/nginx/ssl/example-url.com.key;

   index index.html index.php;
   …
   …

That’s it when it comes to installing certificates in Windows running IIS and Linux running nginx! It wasn’t until I reread this post that I noticed how many more steps there are to installing SSLs in Windows. It gave me the idea to try generating a CSR and installing an SSL certificate purely using Powershell on Windows to simplify the process. I might have to write a blog post about that!