The difference between free certificates and paid certificates
First, free SSL certificates come with no warranty or SLA, which makes them suitable for personal projects and short-lived websites. For a website that will run long term, we do not recommend a free SSL certificate; in that case you need to purchase a paid one.
For ordinary websites, we recommend dnshe's DV SSL certificate, which costs only $4 per year for a single domain name and $40 per year for a wildcard domain (commonly known as a "wildcard" certificate). This price is quite affordable.
For commercial websites, an OV certificate is recommended. It is more expensive, but it is also more trustworthy: the CA verifies the organization before issuing it, whereas an ordinary DV certificate only requires proof of control of the domain name.
Generate a Certificate Signing Request (CSR)
You must have a Certificate Signing Request (CSR) to apply for the issuance of an SSL certificate.
Here we use OS X, Linux, UNIX and similar systems as examples. UNIX-based operating systems generally ship with an OpenSSL or GnuTLS toolchain; the openssl executable must be present on the system:
Debian / Ubuntu: apt install openssl
RHEL / CentOS / Fedora
Arch Linux
openSUSE / SuSE
Interactive CSR generation
First, generate the CSR that will be used to request the SSL certificate, using a 2048-bit RSA key as the example:
openssl req -new -newkey rsa:2048 -sha256 -nodes -out example_com.csr -keyout example_com.key -subj "/C=CN/ST=Beijing/L=Beijing/O=Example Inc/OU=Network Dept/CN=example.com"
Field meanings:
C   Country code
ST  Province or state
L   City
O   Company name
OU  Department name
CN  Common name; usually the domain name the certificate is to be issued for
If you plan to issue a wildcard certificate, use *.example.com as the CN (common name):
openssl req -new -newkey rsa:2048 -sha256 -nodes -out example_com.csr -keyout example_com.key -subj "/C=CN/ST=Beijing/L=Beijing/O=Example Inc/OU=Network Dept/CN=*.example.com"
If you want to generate an ECC certificate, the command looks like this:
openssl ecparam -out example_com.key -name prime256v1 -genkey && openssl req -new -key example_com.key -nodes -out example_com.csr -subj "/C=CN/ST=Beijing/L=Beijing/O=Example Inc/OU=Network Dept/CN=example.com"
If you are preparing to issue a multi-domain certificate, use the following command to include all domains. The subject alternative names must go into the subjectAltName extension (-addext, available in OpenSSL 1.1.1 and newer), not into the subject DN:
openssl req -new -newkey rsa:2048 -sha256 -nodes -out example_com.csr -keyout example_com.key -subj "/C=CN/ST=Beijing/L=Beijing/O=Example Inc/OU=Network Dept/CN=example.com" -addext "subjectAltName=DNS:example.com,DNS:sub1.example.com,DNS:sub2.example.com,DNS:sub.another-example.com"
If you are preparing to issue an IP certificate, leave out the CN (common name) and list the addresses as IP entries in the subjectAltName extension:
openssl req -new -newkey rsa:2048 -sha256 -nodes -out example_com.csr -keyout example_com.key -subj "/C=CN/ST=Beijing/L=Beijing/O=Example Inc/OU=Network Dept" -addext "subjectAltName=IP:192.0.2.1,IP:192.0.2.2"
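The following is an added example, not a command from the original article: a small shell script that wraps the CSR generation above and then decodes the resulting CSR to confirm that the SANs actually landed in the subjectAltName extension and that the request's self-signature verifies. It assumes OpenSSL 1.1.1 or newer (for -addext); the file names and the helper names make_csr, csr_sans and csr_signature_ok are placeholders chosen for this example.

```shell
#!/bin/sh
# Added example (not from the original article). Assumes OpenSSL >= 1.1.1.
set -e

# make_csr <key-file> <csr-file> <common-name> <san-list>
# <san-list> uses OpenSSL's extension syntax, e.g.
#   "DNS:example.com,DNS:www.example.com"  or  "IP:192.0.2.1"
make_csr() {
    key="$1"; csr="$2"; cn="$3"; sans="$4"
    openssl req -new -newkey rsa:2048 -sha256 -nodes \
        -keyout "$key" -out "$csr" \
        -subj "/C=CN/ST=Beijing/L=Beijing/O=Example Inc/OU=Network Dept/CN=$cn" \
        -addext "subjectAltName=$sans"
}

# csr_sans <csr-file>: print the decoded SAN line of the CSR (empty if the
# extension is missing, which is what happens when SANs are put in -subj).
csr_sans() {
    openssl req -in "$1" -noout -text \
        | grep -A1 'X509v3 Subject Alternative Name' \
        | tail -n 1 | sed 's/^[[:space:]]*//'
}

# csr_signature_ok <csr-file>: succeed only if the CSR's self-signature
# verifies, i.e. the CSR was really produced with the private key you keep.
csr_signature_ok() {
    openssl req -in "$1" -noout -verify >/dev/null 2>&1
}

# Usage:
#   make_csr example_com.key example_com.csr example.com \
#       "DNS:example.com,DNS:www.example.com"
#   csr_sans example_com.csr      # expect: DNS:example.com, DNS:www.example.com
#   csr_signature_ok example_com.csr && echo "CSR signature OK"
```

Run csr_sans on every CSR before you submit it: a CA issues exactly the names present in the request, so a CSR whose SAN line comes back empty will produce a certificate that browsers reject for the extra domains.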
Purchase and place an order to obtain the certificate file
The purchasing process is the same on every vendor's website: submit the contents of the example_com.csr file, fill in the relevant information, pay, wait for the verification e-mail, and the certificate is issued once verification passes.
Under the CA/Browser Forum rules, an ordinary DV single-domain or multi-domain certificate can be verified over HTTP/HTTPS, by e-mail to a domain administrator address, or by a DNS record (usually a TXT or CNAME record). Wildcard certificates currently support DNS record verification only.
Under another CA/Browser Forum rule, the validity period of any SSL certificate may not exceed 13 months (397 days), and no paid or free certificate on the market may exceed it. Anyone selling you a "two-year" or "five-year" certificate is misleading you: they issue a one-year certificate first and then renew it for free in the following years. Renewal is the same process as issuance, and your domain name or organization has to be verified again.
I won't go into further detail here. After completing the purchase, you will receive a file such as example_com.crt, which contains the certificate's public key and the other certificate details: expiry date, domain name, issuer and so on. Note that the certificate chain in this file is usually incomplete, although some vendors do send the complete chain. If you configure the incomplete file in Nginx as-is, some browsers will show certificate errors. In that case, paste the contents of the CRT file into the What's My Chain Cert service and download the complete certificate chain:
At this point we have a file such as example_com.chain.crt, and we copy example_com.key and example_com.chain.crt to the server.
Now open example_com.chain.crt and save everything in it other than the contents of example_com.crt (that is, the CA certificates) as a separate file named example_com.ca.crt.
We end up with the following files:
/etc/nginx/ssl/example_com.key        Certificate private key, generated locally or on the server with OpenSSL
/etc/nginx/ssl/example_com.crt        The certificate (public key) provided by the vendor; no longer needed once the chain file exists and can be discarded
/etc/nginx/ssl/example_com.chain.crt  The complete certificate chain
/etc/nginx/ssl/example_com.ca.crt     The CA certificates (used for OCSP stapling verification)
Remember to keep them on your server, for example by creating the /etc/nginx/ssl directory and placing them there.
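Splitting the chain file by hand is error-prone, so here is an added example (not a script from the original article) that does the step above with awk: it writes the first PEM block of the chain file to a leaf file and every following block (intermediates, and the root if the vendor included it) to the CA file, then checks that the leaf it extracted is byte-for-byte the certificate the vendor sent. It is pure text processing and needs no openssl binary; the file paths and the helper names count_certs, split_chain and leaf_matches are placeholders for this example.

```shell
#!/bin/sh
# Added example (not from the original article).
set -e

# count_certs <pem-file>: number of PEM certificate blocks in the file
count_certs() {
    grep -c -- '-----BEGIN CERTIFICATE-----' "$1" || true
}

# split_chain <chain.crt> <leaf.crt> <ca.crt>
# Block 1 of a chain file is the server (leaf) certificate; blocks 2..n are
# the CA certificates that ssl_trusted_certificate needs.
split_chain() {
    chain="$1"; leaf="$2"; ca="$3"
    : > "$leaf"; : > "$ca"
    awk -v leaf="$leaf" -v ca="$ca" '
        /-----BEGIN CERTIFICATE-----/ { n++ }
        n == 1 { print > leaf }
        n >= 2 { print > ca }
    ' "$chain"
    if [ "$(count_certs "$ca")" -lt 1 ]; then
        echo "no CA certificates found in $chain; the chain is still incomplete" >&2
        return 1
    fi
}

# leaf_matches <extracted-leaf> <vendor.crt>: succeed if both files hold the
# same certificate, ignoring whitespace and line-ending differences.
leaf_matches() {
    [ "$(tr -d ' \t\r\n' < "$1")" = "$(tr -d ' \t\r\n' < "$2")" ]
}

# Usage:
#   split_chain /etc/nginx/ssl/example_com.chain.crt \
#       /tmp/leaf.crt /etc/nginx/ssl/example_com.ca.crt
#   leaf_matches /tmp/leaf.crt /etc/nginx/ssl/example_com.crt \
#       && echo "first block of the chain is the vendor certificate"
```

After Nginx has been reloaded with these files, `openssl s_client -connect example.com:443 -servername example.com -status </dev/null` prints the chain the server actually sends and, once stapling has warmed up, the stapled OCSP response, which is the quickest way to confirm the split was done correctly.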
Configure Nginx SSL certificate to enable HTTPS
You can use the following configuration as a reference. Note that only the first website listening on a given port may use default_server and reuseport in its listen directives; if you add more websites, remove those two parameters from their server blocks.
Redirect all HTTP requests to HTTPS:
server {
    listen 80 default_server;
    listen [::]:80 default_server;
    location / {
        return 301 https://$host$request_uri;
    }
}
Generate the dhparam file:
mkdir -p /etc/nginx/ssl
openssl dhparam -dsaparam -out /etc/nginx/ssl/dhparam 2048
If generating it is too slow for you, you can also use the pre-generated ffdhe2048 group published by Mozilla:
curl https://ssl-config.mozilla.org/ffdhe2048.txt > /etc/nginx/ssl/dhparam
Then listen on port 443 and enable HTTP/2, HTTP/3, OCSP stapling, TLS 1.2, TLS 1.3 and HSTS preload.
The example uses example.com, with the website files in /var/www/example.com:
server {
    listen 443 ssl default_server;
    listen [::]:443 ssl default_server;
    # Enable HTTP/3
    listen 443 quic reuseport;
    listen [::]:443 quic reuseport;
    # Enable HTTP/2
    http2 on;
    server_name example.com;
    root /var/www/example.com;
    index index.html;
    ssl_certificate /etc/nginx/ssl/example_com.chain.crt;
    ssl_certificate_key /etc/nginx/ssl/example_com.key;
    ssl_trusted_certificate /etc/nginx/ssl/example_com.ca.crt;
    ssl_session_timeout 1d;
    ssl_session_cache shared:SSL:10m;
    ssl_session_tickets off;
    ssl_dhparam /etc/nginx/ssl/dhparam;
    ssl_protocols TLSv1.2 TLSv1.3;
    ssl_ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384;
    ssl_prefer_server_ciphers off;
    add_header Alt-Svc 'h3=":443"; ma=86400';
    add_header Referrer-Policy strict-origin-when-cross-origin;
    add_header Strict-Transport-Security "max-age=63072000; includeSubDomains; preload";
    add_header X-Frame-Options SAMEORIGIN;
    add_header X-Content-Type-Options nosniff;
    add_header X-XSS-Protection "1; mode=block";
    ssl_stapling on;
    ssl_stapling_verify on;
    # Machines in mainland China: replace these with DNS resolvers you can reach
    resolver 1.1.1.1 8.8.8.8 valid=300s;
    resolver_timeout 10s;
}
Then test the Nginx configuration and reload it:
nginx -t
nginx -s reload
Finally, open https://example.com/ in a browser to check that the certificate is in effect.