Docs
ussl
Certificate Deployment
Nginx Deployment

Nginx Deployment

I. Acquiring PEM-formatted certificate public and private keys

Firstly, log into the SSL console: https://{{consoleURLwithoutHttp}}/ussl/ussl. Afterwards, download the certificate.

Certificate format: pem for nginx (After downloading the certificate, open the Nginx folder)

After decompression, two files will be obtained: the pem suffix is the certificate’s public key + ca certificate file (e.g., public.pem), the key suffix is the private key file (e.g., private.key)

II. Deploy the certificate in Nginx and optimize the SSL configuration

Go to the conf directory of nginx, find the nginx.conf file, and modify or configure it as follows:

server {
        listen       443; (ps: for nginx 1.15 and versions above, modify to listen 443 ssl;)
        server_name  www.trustasia.com # your domain, such as www.abc.com;
        ssl                  on;
        ssl_certificate      /xxx/xxx/server.pem; # Configure according to actual path and filename
        ssl_certificate_key  /xxx/xxx/server.key; # Configure according to actual path and filename
        ssl_session_timeout  5m;
        ssl_protocols TLSv1 TLSv1.1 TLSv1.2; # Configure according to this protocol
        ssl_ciphers  ECDHE-RSA-AES128-GCM-SHA256:HIGH:!aNULL:!MD5:!RC4:!DHE; # Configure according to this suite
        ssl_prefer_server_ciphers   on;
        location / {
            root   html; # Site Directory
            index  index.html index.htm;
        }
}

Below are the explanations for the configuration file parameters: listen 443

SSL access port number is 443

ssl on

Enable SSL function

ssl_certificate

Certificate file server.pem

ssl_certificate_key

Private key file server.key

ssl_protocols

Protocol in use

ssl_ciphers

Configure encryption suite, syntax follows openssl standard

After configuring, use bin/nginx –t to test if there are any errors in the configuration. If there are no errors, it is recommended to restart nginx.

III. Using full-site encryption and auto-redirecting http to https (optional)

For users, they either don’t know about https, or they know about https but due to laziness, they don’t want to input https. Thus arises a requirement to auto-redirect http requests to https at the server level.

In terms of the server configuration, a js script can be added to the webpage, redirection can be coded into the backend, or the web server can be used to implement redirection. Nginix supports rewrite (as long as pcre is not removed during compilation).

In the http server, add rewrite ^(.*) https://$host$1 permanent;

This allows requests coming in at port 80 to be redirected to https.

Certificate hostingCertificate Deployment for Tomcat8.5/Tomcat9