Securing Nginx with HTTPS

SSLAdding a certificate and using the HTTPS protocol is a good improvement to the security in the communication between the browser and the server, and should be in place on all sites that have a user login. Contrary to what many (older) guides say, it doesn’t add much load on your server and is fairy easy and cheap to set up right.

First of all, make sure Nginx is installed and running. I highly recommend running the latest version from Nginx’ own Ubuntu repository.

Generate key and CSR

Generate the server’s private key:

$ openssl genrsa -out /etc/ssl/private/ 2048

The number (2048) is the key length. Anything shorter is considered to be unsafe soon and should be avoided for new keys. Anything longer is unnecessary and will only waste CPU.

Generate the Certificate Signing Request (CSR):

$ openssl req -new -key /etc/ssl/private/ -out /etc/ssl/private/

Fill in the requested fields, but please note the following:

  • Enter your FQDN for “Common Name (e.g. server FQDN or YOUR name)” In this case it’s “”
  • Press [ENTER] (blank) for “A challenge password”

Most Certificate Authorities will issue a certificate that is valid for both and if you provide as FQDN. The opposite is NOT the case.

Make sure the files are readable by root only:

$ chmod 0400 /etc/ssl/private/*

Acquire the certificate from a CA

Go to the web site of a Certificate Authority or affiliate. For securing regular web sites, I usually get a domain validated Comodo PositiveSSL certificate from They’re really cheap and more than good enough for most cases.

When you get the certificate from the CA – usually within an hour – place it in /etc/ssl/certs/

Intermediate Certificate Advisory

The certificate issuer will most likely provide you with a Intermediate Certificate Advisory or two. You MUST install the intermediate certificates on the server together with the certificate.

Save the intermediate certificate to /etc/ssl/certs/

In my case the two provided intermediate certs will be these two files:


Concatenate the certificates to one file (order is important):

$ cat /etc/ssl/certs/ /etc/ssl/certs/COMODORSADomainValidationSecureServerCA.crt /etc/ssl/certs/COMODORSAAddTrustCA.crt > /etc/ssl/certs/

Configure Nginx

Copy your existing server block and add the 4 SSL specific lines so the start of your new server block looks like this:

server {
    listen 443 ssl http2;
    ssl_certificate /etc/ssl/certs/;
    ssl_certificate_key /etc/ssl/private/;

Now reload your config and you should be done:

$ service nginx reload

You are now done with the basic configuration of HTTPS on Nginx. Next steps is first to enable SPDY enable HTTP/2 and then you should dive into the optimizing HTTPS on Nginx.


  1. Thanks for your nice tutorial!
    In the Configure Nginx I would mention you must edit the nginx.conf file (on Linux Ubuntu is located by default at /etc/nginx/nginx.conf) and that the block server { … } goes inside of the block html { … } :

    html {

    server {


    1. The block you’re mentioning is called http, and it will usually have an include statement to include files (in a subdirectory) with server blocks. It is much cleaner to organize your Nginx config this way.
      But that is way out of scope for this post, which assumes you already have a basic Nginx configuration.

  2. I dont own a domain and use localhost as the server_name. I want to use HTTP/2 to connect my client with the server. Can i use HTTP2 connection without using HTTPS or can I generate certificate for localhost?

    1. The HTTP/2 spec does not require HTTPS, but in practice all clients do. You can generate a self-signed certificate and use that.

Comments are closed.