This topic describes how to download an SSL certificate from the Alibaba Cloud SSL Certificates console and install it on your Nginx/Tengine server.

Prerequisites

You selected Automatic for CSR Generation when applying for the certificate.

In this example, the certificate name is domain name, the certificate file is named domain name.pem and the key file is named domain name.key.

Procedure

  1. Log on to the Alibaba Cloud SSL Certificates console.
  2. On the SSL Certificates page, locate the target SSL certificate and click Download in the lower-right corner.

  3. In the Download Certificate dialog box, locate the row that contains the certificate whose Server Type is Nginx/Tengine, and click Download in the Actions column to download the package to your local host.
  4. Decompress the package.
    The following two files are extracted:
    • Certificate file (with the .pem extension or in the PEM file format)
    • Key file (with the .key extension or in the KEY file format)

    Note: The .pem certificate file is a Base64-encoded text file, and you can change its extension as needed.

    For more information about the certificate format, see What are the formats of mainstream digital certificates?

  5. Create a cert directory in the Nginx installation directory, and copy the downloaded certificate file and key file to the cert directory.
    Note: If you selected Manual for CSR Generation when applying for the certificate, place your private key file in the cert directory.
  6. Open Nginx installation directory > conf > nginx.conf. In the nginx.conf file, locate the following attributes:
    
    # HTTPS server
    server {
        listen 443;
        server_name localhost;
        ssl on;
        ssl_certificate cert.pem;
        ssl_certificate_key cert.key;
        ssl_session_timeout 5m;
        ssl_protocols SSLv2 SSLv3 TLSv1;
        ssl_ciphers ALL:!ADH:!EXPORT56:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv2:+EXP;
        ssl_prefer_server_ciphers on;
        location / {

    Modify the nginx.conf file as follows:
    
    The attributes that start with "ssl" are related to certificate configurations, while the others can be configured as needed.
    server {
        listen 443;
        server_name localhost;  # Replace localhost with the domain name bound to your certificate.
        ssl on;   # Set this attribute to on to enable the SSL function.
        root html;
        index index.html index.htm;
        ssl_certificate cert/domain name.pem;   # Replace domain name.pem with the name of your certificate file.
        ssl_certificate_key cert/domain name.key;   # Replace domain name.key with the name of your private key file.
        ssl_session_timeout 5m;
        ssl_ciphers ECDHE-RSA-AES128-GCM-SHA256:ECDHE:ECDH:AES:HIGH:!NULL:!aNULL:!MD5:!ADH:!RC4;  # Use this cipher suite.
        ssl_protocols TLSv1 TLSv1.1 TLSv1.2;   # Change protocols.
        ssl_prefer_server_ciphers on;
        location / {
            root html;   # Set the site directory.
            index index.html index.htm;   # Add an attribute.
        }
    }

  7. (Optional) Configure HTTP requests to be redirected to HTTPS, so that the site can still be reached when it is accessed over the HTTP protocol. Modify the nginx.conf file as follows:
    server {
        listen 80;
        server_name localhost;  # Replace localhost with the domain name bound to your certificate.
        return 301 https://$server_name$request_uri;
    }
    server {
        listen 443 ssl;
        server_name localhost;  # Replace localhost with the domain name bound to your certificate.
    }
  8. Save the nginx.conf file and exit.
  9. Restart the Nginx server.
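
The difference between the default ssl directives in step 6 and the modified ones can be checked mechanically before the restart. The Python audit below is an added example, not part of the original procedure; the two sample configurations are constructed from the snippets in step 6, and the `directives` and `audit` helper names are hypothetical.

```python
import re

# SSLv2/SSLv3 are broken; TLS 1.0 and 1.1 were deprecated by RFC 8996.
WEAK_PROTOCOLS = {"SSLv2", "SSLv3", "TLSv1", "TLSv1.1"}
# OpenSSL cipher-list keywords that admit weak suites unless prefixed with "!".
WEAK_CIPHER_WORDS = set("ALL LOW EXP EXPORT56 RC4 MD5 DES ADH aNULL NULL".split())

# Constructed sample: the default directives located in step 6.
DEFAULT_CONF = """
server {
    ssl_protocols SSLv2 SSLv3 TLSv1;
    ssl_ciphers ALL:!ADH:!EXPORT56:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv2:+EXP;
}
"""

# Constructed sample: the modified directives from step 6.
MODIFIED_CONF = """
server {
    ssl_protocols TLSv1 TLSv1.1 TLSv1.2;   # Change protocols.
    ssl_ciphers ECDHE-RSA-AES128-GCM-SHA256:ECDHE:ECDH:AES:HIGH:!NULL:!aNULL:!MD5:!ADH:!RC4;
}
"""

def directives(conf):
    """Yield (name, args) for each nginx directive, with comments stripped."""
    for stmt in re.split(r"[;{}]", re.sub(r"#.*", "", conf)):
        words = stmt.split()
        if words:
            yield words[0], words[1:]

def audit(conf):
    """Return findings for the ssl_protocols and ssl_ciphers directives."""
    findings = []
    for name, args in directives(conf):
        if name == "ssl_protocols":
            weak = sorted(WEAK_PROTOCOLS.intersection(args))
            if weak:
                findings.append("ssl_protocols enables " + ", ".join(weak))
        elif name == "ssl_ciphers":
            if len(args) != 1:  # nginx accepts exactly one argument here
                findings.append("ssl_ciphers is split by whitespace")
            for item in "".join(args).split(":"):
                # Items starting with "!", "-" or "+" exclude or reorder only.
                if item and item[0] not in "!-+":
                    weak = sorted(WEAK_CIPHER_WORDS.intersection(item.split("+")))
                    if weak:
                        findings.append("ssl_ciphers admits " + ", ".join(weak))
    return findings
```

Running `audit(MODIFIED_CONF)` still reports TLSv1 and TLSv1.1; removing those two values from ssl_protocols clears the finding, at the cost of dropping clients that cannot negotiate TLS 1.2.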