1. Generate SSL request
First generate the key, replacing "mysite.com" with your site's domain name:
openssl genrsa -out www.mysite.com.key 2048
Then generate the request:
openssl req -new -key www.mysite.com.key -out www.mysite.com.csr
That command will prompt a few questions; it should look like:
Country Name (2 letter code) [AU]:US
State or Province Name (full name) [Some-State]:New York
Locality Name (eg, city) []:Your town
Organization Name (eg, company) [Internet Widgits Pty Ltd]:Your Corporation
Organizational Unit Name (eg, section) []:IT
Common Name (eg, YOUR name) []:www.mysite.com
Email Address []:someone@mysite.com
The Common Name is the most important field: it should be the exact domain name for which you are requesting SSL. In most cases, it should be "www.mysite.com". If you are buying for a subdomain, it should be something like "secured.mysite.com". For a wildcard, it should be "*.mysite.com".
After you finish, you should have 2 files: www.mysite.com.key and www.mysite.com.csr.
2. Buy the SSL on GoDaddy (if you don't already have it)
Now go to GoDaddy's site and buy the SSL. If it's for a new website, I highly recommend buying just the one-year version first. Their cheapest one is just $19.99/year. The reason is that you never know whether the new site is going to work out, or you may need to create secured subdomains a few months later. Because of all these uncertainties, it's better to pay a tad more for one year only.
The process of buying SSL is quite involved:
- You pay for the SSL order first, and you get 1 SSL credit in your GoDaddy account.
- You configure the credit and submit the whole body text from www.mysite.com.csr.
- Download the SSL, selecting type "other" in the dropdown, since we use nginx.
3. Install SSL on Nginx
GoDaddy will email you the zip file; it contains 2 files: www.mysite.com.crt and gd_bundle.crt. You need to combine both files into one file, with your domain SSL file on top. So unzip the zip file and combine them:
cat www.mysite.com.crt gd_bundle.crt > mysite_combined.crt
If you don't combine them, browsers will not be able to verify the certificate authority (CA) and will show popup dialogs or warning messages, which will certainly scare your site visitors away.
Now copy both the combined crt and www.mysite.com.key files to your SSL folders on the server:
cp mysite_combined.crt ~/ssl/certs
cp www.mysite.com.key ~/ssl/private
Then ask support to reload your vhost config.
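
Before the reload, it is worth confirming that the key, the CSR and the combined file belong together, and that the domain certificate really is the first one in the combined file. The script below is an added example, not part of the original instructions. It runs on constructed throwaway files (self-signed certificates stand in for the GoDaddy-issued one and for gd_bundle.crt), and the helper names pubkey_pem, same_key and make_samples are made up here.

```shell
#!/bin/sh
# Added example (not from the original page): check that key, CSR and
# combined certificate file belong together before reloading nginx.

# Print the public key (PEM) held in a private key, CSR or certificate.
# For a combined .crt, openssl x509 reads only the FIRST certificate,
# so the "cert" check also proves the domain certificate is on top.
pubkey_pem() {
    case "$1" in
        key)  openssl pkey -in "$2" -pubout ;;
        csr)  openssl req  -in "$2" -noout -pubkey ;;
        cert) openssl x509 -in "$2" -noout -pubkey ;;
        *)    return 2 ;;
    esac 2>/dev/null
}

# same_key TYPE1 FILE1 TYPE2 FILE2 -> exit 0 only if both parse and match.
same_key() {
    a=$(pubkey_pem "$1" "$2") || return 1
    b=$(pubkey_pem "$3" "$4") || return 1
    [ -n "$a" ] && [ "$a" = "$b" ]
}

# Constructed sample data: a throwaway key and CSR made as in step 1, a
# self-signed stand-in for the issued certificate, and a second
# self-signed certificate standing in for gd_bundle.crt.
make_samples() {
    openssl genrsa -out "$1/www.mysite.com.key" 2048 2>/dev/null &&
    openssl req -new -key "$1/www.mysite.com.key" -subj "/CN=www.mysite.com" \
        -out "$1/www.mysite.com.csr" &&
    openssl x509 -req -in "$1/www.mysite.com.csr" -days 1 \
        -signkey "$1/www.mysite.com.key" -out "$1/www.mysite.com.crt" 2>/dev/null &&
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=Sample CA" \
        -keyout "$1/ca.key" -out "$1/gd_bundle.crt" 2>/dev/null &&
    cat "$1/www.mysite.com.crt" "$1/gd_bundle.crt" > "$1/mysite_combined.crt" &&
    cat "$1/gd_bundle.crt" "$1/www.mysite.com.crt" > "$1/wrong_order.crt"
}

d=$(mktemp -d) && make_samples "$d" || exit 1
same_key key "$d/www.mysite.com.key" csr "$d/www.mysite.com.csr" &&
    echo "key matches CSR"
same_key key "$d/www.mysite.com.key" cert "$d/mysite_combined.crt" &&
    echo "key matches first certificate in combined file"
same_key key "$d/www.mysite.com.key" cert "$d/wrong_order.crt" ||
    echo "wrong_order.crt: first certificate is not the domain certificate"
rm -rf "$d"
```

On the real server, the equivalent check is same_key key ~/ssl/private/www.mysite.com.key cert ~/ssl/certs/mysite_combined.crt.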