Friday, October 10, 2014

Nginx and Extended Validation SSL Certificates

Quick tip on setting up Nginx with Extended Validation (EV) SSL certificates since this took a bit of trial and error for me this morning and I found a lot of conflicting and in some cases incorrect information while searching around.

If after configuring Nginx with your SSL certificate you're getting an untrusted certificate error, or a 400 error saying the certificate wasn't sent, you're likely missing the intermediate certificate bundle that's required on EV certificates, which if you use Verisign certs is located here:

According to the Nginx documentation (pro tip: start with the docs, not with what you pull up on StackOverflow), you need to concatenate your host-specific SSL certificate and the intermediate certificate bundle into a single file, with the host-specific SSL certificate first in the file. So you'll end up with a single file (foo.crt) that contains three certificate blocks, and just make sure the one for your host (i.e. the one that goes with your key) comes first.

Once I had all that in place the browser was happy with what Nginx was giving it as far as SSL is concerned.

No comments: