Install a certificate for Nginx

Generating a private key and a CSR

You can use our CSR and private key generation documentation for Openssl.

Certificate installation

The installation is practically the same as for Apache 2.4.8+ (see "Install an Apache certificate"), but the directives differ.

  1. Download your certificate and the associated certification chain in PEM format:
    Access the status page of your certificate at TBS INTERNET (in your account or delivery email), then click on the button "See the certificate".
    Select "See the certificate in X509 format with its chain" to download the file pem-XXXXXXXXXX-XXXXXXX.pem

  2. Configure nginx with the following server block (TLS is enabled on the listen directive; the former "ssl on;" directive is deprecated since nginx 1.15.0 and was removed in 1.25.1):
    server {
        listen               443 ssl;
        server_name          www.example.com;
        ssl_certificate      /path/to/pem-XXXXXXXXXX-XXXXXXX.pem;
        ssl_certificate_key  /chemin/vers/votre_clé_privée.key;
        ssl_protocols        TLSv1.2 TLSv1.3;
        # ssl_ciphers only applies to TLSv1.2; TLSv1.3 suites are chosen by OpenSSL
        ssl_ciphers  ECDH+AESGCM:ECDH+AES256-CBC:ECDH+AES128-CBC:DH+3DES:!ADH:!AECDH:!MD5;
        ssl_prefer_server_ciphers on;
        ssl_ecdh_curve secp384r1; # ECDH curve

        ...
    }
    
N.B.:
If Google Chrome shows a message such as "This site uses a weak security configuration (SHA-1 signatures), so your connection may not be private.", check your ssl_ciphers or ssl_protocols configuration.

If you are having compatibility issues with your browser, you can try this ssl_ciphers value instead:
    ssl_ciphers !EDH:!RC4:!ADH:!DSS:HIGH:+AES128:+AES256-SHA256:+AES128-SHA256:+SHA:+3DES:!NULL:!aNULL:!eNULL;

Security recommendations

  • We recommend generating unique DH groups on your machine to raise its security level. To do so, run the following command and place the resulting file in a directory readable by the web server:
    openssl dhparam -out dhparams.pem 2048

    Then add the following line to your configuration:
    ssl_dhparam /chemin/vers/votre/dhparams.pem;
  • We recommend choosing a strong elliptic curve for the ECDH key exchange by adding the following line:
    ssl_ecdh_curve secp384r1;
  • Enable OCSP stapling on nginx to speed up page loading while strengthening security.
  • Enable HSTS support to protect your users from MITM attacks.
  • We recommend protecting your site against framing (clickjacking) and MIME sniffing with these headers:
    add_header X-Frame-Options DENY;
    add_header X-Content-Type-Options nosniff;

Notices

  • If you want to allow session resumption, you must configure a shared session cache and a session timeout at the server level. To do so, add these lines to your global configuration (http block):
    ssl_session_cache shared:SSL:10m;
    ssl_session_timeout 10m;
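As an added check that is not part of TBS's documentation: a small Python script that audits an nginx configuration text against the recommendations on this page. It flags the deprecated "ssl on;", a listen directive without "ssl", protocols other than TLSv1.2/1.3, enabled cipher families the page warns away from (3DES, RC4, MD5), and the missing dhparam, OCSP stapling, session-cache and header directives. The sample server block, the directive names treated as required and the weak-cipher token list are this example's assumptions.

```python
import re
# Cipher families the page warns away from, and the hardening directives/headers it recommends.
WEAK_CIPHER_TOKENS = ("3DES", "RC4", "MD5", "NULL", "EXPORT")
REQUIRED = ("ssl_dhparam", "ssl_stapling", "ssl_session_cache", "ssl_session_timeout")
REQUIRED_HEADERS = ("Strict-Transport-Security", "X-Frame-Options", "X-Content-Type-Options")

def parse_directives(config):
    """Return (name, value) pairs for every directive; comments and braces are dropped."""
    text = re.sub(r"#[^\n]*", "", config)   # strip '# ECDH curve' style comments
    text = re.sub(r"[{}]", ";", text)        # a block brace ends a statement like ';' does
    pairs = []
    for stmt in text.split(";"):
        parts = stmt.split()
        if parts:
            pairs.append((parts[0], " ".join(parts[1:])))
    return pairs

def audit_tls_config(config):
    """Return the findings for an nginx config text (pass the http block too if
    the session-cache directives live there); an empty list means it passes."""
    vals = {}
    for name, value in parse_directives(config):
        vals.setdefault(name, []).append(value)
    findings = []
    if "ssl" in vals:
        findings.append("deprecated 'ssl on;' (removed in nginx 1.25.1): use 'listen 443 ssl;'")
    if not any("ssl" in v.split() for v in vals.get("listen", [])):
        findings.append("no 'listen 443 ssl;' directive")
    protos = set(" ".join(vals.get("ssl_protocols", [])).split())
    if not protos or protos - {"TLSv1.2", "TLSv1.3"}:
        findings.append("ssl_protocols must be limited to TLSv1.2 TLSv1.3, found %s" % sorted(protos))
    for tok in ":".join(vals.get("ssl_ciphers", [])).split(":"):
        if tok and not tok.startswith("!") and any(w in tok.upper() for w in WEAK_CIPHER_TOKENS):
            findings.append("weak cipher family enabled in ssl_ciphers: " + tok)
    findings += ["missing directive " + n for n in REQUIRED if n not in vals]
    headers = {v.split()[0] for v in vals.get("add_header", []) if v.split()}
    findings += ["missing add_header " + h for h in REQUIRED_HEADERS if h not in headers]
    return findings

# Constructed sample: the server block as the page first shows it, before its recommendations.
PAGE_CONFIG = """
server {
    listen               443;
    ssl                  on;
    ssl_certificate      /path/to/pem-XXXXXXXXXX-XXXXXXX.pem;
    ssl_protocols        TLSv1.2 TLSv1.3;
    ssl_ciphers  ECDH+AESGCM:ECDH+AES256-CBC:ECDH+AES128-CBC:DH+3DES:!ADH:!AECDH:!MD5;
    ssl_ecdh_curve secp384r1; # ECDH curve
}
"""
```

Running audit_tls_config(PAGE_CONFIG) lists ten findings; applying every recommendation on this page (listen 443 ssl, dhparam, stapling, session cache, HSTS and the two headers) brings it to an empty list.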
    