HTTPS Server Configuration

I. SSL Certificate Application

1. Confirm the domain name that needs to apply for the certificate.


2. Generate a private key and CSR file.

On a Linux machine, run the following command to generate a private key:
# openssl genrsa -out server.key 2048
On a Linux machine, run the following command to generate a CSR file:
# openssl req -new -key server.key -out certreq.csr

The values shown below are only for reference and should be replaced by the merchant based on actual conditions.

Country Name: CN    //The ISO code for your country. The code for China is CN.

State or Province Name: Guangdong    //The province/autonomous region/municipality directly under the Central Government where your organization is located

Locality Name: Shenzhen    //The city/county/district where your organization is located

Organization Name: Tencent Technology (Shenzhen) Company Limited    //The legal name of your organization/institution/company

Organizational Unit Name: R&D    //Department name

Common Name: www.example.com    //Common name, such as www.itrus.com.cn. This item must be identical with the domain name used to access the server providing SSL services.

Email Address:    //Your email address (Not required. Press Enter to skip this).

"extra" attributes    //The following information is not required. Press Enter to skip this until the command is executed.

After the command above is executed, the private key file server.key and the CSR file certreq.csr are generated in the current directory.


3. Submit the generated CSR file to a third-party certificate issuing institution to apply for the server certificate for the corresponding domain name, and store the private key file securely.


4. After you apply for the certificate, the certificate issuing institution will provide the server certificate content and two intermediate CA certificates. Follow the instructions provided by the certificate issuer to generate the server certificate. Here, we assume that the name of the server certificate file is server.pem.


5. Copy the generated private key file server.key and the server certificate server.pem to the directory specified by the server. Now, you can configure the HTTPS server.
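
Steps 2 to 5 as a non-interactive script, added here as an example that is not part of the original page: it generates the key and CSR, then checks that the certificate returned by the issuer belongs to server.key and covers the domain before the files are copied to the server. The function names are hypothetical, the organization name is a placeholder, and the other subject fields are the page's sample values.

```shell
#!/bin/sh
# Added example, not from the original page. File names (server.key,
# certreq.csr, server.pem) follow the page; function names are hypothetical.

# Step 2: create a 2048-bit RSA key and a CSR for the domain given in $1.
# The subject fields are sample values; replace them with your own.
make_csr() {
    # umask 077 keeps the private key readable by its owner only.
    ( umask 077; openssl genrsa -out server.key 2048 2>/dev/null ) || return 1
    openssl req -new -key server.key -out certreq.csr \
        -subj "/C=CN/ST=Guangdong/L=Shenzhen/O=Example Org/OU=R&D/CN=$1" || return 1
    # Confirm the CSR is well formed and its self-signature verifies.
    openssl req -in certreq.csr -noout -verify 2>&1 | grep -q "verify OK"
}

# Succeed only if certificate $1 carries the public key of private key $2.
# If server.pem also holds intermediate certificates, the server certificate
# must come first, because openssl x509 reads only the first certificate.
cert_matches_key() {
    cert_pub=$(openssl x509 -in "$1" -noout -pubkey 2>/dev/null) || return 2
    key_pub=$(openssl pkey -in "$2" -pubout 2>/dev/null) || return 2
    [ -n "$cert_pub" ] && [ "$cert_pub" = "$key_pub" ]
}

# Succeed only if certificate $1 is valid for host name $2.
cert_covers_host() {
    openssl x509 -in "$1" -noout -checkhost "$2" 2>&1 |
        grep -q "does match certificate"
}

# Gate for step 5: run before copying server.pem and server.key to the server.
# usage: ready_to_deploy server.pem server.key www.example.com
ready_to_deploy() {
    cert_matches_key "$1" "$2" || { echo "certificate does not match key" >&2; return 1; }
    cert_covers_host "$1" "$3" || { echo "certificate does not cover $3" >&2; return 1; }
}
```
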

II. HTTPS Server Configuration

1. Nginx configuration

server {
    listen       443 ssl;    #Specify the SSL listener port and enable SSL on it (replaces the deprecated "ssl on;" directive)
    server_name  www.example.com;
    ssl_certificate      /etc/nginx/server.pem;    #Specify the server certificate path
    ssl_certificate_key  /etc/nginx/server.key;    #Specify the private key path
    ssl_session_timeout  5m;
    ssl_protocols TLSv1.2 TLSv1.3;    #Specify the protocol versions supported by the SSL server (TLSv1 and TLSv1.1 are deprecated; TLSv1.3 requires nginx 1.13.0+ built with OpenSSL 1.1.1+)
    ssl_ciphers  ECDHE-RSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-CHACHA20-POLY1305;    #Specify the encryption algorithms for TLSv1.2: forward-secret AEAD suites for the RSA certificate; no export, LOW, RC4 or SSLv2 suites
    ssl_prefer_server_ciphers   on;    #When using SSLv3 and TLS protocols, the specified server encryption algorithm takes precedence over the client encryption algorithm

    #The following content is only for reference and should be configured according to the actual domain name.
    location / {
        return 444;
    }
}

2. Configuration of other web servers

Refer to the document: Server Certificate Configuration Guide

III. Related Matters

1. Certificate issuing institution
We recommend iTrusChina. For more information, see


2. Reference documents:
ngx_http_ssl_module
Nginx Configuration for HTTPS Servers
Server Certificate Configuration Guide


3. FAQ

1. Certificate trust issue
Some SSL certificates issued in China are not trusted by Android devices. We recommend GeoTrust.


2. If the page uses static/dynamic separation and the static resources have an independent domain name, you must also apply for a certificate for this domain name.


3. Older Android versions do not support the SNI extension. Because of this limitation, a server can deploy only one digital certificate.



Powered By Tencent & Tenpay Copyright©

2005-2024 Tenpay All Rights Reserved.
