After installing the SSL certificate on the Nginx web server, you need to check if it is installed correctly.
I installed the SSL certificate, a Sectigo ECC certificate, two months ago.
Now I change the certificate files.
Previously, I put the site SSL certificate file content and the SSL bundle file together. The final SSL certificate file is 4.36KB. It includes three certificates. The guide is from the Comodo official site. The Sectigo site has a similar guide here.
Now I remove the last one and keep just the site certificate and the middle one. The total size is 3.01KB.
The certificate I deleted from the old file is for USERTrust ECC Certification Authority. It is already included in the Trusted Root CA list.
Then, I tested the new certificate file, which has two certificates only, on different online SSL checking tools.
Certificate for local system with Thumbprint be f9 b4 cd 1xxxxxxxx f4 df 51 is about to expire or already expired.
I did a search and found a way to solve this problem.
Before doing the following, I would like to make an announcement. It is just a warning. It will not affect your Windows system.
Right Click Start > Run > type mmc > press ENTER
On the File Menu > Click Add/Remove Snap-in > Click Certificates > Click Add
Click Computer Account > click Next
Click Finish > Click OK
In the console tree, Expand Certificates > Personal > Certificates
You should see the XBL Client IPsec Issuing CA
Right Click on it > All tasks > Export
Follow the Export Wizard > Export it as an X.509 (.cer) file > Give it a name (example: xbl-client-ipsec.cer)
Right Click on it > Delete > Confirm Delete
Close the mmc > Say NO when asked if you want to save Console
Now, the certificate is removed. This warning should not appear in the Event Viewer.
Now my blog, David Yin Blog, is HTTPS encrypted. It is also HSTS enabled. And most recently, it is HSTS preload enabled.
This has three layers of meaning.
HSTS preload enabled.
Let me explain them one by one.
First, add HTTPS support. I did this step in Feb. 2016, when I announced that SSL was added. I recorded how I got the SSL certificate and installed it on the Nginx web server.
After that, all content sent back and forth between my blog and the audience is encrypted. Even the ISP cannot read the content from the data traffic.
Second, I added HSTS to the Nginx configuration to make it more secure.
What is HSTS?
HTTP Strict Transport Security (HSTS) is a web security policy mechanism which helps to protect websites against protocol downgrade attacks and cookie hijacking. It allows web servers to declare that web browsers (or other complying user agents) should only interact with it using secure HTTPS connections, and never via the insecure HTTP protocol. HSTS is an IETF standards track protocol and is specified in RFC 6797.
Here is the guide to show you how to install the Comodo SSL certificate in Nginx.
Order the Comodo certificate and receive the certificate files.
I don’t discuss how to get it or where to get it. That is another topic. You will receive the following files. The Positive SSL certificate is a zip file emailed to you. Unzip it to get four files.
Root CA Certificate – AddTrustExternalCARoot.crt
Intermediate CA Certificate – COMODORSAAddTrustCA.crt
Intermediate CA Certificate – COMODORSADomainValidationSecureServerCA.crt
Your PositiveSSL Certificate – www_example_com.crt (or the subdomain you gave them)
I just need your certificate and the intermediate certificates. The root is already installed on every single computer or browser. The order of the certificates is important.
Save this file in the place you want Nginx to use
mv your_domain_crt.pem /etc/nginx/ssl/
Save your private key in the same place
Make sure your Nginx config file looks like below
listen 443 ssl;
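# side note: only use TLS since SSLv2 and SSLv3 have had recent vulnerabilities
# TLSv1 and TLSv1.1 have since been deprecated (RFC 8996); on current servers list only TLSv1.2 and TLSv1.3
ssl_protocols TLSv1 TLSv1.1 TLSv1.2;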
Reload Nginx and check if it works by entering https://www.your_domain.com/