SSL How to install dual ecdsa + rsa ssl

Discussion in 'Domains, DNS, Email & SSL Certificates' started by pdinh97qng, Jun 21, 2018.

  1. pdinh97qng Member
  2. eva2000 Administrator Staff Member
    There's generally 3 ways of setting up an HTTPS SSL certificate for Centmin Mod Nginx HTTP/2 based HTTPS. You're interested in using a paid SSL provider like Comodo, so Method 1 would be used. With dual RSA/ECDSA ssl certificates like in the linked guide at SSL - Nginx 1.11.0 introduces dual ECDSA + RSA SSL certificate support !, you need to obtain 2 ssl certificates:
    1. The first SSL cert is the traditional RSA 2048bit SSL that normal Comodo SSL certs are, due to you generating an RSA 2048bit ssl private key and CSR file and providing that CSR file to your SSL provider, who issues a SSL cert that is RSA 2048bit. For generating the ssl private key/CSR file you can use the online wizard at OpenSSL CSR Tool - Create Your CSR Faster | DigiCert.com and select key size = RSA 2048bit. The wizard, based on your inputs i.e. common name = domain name, will generate an openssl command which you run within your server's SSH session to generate the private key and CSR file - both need to be kept safe, only providing the CSR file to your SSL provider for SSL cert issuance. Once the SSL provider gives you your SSL certificate files, then go through the below linked concatenation of SSL provider files to setup the Nginx vhost and the steps outlined in the Method 1 links.
    2. For the second SSL cert, you need to generate a 2nd private key and CSR file, but the private key must be generated via ECC 256bit ECDSA instead, and the resulting CSR file is provided to your SSL provider, who issues a SSL cert that is ECC 256bit ECDSA based. For generating the ssl private key/CSR file you can use the online wizard at OpenSSL CSR Tool - Create Your CSR Faster | DigiCert.com and select key size = P-256. The wizard, based on your inputs i.e. common name = domain name, will generate an openssl command which you run within your server's SSH session to generate the private key and CSR file - both need to be kept safe, only providing the CSR file to your SSL provider for SSL cert issuance. Once the SSL provider gives you your SSL certificate files, then go through the below linked concatenation of SSL provider files to setup the Nginx vhost and the steps outlined in the Method 1 links.
    3. This means you need to purchase 2x Comodo SSL certificates, one for the RSA 2048bit and one for the ECC 256bit ECDSA ssl cert.
    Method 1. The traditional way via centmin.sh menu option 2, 22 and selecting yes to self-signed ssl certificates first. Then converting the self-signed ssl certificate to paid or free (Letsencrypt) web browser trusted SSL certificates as outlined at How to switch self-signed SSL certificate to paid SSL certificate ? You would still need to follow the same steps outlined at Nginx SPDY SSL Configuration for obtaining and purchasing the paid SSL certificate, and the most important part is the concatenation of the SSL provider provided files to create the mentioned /usr/local/nginx/conf/ssl/domaincom/ssl-unified.crt and /usr/local/nginx/conf/ssl/domaincom/ssl-trusted.crt files referenced in your Nginx SSL vhost config file.

    You may need to also decide if you want to enable HTTP to HTTPS redirect outlined at How to force redirect from HTTP:// to HTTPS:// ?

    If you didn't answer yes at the time of initial nginx vhost creation to self-signed ssl certificates, you can manually setup the self-signed ssl certificate via the vhost generator by checking the self-signed ssl box and entering a domain name. This will outline instructions for manually creating and setting up the self-signed ssl certificate and nginx vhost settings. Then for web browser trusted ssl certificates you follow - How to switch self-signed SSL certificate to paid SSL certificate ?.

    Method 2. Using and testing Centmin Mod 123.09beta01's new addons/acmetool.sh addon, which is still in beta testing only, for integrating Letsencrypt SSL certificates. It has both auto and manual methods.

    Method 3. Fully manual method for free Letsencrypt SSL certificates.
    Note:
    • For the wordpress auto installer, you actually need to read method 2 to enable LETSENCRYPT_DETECT='y', then run centmin.sh menu option 22, which will detect letsencrypt support and display the additional letsencrypt prompts required to issue free letsencrypt ssl certificates for the wordpress auto installer
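As an added example (not Centmin Mod's own code and not from this thread), a POSIX shell script that produces the two key/CSR pairs the reply describes, RSA 2048bit and ECC P-256, and sanity-checks each CSR before it goes to the provider. The domain, output directory and subject fields are placeholders, and the script assumes the `openssl` CLI is installed.

```shell
#!/bin/sh
# Added example, not Centmin Mod's own code: generate the two key/CSR pairs the
# post describes (RSA 2048-bit, then ECC P-256) and sanity-check each CSR.
# Placeholders (assumptions, not from the thread): domain, output dir, subject.
set -eu
DOMAIN="${1:-example.com}"            # placeholder common name
OUTDIR="${2:-$(mktemp -d)}"           # placeholder output directory
SUBJ="/O=Example Org/CN=$DOMAIN"      # placeholder subject; CN must be the domain

# gen_rsa_csr DIR DOMAIN SUBJ: RSA 2048-bit private key + CSR (first cert in the post)
gen_rsa_csr() {
  ( umask 077  # private key is created mode 0600; never share it
    openssl req -new -newkey rsa:2048 -nodes -sha256 \
      -keyout "$1/$2-rsa.key" -out "$1/$2-rsa.csr" -subj "$3" 2>/dev/null )
}

# gen_ecdsa_csr DIR DOMAIN SUBJ: P-256 (prime256v1) private key + CSR (second cert)
gen_ecdsa_csr() {
  ( umask 077
    openssl ecparam -name prime256v1 -genkey -noout -out "$1/$2-ecc.key"
    openssl req -new -sha256 -key "$1/$2-ecc.key" -out "$1/$2-ecc.csr" -subj "$3" )
}
# csr_key_type CSR: prints the key algorithm in the CSR (rsaEncryption / id-ecPublicKey)
csr_key_type() {
  openssl req -in "$1" -noout -text | sed -n 's/.*Public Key Algorithm: *//p' | head -n 1
}
# csr_cn CSR: prints the CN from the CSR subject (handles both subject output styles)
csr_cn() {
  openssl req -in "$1" -noout -subject | sed -n 's/.*CN *= *\([^,/]*\).*/\1/p'
}
# csr_ok CSR: exit 0 only if the CSR's self-signature verifies, i.e. the CSR
# really was produced with the private key sitting next to it
csr_ok() {
  openssl req -in "$1" -noout -verify >/dev/null 2>&1
}

main() {
  mkdir -p "$OUTDIR"
  gen_rsa_csr "$OUTDIR" "$DOMAIN" "$SUBJ"
  gen_ecdsa_csr "$OUTDIR" "$DOMAIN" "$SUBJ"
  for csr in "$OUTDIR/$DOMAIN-rsa.csr" "$OUTDIR/$DOMAIN-ecc.csr"; do
    csr_ok "$csr"   # set -e aborts here if a CSR does not verify
    printf '%s  %s  CN=%s\n' "$csr" "$(csr_key_type "$csr")" "$(csr_cn "$csr")"
  done
  echo "Submit only the .csr files to the SSL provider; keep the .key files in $OUTDIR private."
}

main
```

The two `.key` files stay on the server and are later paired with the two issued certificates in the vhost; only the `.csr` files leave the machine.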