
Installation and Deployment of Nginx For Linux National Cryptography Standard SSL Certificate (Wotrus)

Last updated: 2023-10-08 14:26:46

Scenario

This document provides guidance on how to install a National Cryptography Standard SSL certificate on an Nginx server.
Note
The Nginx version nginx/1.18.0 is used as an example.
The certificate name cloud.tencent.com is used as an example.
The current server OS is CentOS 7. Detailed steps vary slightly with the OS version.
Before installing the SSL certificate, please enable port "443" on the Nginx server to ensure that HTTPS can be enabled after the certificate installation. For more details, refer to How to Open Port 443 on a Server?
For detailed directions on how to upload SSL certificate files to a server, see Copying Local Files to CVMs.

Preparations

A remote file copy tool such as WinSCP has been prepared. It is recommended to download the latest version from the official website. If you need to deploy to Tencent Cloud Server, it is suggested to use the file upload function of the cloud server. For more details, please refer to Uploading Files to Cloud Server.
A remote login tool such as PuTTY or Xshell has been installed.
A National Cryptography Standard (SM2) SSL certificate has been purchased.
The data required to install the SSL certificate includes:
Server IP address: the IP address of the server, used to connect the PC to the server.
Username: the username used to log in to the server.
Password: the password used to log in to the server.
Note
For a CVM instance purchased on the Tencent Cloud official website, log in to the CVM console to get the server IP address, username, and password.

Instructions

Environment configuration

Note
To install a National Cryptography Standard SSL certificate on an Nginx server, the server must have the relevant environment support module. The following will guide you through the process of compiling and configuring an Nginx server that supports National Cryptography Standard SSL certificates.
The directories mentioned in the following steps are the directories of the test environment. Determine their specific paths based on your actual environment and needs.
1. Log in to the Nginx server remotely, for instance, using the "PuTTY" tool.
2. Install Compilation Tools: If your system is brand new, please first install the C++ development environment, pcre-devel, and zlib-devel software on the server to provide environmental support for compilation. You can use the following commands for installation.
#Setting up C++ Development Environment
yum install -y gcc gcc-c++
#Install pcre-devel
yum install pcre-devel -y
#Install zlib-devel
yum install zlib-devel -y
3. Download and compile Nginx: Download the Nginx source package and the National Cryptography module to the server, then compile and install them by entering the following commands in order. Due to differences in operating system versions, the detailed steps may vary slightly.
Note
Using nginx-1.18.0 as an example, the directory is /usr/local. Please determine according to your actual environment and needs.
Please do not modify the National Cryptography module filename wotrus_ssl.tar.gz during decompression and installation, as it may lead to installation errors.
#Switch to the /usr/local/ directory
cd /usr/local/
#Download nginx-1.18.0
wget -c http://nginx.org/download/nginx-1.18.0.tar.gz
#Downloading the SM2 National Cryptography Module
wget -c https://www.wotrus.com/download/wotrus_ssl.tar.gz
#Decompress the downloaded nginx-1.18.0 package.
tar -zvxf nginx-1.18.0.tar.gz
#Decompress the downloaded National Cryptography SM2 module package.
tar -zvxf wotrus_ssl.tar.gz
#Enter the decompressed nginx-1.18.0 folder.
cd nginx-1.18.0/
#Specify the compilation directory path and the module to be compiled. Additional modules can be added as needed.
./configure --prefix=/usr/local/nginx --with-http_stub_status_module --with-stream --with-http_ssl_module --with-stream_ssl_module --with-openssl=/usr/local/wotrus_ssl2.0
#Compile and Install Nginx
make && make install
4. If you encounter an error make[1]: *** [/usr/local/wotrus_ssl2.0/.openssl/include/openssl/ssl.h] Error 127 during the compilation process, you need to navigate to the nginx-1.18.0/auto/lib/openssl directory and edit the conf file. The following content needs to be modified:
CORE_INCS="$CORE_INCS $OPENSSL/.openssl/include"
CORE_DEPS="$CORE_DEPS $OPENSSL/.openssl/include/openssl/ssl.h"
CORE_LIBS="$CORE_LIBS $OPENSSL/.openssl/lib/libssl.a"
CORE_LIBS="$CORE_LIBS $OPENSSL/.openssl/lib/libcrypto.a"
Modify as follows:
CORE_INCS="$CORE_INCS $OPENSSL/include"
CORE_DEPS="$CORE_DEPS $OPENSSL/include/openssl/ssl.h"
CORE_LIBS="$CORE_LIBS $OPENSSL/lib/libssl.a"
CORE_LIBS="$CORE_LIBS $OPENSSL/lib/libcrypto.a"
5. After saving the file, execute make clean to clear the compilation configuration. Then, re-enter the nginx-1.18.0 folder and execute ./configure --prefix=/usr/local/nginx --with-http_stub_status_module --with-stream --with-http_ssl_module --with-stream_ssl_module --with-openssl=/usr/local/wotrus_ssl2.0 and make && make install.
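The edit in step 4 can be applied with sed instead of by hand. The following shell functions are an added example, not part of the original document and not a Wotrus or Tencent Cloud tool: they rewrite the four lines in auto/lib/openssl/conf and verify the result; the path is assumed to be the one the document names, and the conf fragment used for the demonstration is constructed.

```shell
# Added example: apply the step 4 edit to nginx-1.18.0/auto/lib/openssl/conf
# with sed and check that exactly the expected lines were changed.

# Rewrite every "$OPENSSL/.openssl/" reference to "$OPENSSL/", which changes
# the four CORE_INCS/CORE_DEPS/CORE_LIBS lines shown above and nothing else.
# A backup of the original file is kept as <conf>.orig.
patch_openssl_conf() {
    conf="$1"
    cp "$conf" "$conf.orig"
    sed 's#\$OPENSSL/\.openssl/#$OPENSSL/#g' "$conf.orig" > "$conf"
}

# Exit status 0 when no ".openssl" reference remains and all four expected
# lines are present, 1 otherwise.
check_openssl_conf() {
    conf="$1"
    if grep -q '\.openssl' "$conf"; then
        echo "unpatched .openssl reference remains in $conf"
        return 1
    fi
    grep -Fq 'CORE_INCS="$CORE_INCS $OPENSSL/include"' "$conf" &&
    grep -Fq 'CORE_DEPS="$CORE_DEPS $OPENSSL/include/openssl/ssl.h"' "$conf" &&
    grep -Fq 'CORE_LIBS="$CORE_LIBS $OPENSSL/lib/libssl.a"' "$conf" &&
    grep -Fq 'CORE_LIBS="$CORE_LIBS $OPENSSL/lib/libcrypto.a"' "$conf"
}

# Constructed stand-in for the affected lines of auto/lib/openssl/conf (the
# real file has many more lines, which the sed expression leaves untouched).
write_sample_conf() {
    cat > "$1" <<'EOF'
            CORE_INCS="$CORE_INCS $OPENSSL/.openssl/include"
            CORE_DEPS="$CORE_DEPS $OPENSSL/.openssl/include/openssl/ssl.h"
            CORE_LIBS="$CORE_LIBS $OPENSSL/.openssl/lib/libssl.a"
            CORE_LIBS="$CORE_LIBS $OPENSSL/.openssl/lib/libcrypto.a"
EOF
}

# Patch a sample copy and report the result; returns check_openssl_conf's status.
demo_patch() {
    tmp=$(mktemp)
    write_sample_conf "$tmp"
    patch_openssl_conf "$tmp"
    check_openssl_conf "$tmp"
    status=$?
    rm -f "$tmp" "$tmp.orig"
    return $status
}
```

On the server, run patch_openssl_conf /usr/local/nginx-1.18.0/auto/lib/openssl/conf followed by check_openssl_conf on the same file before running make clean and ./configure again.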

Installation of National Cryptography Standard Certificate

1. Download and decompress the cloud.tencent.com certificate package from the SSL Certificate Service Console to a local directory. The decompressed package contains the Nginx directory and the CSR files:
Folder Name: Nginx
Folder content:
1_cloud.tencent.com_sign_bundle.crt Certificate file
2_cloud.tencent.com_encrypt_bundle.crt Certificate file
3_cloud.tencent.com.key Private key file
CSR File Content:
cloud.tencent.com_sign.csr file
cloud.tencent.com_encrypt.csr file
Note
The CSR file, either uploaded by you or generated online by the system during the certificate application, is provided to the CA. This file can be disregarded during installation.
2. Log in to the Nginx server using "WinSCP", a tool for copying files between local and remote computers.
Note
We recommend using the file upload feature of the Cloud Virtual Machine (CVM) for deployment to Tencent Cloud CVM. For more details, please refer to Uploading Files to CVM.
3. Navigate to the /usr/local/nginx/conf directory, create a new sm2 directory, and copy the obtained certificate files 1_cloud.tencent.com_sign_bundle.crt, 2_cloud.tencent.com_encrypt_bundle.crt, and the private key file 3_cloud.tencent.com.key from the local directory to this sm2 directory.
4. Navigate to the /usr/local/nginx/conf directory, edit the nginx.conf file, and add the following configuration:
server {
    listen 443 ssl;
    server_name domain.com;
    ssl_certificate /usr/local/nginx/conf/sm2/1_cloud.tencent.com_sign_bundle.crt;
    ssl_certificate_key /usr/local/nginx/conf/sm2/3_cloud.tencent.com.key;
    ssl_certificate /usr/local/nginx/conf/sm2/2_cloud.tencent.com_encrypt_bundle.crt;
    ssl_certificate_key /usr/local/nginx/conf/sm2/3_cloud.tencent.com.key;
    #First, configure the signing certificate, then the encryption certificate. The private key for both the signing and encryption certificates is the same!
    ssl_session_timeout 5m;
    ssl_protocols TLSv1.1 TLSv1.2 TLSv1.3;
    ssl_ciphers ECC-SM4-SM3:ECDH:AESGCM:HIGH:MEDIUM:!RC4:!DH:!MD5:!aNULL:!eNULL;
    ssl_prefer_server_ciphers on;
    location / {
        root html;
        index index.html index.htm;
    }
}
Note
The above configuration content is for reference only. Please configure the specific certificate name, certificate directory, location, and other settings according to your actual environment.
5. Verify the configuration file by executing the following command.
/usr/local/nginx/sbin/nginx -t
If Syntax OK is displayed, it indicates that the configuration is correct and the Nginx server can be started.
If the message is not Syntax OK, please reconfigure or modify according to the prompts to resolve the issue.
6. Restart the Nginx server and then you can access it through https://cloud.tencent.com.
If the security lock icon is displayed in the browser, the certificate has been installed successfully.
In case of a website access exception, troubleshoot the issue by referring to the following FAQs:

Optional dual installation of International Standard Certificate and National Cryptography Standard Certificate

If you need to resolve browser compatibility issues by installing both an international standard certificate and a National Cryptography Standard certificate, you can do so by following these steps:
Note
Tencent Cloud offers free DV SSL certificates to users who have purchased the National Cryptography Standard DNSPod certificate to smoothly resolve browser compatibility issues. For certificate application, please refer to Free DV SSL certificates.
1. Use WinSCP (a tool for copying files between a local and a remote computer) to transfer the 1_root_bundle.crt certificate file and the 2_cloud.tencent.com.key private key file from the Nginx folder of the international standard certificate package on your local machine to the /usr/local/nginx/conf/sm2 directory on the Nginx server.
Note
We recommend using the file upload feature of the Cloud Virtual Machine (CVM) for deployment to Tencent Cloud CVM. For more details, please refer to Uploading Files to CVM.
2. Edit the ssl.conf file in the /usr/local/nginx/conf directory.
3. Locate server_name cloud.tencent.com and start a new line beneath it, then add the following content:
ssl_certificate /usr/local/nginx/conf/sm2/1_cloud.tencent.com_bundle.crt;
ssl_certificate_key /usr/local/nginx/conf/sm2/2_cloud.tencent.com.key;
Note
The above configuration content is for reference only. Please configure the specific certificate name and certificate directory according to the actual environment.
4. Execute the following command to validate the configuration file.
/usr/local/nginx/sbin/nginx -t
If Syntax OK is displayed, it indicates that the configuration is correct and the Nginx server can be started.
If the message is not Syntax OK, please reconfigure or modify according to the prompts to resolve the issue.
5. Restart the Nginx server to apply the configuration; the browser compatibility issues are then resolved.
Note
If anything goes wrong during this process, please contact us.
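Before running nginx -t, the ordering rule stated in the nginx.conf comment of the certificate installation section (signing certificate first, encryption certificate directly after it, one private key for both) can be checked mechanically, and the check also accepts the extra international certificate pair added in the dual installation section. The following shell functions are an added example, not part of the original document: the sample server block is constructed here and reuses the document's file names.

```shell
# Added example: verify the SM2 signing/encryption certificate order and key
# pairing in an Nginx configuration file. Extra pairs (the international
# certificate from the dual installation) may appear before or after the pair.

# Print "directive path" for each ssl_certificate/ssl_certificate_key line,
# in file order, with the trailing ';' removed.
list_ssl_directives() {
    awk '$1 == "ssl_certificate" || $1 == "ssl_certificate_key" {
             sub(/;.*$/, "", $2); print $1, $2 }' "$1"
}

# Exit status 0 when the SM2 pair is ordered and keyed correctly, 1 otherwise.
check_sm2_pairing() {
    list_ssl_directives "$1" | awk '
        $1 == "ssl_certificate"     { cert[++n] = $2 }
        $1 == "ssl_certificate_key" { key[n] = $2 }
        END {
            for (i = 1; i <= n; i++)
                if (key[i] == "") { print "no key for " cert[i]; exit 1 }
            for (i = 1; i <= n; i++)
                if (cert[i] ~ /_sign_/) s = i
            if (!s) { print "no SM2 signing certificate"; exit 1 }
            if (cert[s + 1] !~ /_encrypt_/) {
                print "encryption certificate must follow the signing certificate"; exit 1 }
            if (key[s] != key[s + 1]) {
                print "signing and encryption certificates use different keys"; exit 1 }
            print "SM2 certificate order and key pairing OK"
        }'
}

# Constructed sample: international pair first, then the SM2 pair as in the
# document. A second argument "bad" lists the encryption certificate first.
write_sample_conf() {
    if [ "$2" = "bad" ]; then a=encrypt; b=sign; else a=sign; b=encrypt; fi
    cat > "$1" <<EOF
server {
    listen 443 ssl;
    server_name cloud.tencent.com;
    ssl_certificate /usr/local/nginx/conf/sm2/1_cloud.tencent.com_bundle.crt;
    ssl_certificate_key /usr/local/nginx/conf/sm2/2_cloud.tencent.com.key;
    ssl_certificate /usr/local/nginx/conf/sm2/1_cloud.tencent.com_${a}_bundle.crt;
    ssl_certificate_key /usr/local/nginx/conf/sm2/3_cloud.tencent.com.key;
    ssl_certificate /usr/local/nginx/conf/sm2/2_cloud.tencent.com_${b}_bundle.crt;
    ssl_certificate_key /usr/local/nginx/conf/sm2/3_cloud.tencent.com.key;
}
EOF
}
```

Run check_sm2_pairing /usr/local/nginx/conf/nginx.conf (or the ssl.conf used in the dual installation) on the server; a non-zero exit status names the directive that violates the rule.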