How to create an SSL certificate for NGINX and configure SSL

Modified on Wed, 30 Jun, 2021 at 11:37 AM

Quick Overview

This article provides a step-by-step guide on how to create an SSL certificate and switch OPSWAT MD Core v4 to HTTPS.

  1. Create Web Server Certificate Template

  2. Prepare certificate request with OpenSSL and submit it for signing

  3. Convert the CA Signed Certificate from DER Encoded to PEM

  4. Extract the private key and the certificate from a .pfx file

  5. Configure SSL on OPSWAT MD Core v4

If you want to install and use OpenSSL on Windows, you can follow this guide: Install OpenSSL


To create, prepare and configure a certificate from scratch, follow steps 1-3 and 5. To use and configure an existing certificate (.pfx), follow steps 4-5.


1. Create Web server Certificate Template

a. On the Certificate Authority server, open the certsrv.msc tool.

b. Make sure you have a Web Server template that includes both Server Authentication and Client Authentication, as shown in the picture (Client Authentication is relevant for Kiosk integration). If you do, skip to step 2; if you don't, continue with step 1.c.

c. Open "Certificate Templates" and choose "Manage".

d. Choose the certificate template you want to base your template on and choose "Duplicate Template".

e. Under the General tab, choose a name for your new certificate template.

f. Under the Extensions tab, choose "Edit", then "Add", and choose "Client Authentication"; then save your template changes.

g. Back in the certsrv.msc tool, choose "Certificate Templates", "New" and "Certificate Template to Issue".

h. Choose the template you just created; it will be added to the Certificate Templates.


2. Prepare Certificate Request with OpenSSL

Open a Terminal or CMD window in the directory of the openssl executable and start the interactive OpenSSL prompt by entering:

openssl.exe

The commands in the following steps are typed at that OpenSSL> prompt. If you prefer to run them from a normal shell, prefix each one with "openssl".

a. First create a private key to be used with the certificate. The following command generates it:

* The recommended key length is 2048 bits for optimal performance, but stronger keys are supported.


genrsa -out certificate.key 2048


b. Create the CSR (the certificate request file) and fill in the certificate details:

* Common Name: Must be the server name exactly (NOT the FQDN).

req -key certificate.key -new -out certificate.csr

* The fields marked in blue need to be changed per customer and server.

c. Open the newly created certificate.csr file in Notepad or any other editor and copy the entire text, from the "-----BEGIN CERTIFICATE REQUEST-----" line to the "-----END CERTIFICATE REQUEST-----" line inclusive.
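As an added example (not part of the original article), the same key and CSR steps as a non-interactive shell script, using the article's sample host name ops-v4-win, the domain ops-v4-win.bulwarx.lab and the address 192.168.20.160. It goes one step beyond the text: the SAN is written into the request itself with -addext (OpenSSL 1.1.1 or later), so it does not depend on the CA accepting Additional Attributes, and the script verifies the request and prints its subject and SAN before you paste it into the enrollment page. The organization name "Example Lab" is an assumed placeholder.

```shell
#!/bin/sh
# Added example: non-interactive key + CSR generation with an embedded SAN.
# Host name, domain and IP are the article's sample values; "Example Lab" is
# an assumed placeholder for the organization.
set -eu

WORKDIR="$(mktemp -d)"
trap 'rm -rf "$WORKDIR"' EXIT

# Same as "genrsa -out certificate.key 2048" at the OpenSSL> prompt.
make_key() {
    openssl genrsa -out "$WORKDIR/certificate.key" 2048 2>/dev/null
}

# -subj replaces the interactive prompts; -addext writes the SAN into the
# request itself, so the CA's "Additional Attributes" field is not needed.
make_csr() {
    openssl req -new -key "$WORKDIR/certificate.key" \
        -subj "/O=Example Lab/CN=ops-v4-win" \
        -addext "subjectAltName=DNS:ops-v4-win,DNS:ops-v4-win.bulwarx.lab,IP:192.168.20.160" \
        -out "$WORKDIR/certificate.csr"
}

# Checks to run before pasting the CSR into the CA enrollment page.
verify_csr() {
    # exit status 0 only if the request's self-signature verifies
    openssl req -in "$WORKDIR/certificate.csr" -noout -verify >/dev/null 2>&1
}

csr_subject() {
    openssl req -in "$WORKDIR/certificate.csr" -noout -subject
}

csr_sans() {
    # the SAN value is printed on the line after the extension name
    openssl req -in "$WORKDIR/certificate.csr" -noout -text \
        | sed -n '/Subject Alternative Name/{n;s/^ *//;p;}'
}

# The text to paste into the enrollment page: the whole file, BEGIN and END lines included.
csr_pem() {
    cat "$WORKDIR/certificate.csr"
}

# Stand-alone run: build everything and show what the CA will receive.
make_key
make_csr
verify_csr
csr_subject
csr_sans
csr_pem
```

The printed subject and SAN line are what you should compare against the host name the server will be reached by; a CSR that verifies but carries the wrong names will be signed by the CA exactly as submitted.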

2 (continued). Submit the Certificate Request for Signing

a. Open the CA certsrv Web Enrollment page, https://CAServer/certsrv, and choose the "Request a Certificate" task.

b. Choose "Submit an advanced certificate request".

c. Paste the CSR text and choose the Certificate Template you want to use, or the one you created in step 1.

* "Additional Attributes" is an optional way to add a Subject Alternative Name (SAN) to the certificate; however, make sure the CA supports this option before you make the request.

If you can use Additional Attributes to add a SAN, this is the correct syntax:

SAN:dns={dnsName1};dns={dnsName2WithFQDN};ipaddress={IPAddress}
Example: SAN:dns=ops-v4-win;dns=ops-v4-win.bulwarx.lab;ipaddress=192.168.20.160


d. Download the DER Encoded Certificate.

* If the server is not in the domain, you will also need to download the certificate chain and install it in the server's certificate authority (trusted root) store. For more information, see this guide: Manage Trusted Root Certificates

3. Convert the CA Signed Certificate from DER Encoded to PEM.

a. Copy the downloaded .cer file to the OpenSSL bin folder and rename it to certificate.cer.

b. Use OpenSSL to convert the encoding of the certificate to PEM:

x509 -inform der -in certificate.cer -out certificate.crt


c. Copy the newly created certificate.crt and the certificate.key you created in step 2 to the NGINX\OPSWAT server.

4. Extract the private key and the certificate from a .pfx file

If you already have a certificate with a private key (a .pfx file), you need to extract from it both the private key and the certificate file without the private key. OpenSSL must be installed on the server in order to perform these tasks.

a. Import the .pfx file into the machine's Local Certificate Store:

  1. Double-click the .pfx file and select Store Location: Local Machine.
  2. Press Next twice. You will be prompted to enter the password; you can choose whether this certificate will be exportable or not.
  3. Press Next in all of the following windows.



b. Extract the private key and the certificate

  1. Open cmd, navigate to the OpenSSL installation folder and run the following commands:
    • openssl pkcs12 -in <full path of the pfx file> -nocerts -out certificate_temp.key
    • openssl rsa -in certificate_temp.key -out certificate.key
    • delete the certificate_temp.key file (the intermediate, passphrase-protected copy of the key)
    • copy certificate.key to <OPSWAT Installation Directory>/nginx
  2. In the same window, run the following commands:
    • openssl pkcs12 -in <full path of the pfx file> -clcerts -nokeys -out certificate.crt
    • copy certificate.crt to <OPSWAT Installation Directory>/nginx

* To convert the other way around (.crt and .key to .pfx), use the following command, where rsaprivate.key is the private key, certificate.crt the certificate and fileca.crt the CA chain certificate:

openssl pkcs12 -export -out certificate.pfx -inkey rsaprivate.key -in certificate.crt -certfile fileca.crt
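As an added example (again not from the article or from OPSWAT), a shell script that exercises step 3.b and step 4.b end to end and adds the check worth doing before the service is restarted: that the private key actually belongs to the certificate. A self-signed certificate stands in for the CA-signed one, the file names follow the article, and the .pfx export password and the temporary key passphrase are assumed sample values passed with -passin/-passout so that none of the commands prompt.

```shell
#!/bin/sh
# Added example: DER->PEM conversion, .pfx export and extraction, and a
# key/certificate match check. The self-signed certificate is a stand-in for
# a CA-signed one; both passwords are assumed sample values.
set -eu

WORKDIR="$(mktemp -d)"
trap 'rm -rf "$WORKDIR"' EXIT
PFX_PASS="pass:SamplePfxPassword"     # assumed .pfx export password
TMP_PASS="pass:SampleTempPassphrase"  # assumed passphrase for certificate_temp.key

# Key plus self-signed certificate, then the DER (.cer) form the CA web page hands out.
make_material() {
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=ops-v4-win" \
        -keyout "$WORKDIR/certificate.key" -out "$WORKDIR/certificate.crt" 2>/dev/null
    openssl x509 -in "$WORKDIR/certificate.crt" -outform der -out "$WORKDIR/certificate.cer"
}

# Step 3.b: DER -> PEM. Prints the first line so the caller can see it is PEM.
der_to_pem() {
    openssl x509 -inform der -in "$WORKDIR/certificate.cer" -out "$WORKDIR/from_der.crt"
    head -n 1 "$WORKDIR/from_der.crt"
}

# "The other way around": bundle key + certificate into a .pfx.
make_pfx() {
    openssl pkcs12 -export -out "$WORKDIR/certificate.pfx" \
        -inkey "$WORKDIR/certificate.key" -in "$WORKDIR/certificate.crt" -passout "$PFX_PASS"
}

# Step 4.b: pull the key (via the passphrase-protected temp file) and the certificate back out.
extract_from_pfx() {
    openssl pkcs12 -in "$WORKDIR/certificate.pfx" -nocerts \
        -out "$WORKDIR/certificate_temp.key" -passin "$PFX_PASS" -passout "$TMP_PASS"
    openssl rsa -in "$WORKDIR/certificate_temp.key" -passin "$TMP_PASS" \
        -out "$WORKDIR/extracted.key" 2>/dev/null
    rm -f "$WORKDIR/certificate_temp.key"    # the article's "delete the certificate_temp.key file"
    openssl pkcs12 -in "$WORKDIR/certificate.pfx" -clcerts -nokeys \
        -out "$WORKDIR/extracted.crt" -passin "$PFX_PASS"
}

# The check: a key belongs to a certificate exactly when their public keys are identical.
# Usage: key_matches_cert <key.pem> <cert.pem>; exit status 0 on a match.
key_matches_cert() {
    key_pub="$(openssl pkey -in "$1" -pubout 2>/dev/null)"
    cert_pub="$(openssl x509 -in "$2" -pubkey -noout)"
    [ -n "$key_pub" ] && [ "$key_pub" = "$cert_pub" ]
}

# Stand-alone run.
make_material
der_to_pem
make_pfx
extract_from_pfx
if key_matches_cert "$WORKDIR/extracted.key" "$WORKDIR/extracted.crt"; then
    echo "extracted key matches extracted certificate"
fi
```

Run key_matches_cert against the certificate.key and certificate.crt you are about to place in the nginx folder; a mismatch (for example a key from an earlier CSR attempt) will only surface as an NGINX start-up failure after the service restart in step 5.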



5. Configure SSL on OPSWAT MD Core v4.

a. Create a new ssl.conf file with the following lines, adjusting the directories to your environment. The XXXXX placeholders stand for the certificate and key files from step 3 or step 4, and dhparam.pem is a Diffie-Hellman parameters file that you generate separately with OpenSSL's dhparam command.

ssl_protocols TLSv1.2 TLSv1.3;
ssl_prefer_server_ciphers on; 
ssl_ciphers ECDHE-RSA-AES256-GCM-SHA512:DHE-RSA-AES256-GCM-SHA512:ECDHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-SHA384;
ssl_ecdh_curve secp384r1;
ssl_session_timeout  10m;
ssl_session_cache shared:SSL:10m;
ssl_session_tickets off;
ssl_stapling on;
ssl_stapling_verify on;

ssl on;
ssl_certificate "D:/Certificates/XXXXX.fullchain.cer";
ssl_certificate_key "D:/Certificates/XXXXX.key";
ssl_dhparam "D:/Certificates/dhparam.pem";

resolver_timeout 5s; 

add_header Strict-Transport-Security "max-age=63072000; includeSubDomains; preload";
add_header X-Frame-Options DENY;
add_header X-Content-Type-Options nosniff;
add_header X-XSS-Protection "1; mode=block";


b. Save the file in the OPSWAT installation folder under the nginx directory (example: D:\Program Files\OPSWAT\Metadefender Core\nginx).

c. Change the "restport" registry value to 443.

* The registry value is under:

HKEY_LOCAL_MACHINE\SOFTWARE\OPSWAT\Metascan\global

d. Restart the "OPSWAT Metadefender Core" service.

e. Make sure the service is up and browse to the new HTTPS server (example: https://ops-v4-win).
