How to add an SSL Certificate

Notice

This documentation set has been merged with the Maestro Version 2 documentation and is officially deprecated. These pages will be redirected to their equivalents in that doc set within the next few weeks.

Certificate signing request

To generate a key and certificate signing request, follow the steps below.

  1. Generate a private key through your command line, without specifying a passphrase:
  2. Create a certificate signing request and enter your information as requested:
  3. Provide this CSR file to your certificate authority, who will in turn provide you with a certificate (CRT) file.
  4. Use the original .key file together with this .crt file on Cloud 66.

Important

You cannot use passphrase protected certificate keys with Nginx. Learn how to remove the passphrases from certificate keys.

Intermediate certificates

Some SSL certificate authorities (CA), like RapidSSL, issue certificates that are not fully compatible with all devices (specifically Android devices). This is because they are not the ultimate CAs and usually act as a reseller for other authorities (like VeriSign).

Cloud 66 supports these CAs fully by allowing you to add the intermediate certificate separately into the SSL certificate add-in form.

Multi-domain certificates

When installing multi-domain certificates, certificate authorities such as Comodo typically send you four files:

  1. Root CA Certificate - AddTrustExternalCARoot.crt
  2. Intermediate CA Certificate - COMODORSAAddTrustCA.crt
  3. Intermediate CA Certificate - COMODORSAExtendedValidationSecureServerCA.crt
  4. Your COMODO EV Multi-Domain SSL Certificate - 14637732.crt

To use these, you have to concatenate all files except for the last one (the certificate):

$ cat COMODORSAExtendedValidationSecureServerCA.crt COMODORSAAddTrustCA.crt AddTrustExternalCARoot.crt > bundle_file

Separate domains with different certificates

If this doesn't work make sure that your certificates don't need password.

You may need to serve different parts of your application on separate domains, each with its own SSL certificate. You can use Nginx CustomConfig to set this up - you will basically have two server blocks listening on different domains, and serving different certificates (located on the server):

{% if allow_ssl == true %}

# main domain
server {
listen 443;
ssl on;
ssl_certificate_key /etc/ssl/localcerts/certificate_name_1.key;
ssl_certificate /etc/ssl/localcerts/certificate_name_1.crt;
server_name server_name_1.com;
client_max_body_size 50m;
...
}
# secondary domain
server {
listen 443;
ssl on;
ssl_certificate_key /etc/ssl/localcerts/certificate_name_2.key;
ssl_certificate /etc/ssl/localcerts/certificate_name_2.crt;
server_name server_name_2.com;
client_max_body_size 50m;
...
}