Use OCI Certificates to Issue an Internal Certificate and Host a TLS/SSL Protected Website on Nginx Server

Introduction

In this tutorial, we describe how to use Oracle Cloud Infrastructure (OCI) Certificates to issue an internal certificate and host a Transport Layer Security (TLS)/Secure Sockets Layer (SSL) protected website on an Nginx server. OCI Certificates is a service for creating and managing TLS certificates. It lets an organization create private Certificate Authority (CA) hierarchies and TLS certificates that are deployed and renewed automatically within the customer tenancy and that integrate with OCI services such as OCI Load Balancer and OCI API Gateway. The same service can issue certificates for internal web servers hosted on Nginx, which is what this tutorial does.

To enable TLS/SSL encryption on your Nginx server, you need a TLS/SSL certificate. A Certificate Signing Request (CSR) is the request you send to a CA to obtain one. It carries your public key together with information about your organization and the names (domain names or IP addresses) for which you are requesting the certificate. The CA verifies this information before issuing the certificate; that verification is what ties the certificate to the rightful owner of those names. When you create a CSR, you also generate a private key. The server uses that key during the TLS handshake to prove that it owns the certificate (with the older RSA key exchange it also decrypts the session key material sent by the client). Anyone who obtains the private key can impersonate your site, so generate it on the server, never copy it elsewhere, and keep it readable only by root.

Objectives

Prerequisites

Task 1: Install OCI CLI on OCI Compute Instance

Task 2: Create a Certificate Authority (CA) in OCI

Create a Certificate Authority (CA) in the OCI Console using the OCI Certificates service; it will be used to issue the internal certificates for our website. The CA's private key is protected by a key in OCI Vault, so a vault and an encryption key must exist before the CA is created. For more information about CA configuration, see Creating a Certificate Authority.

Or

Create a CA using OCI CLI. Use the oci certs-mgmt certificate-authority create-root-ca-by-generating-config-details command with the required parameters to create a root CA (the certificate create-certificate-issued-by-internal-ca command issues leaf certificates, not CAs). For more information, see create-root-ca-by-generating-config-details.

Command Format:

oci certs-mgmt certificate-authority create-root-ca-by-generating-config-details --compartment-id <compartment_OCID> --name <CA_display_name> --subject <CA_subject_information> --kms-key-id <Vault_encryption_key_OCID>

Sample Command:

oci certs-mgmt certificate-authority create-root-ca-by-generating-config-details --compartment-id ocid1.compartment.oc1..aaaaaaaaxxx --name MyRootCA --subject file://subject.json --kms-key-id ocid1.key.oc1.iad.abcxxxxx

Note: Subject is a complex type whose value must be valid JSON. The value can be provided as a string on the command line or passed in as a file using the file://path/to/file syntax.

Sample subject.json file:

{
  "commonName": "MyRootCA"
}

Task 3: Create a Certificate Signing Request (CSR) using OpenSSL

Create the CSR on the Nginx server itself, which also creates the private key on the same server. This is the recommended approach: the CSR is a standardized way to send the CA your public key together with the information that identifies your organization and domain names, while the private key never leaves the machine that will use it. Generating the CSR directly on the Nginx server also means the issued certificate can be dropped into place next to its key without any further copying.

  1. Change to the directory that will hold the key: cd /etc/pki/tls/private/.

  2. Create a file named mywebsitecert.cnf that specifies the subject and the subject alternative names (SAN) for which you are requesting the certificate.

    Note: The SAN extension attaches additional identities, such as DNS names or IP addresses, to the certificate. It is standard practice for TLS server certificates, and modern browsers match the requested host name against the SAN entries only; the common name is ignored for that purpose. Every host name and IP address that clients will use to reach the site must therefore appear in the SAN list, including the one used as the common name.

    Sample File:

    [req]
    distinguished_name = req_distinguished_name
    req_extensions = v3_req          # put the v3_req extensions (the SAN) into the CSR
    prompt = no                      # take the subject from the section below, do not prompt
    
    [req_distinguished_name]
    C = IN
    ST = Telangana
    L = Hyd
    O = OU
    CN = www.mywebsite.com
    
    [v3_req]
    basicConstraints = CA:FALSE      # a server certificate, not a CA
    keyUsage = nonRepudiation, digitalSignature, keyEncipherment
    extendedKeyUsage = serverAuth    # usable for TLS server authentication only
    subjectAltName = @alt_names
    
    [alt_names]
    # Every name clients use to reach the site, including the CN above:
    # browsers match SAN entries only and ignore the common name.
    DNS.1 = mywebsite.com
    DNS.2 = www.mywebsite.com
    IP.1 = 1.2.3.4
    
    
  3. Use the following command to create the private key and the CSR. It takes the subject and SAN from the mywebsitecert.cnf file created in the previous step.

    openssl req -out mywebsite.csr -newkey rsa:4096 -nodes -keyout private.key -config mywebsitecert.cnf

    You will provide the mywebsite.csr file to the CA in the next task; the CA uses it to issue the certificate for your names. The CSR contains only public information and can be shared freely.

    Keep private.key secure: anyone holding it can impersonate the site. -nodes writes the key unencrypted so that Nginx can start without a passphrase, so restrict it with chmod 600 private.key and leave it owned by root. The key is the one thing in this tutorial that must never be copied off the server.
    

Task 4: Create a Certificate using the CA

To issue the certificate from the OCI CLI you need the CSR in PEM format. The private key stays on the Nginx server and is never sent to OCI; that is what "managed externally" in the command name means.

  1. Make sure the CSR is PEM encoded. openssl req writes PEM by default, so mywebsite.csr already starts with -----BEGIN CERTIFICATE REQUEST-----; the command below simply rewrites it under the mywebsite.pem name used in the next step. Only if the CSR came from a tool that emitted binary DER do you need to add -inform DER.

    openssl req -in mywebsite.csr -outform PEM -out mywebsite.pem
    
  2. Run the following command to create a certificate. --csr-pem takes the PEM text itself, not a file name, so read the file into the argument.

    Command Format:

    oci certs-mgmt certificate create-certificate-managed-externally-issued-by-internal-ca --compartment-id <compartment_OCID> --csr-pem "$(cat <csr_pem_file>)" --issuer-certificate-authority-id <CA_OCID> --name <Certificate-name>
    

    Sample Command:

    oci certs-mgmt certificate create-certificate-managed-externally-issued-by-internal-ca --compartment-id ocid1.compartment.oc1..aaaaaaaaxxx --csr-pem "$(cat mywebsite.pem)" --issuer-certificate-authority-id ocid1.certificateauthority.oc1.iad.aaaxxxx --name mywebsite.com

    Note the certificate OCID in the command output; you need it in the next task.
    

Task 5: Download the Certificate and Certificate Chain

The certificate PEM files can be obtained directly from the OCI Console: navigate to Identity and Security, Certificates, select the certificate, click View Content, and download the content of certificate-pem (the server certificate) and certificate-chain-pem (the issuing CA certificates, with the root CA last).

Create a single file by combining the two, certificate-pem at the top and certificate-chain-pem at the bottom. The order matters: Nginx sends this file as-is during the handshake, and TLS clients expect the server certificate first, followed by the CAs that issued it. The tutorial names this combined file ca_certificate.pem. Do not add the private key to it.

Or

You can also fetch the certificate using the OCI CLI. The certificate-bundle get command returns JSON, so redirecting its raw output into a .crt file does not produce a usable certificate. Extract the two PEM bodies with a JMESPath --query instead (the chain field is cert-chain-pem in the CertificateBundle response; run the command once without --query to confirm the field names in your CLI version).

Command Format:

oci certificates certificate-bundle get --certificate-id <Certificate_OCID> --query 'data."certificate-pem"' --raw-output > certificate.pem
oci certificates certificate-bundle get --certificate-id <Certificate_OCID> --query 'data."cert-chain-pem"' --raw-output > certificate-chain.pem
cat certificate.pem certificate-chain.pem > ca_certificate.pem

Note: The Oracle Cloud Identifier (OCID) of the certificate appears in the output of the create command in Task 4 and on the certificate's details page in the OCI Console.

Task 6: Install and Configure the Nginx Server with the Certificate

  1. Install Nginx on a compute instance. For more information, see Install Nginx.

  2. Open a web browser and access the webpage using https://your-server-ip. Check for any security warnings or errors that might be displayed by the browser.


    It displays a security warning, so we need to install the certificate and modify the conf file on Nginx server.

  3. Copy the combined ca_certificate.pem file (downloaded from the OCI Console or built with the OCI CLI) to the Nginx server, for example into /etc/pki/tls/certs/. The private key, private.key, is already on the server because the CSR was generated there in Task 3; it must not be copied anywhere else.

  4. Configure your Nginx server by adding a server block for port 443 in a file under /etc/nginx/conf.d/ (for example mywebsite.conf), with ssl_certificate pointing at the combined ca_certificate.pem and ssl_certificate_key pointing at private.key.

  5. Validate the configuration with nginx -t, then reload or restart the Nginx server. If the page still does not load over HTTPS, confirm that the instance firewall and the subnet's security list allow inbound TCP port 443.
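The server block that the screenshot in step 4 showed, written out as an added example; this is not the tutorial's own file. It assumes the combined ca_certificate.pem from Task 5 was copied to /etc/pki/tls/certs/ and that private.key is still in /etc/pki/tls/private/ where Task 3 created it; the server names and document root are placeholders. Save it as /etc/nginx/conf.d/mywebsite.conf.

```nginx
# Added example configuration (not from the Oracle tutorial).
# Assumed paths: /etc/pki/tls/certs/ca_certificate.pem (leaf + chain from Task 5)
# and /etc/pki/tls/private/private.key (created in Task 3, mode 0600, owner root).

server {
    listen 80;
    server_name mywebsite.com www.mywebsite.com;
    return 301 https://$host$request_uri;      # never serve content over plain HTTP
}

server {
    listen 443 ssl;
    server_name mywebsite.com www.mywebsite.com;

    # The combined file: server certificate first, then the issuing CA chain.
    # Pointing this at the leaf alone makes clients fail with a missing issuer.
    ssl_certificate     /etc/pki/tls/certs/ca_certificate.pem;
    ssl_certificate_key /etc/pki/tls/private/private.key;

    ssl_protocols TLSv1.2 TLSv1.3;             # no SSLv3, TLS 1.0 or TLS 1.1
    ssl_prefer_server_ciphers off;             # let TLS 1.2 clients pick from the modern set
    ssl_session_cache shared:SSL:10m;
    ssl_session_timeout 1d;
    ssl_session_tickets off;                   # avoid long-lived ticket keys in memory

    # Tell browsers to use HTTPS only; with HSTS a certificate error cannot be clicked through.
    add_header Strict-Transport-Security "max-age=31536000" always;

    root  /usr/share/nginx/html;
    index index.html;
}
```

Run nginx -t before reloading: it reads both files and reports a key that does not match the certificate or a chain in the wrong order, which is far easier to debug here than from a browser error page. Because the CA is private there is no OCSP responder to staple from, so ssl_stapling is deliberately absent.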

Task 7: Test if HTTPS is Working

The CA created in OCI Certificates is a private CA, so browsers do not trust it out of the box. For the site to load without warnings, the root CA certificate (the last certificate in certificate-chain-pem) must be imported into the Trusted Root Certification Authorities store on every client machine that accesses the website, and any intermediate CA in the chain into the Intermediate Certification Authorities store. Import only the CA certificates: the server certificate itself has no place in a trust store, and the private key never leaves the server. In a managed environment, distribute the root through group policy or configuration management rather than by hand, and remember that whoever controls that trust store, and whoever can issue from the CA in OCI, can mint certificates these browsers will accept; protect the CA's IAM policies accordingly.

Open a web browser and access the webpage using https://your-server-ip. You should now observe that the webpage is being served with a valid TLS certificate, and any security warnings or errors encountered earlier should be resolved.
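Tasks 5 and 7 together, as an added example that is not part of the tutorial: the two downloads are combined in the order Nginx needs, the root CA is split out of certificate-chain-pem for the client trust store, and openssl verify plays the part of a browser. Because nothing here can reach an OCI tenancy, the script first generates a small root, intermediate and server certificate hierarchy locally with openssl as a stand-in for what OCI Certificates issues; the host names and 1.2.3.4 are the tutorial's placeholders, and the server certificate deliberately lists only mywebsite.com and the IP address in its SAN.

```shell
#!/bin/sh
# Added example, not from the Oracle tutorial: assemble what Nginx serves (Task 5)
# and what clients trust (Task 7), then verify both offline like a browser would.
set -eu

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT
cd "$WORK"

# ---- Local stand-in for the OCI-issued material (root -> intermediate -> leaf) ----
printf '%s\n' 'basicConstraints=critical,CA:TRUE' \
              'keyUsage=critical,keyCertSign,cRLSign' > ca.ext
printf '%s\n' 'basicConstraints=CA:FALSE' \
              'keyUsage=digitalSignature,keyEncipherment' \
              'extendedKeyUsage=serverAuth' \
              'subjectAltName=DNS:mywebsite.com,IP:1.2.3.4' > leaf.ext

gen_csr() {  # gen_csr NAME SUBJECT -> NAME.key and NAME.csr
  openssl req -new -newkey rsa:2048 -nodes -keyout "$1.key" -subj "$2" -out "$1.csr" 2>/dev/null
}
gen_csr root "/CN=MyRootCA"
openssl x509 -req -in root.csr -signkey root.key -days 365 -extfile ca.ext -out root.pem 2>/dev/null
gen_csr intermediate "/CN=MyIntermediateCA"
openssl x509 -req -in intermediate.csr -CA root.pem -CAkey root.key -CAcreateserial \
    -days 365 -extfile ca.ext -out intermediate.pem 2>/dev/null
gen_csr mywebsite "/CN=www.mywebsite.com"   # CN is deliberately absent from the SAN list
openssl x509 -req -in mywebsite.csr -CA intermediate.pem -CAkey intermediate.key -CAcreateserial \
    -days 365 -extfile leaf.ext -out certificate.pem 2>/dev/null
# What the console download certificate-chain-pem contains: issuing CA first, root last.
cat intermediate.pem root.pem > certificate-chain.pem

# ---- Task 5: the file Nginx serves, server certificate first, then the chain ----
cat certificate.pem certificate-chain.pem > ca_certificate.pem

# ---- Task 7: only the root CA goes into the client trust store ----
last_pem_block() {  # print the last certificate in a PEM bundle
  awk '/-----BEGIN CERTIFICATE-----/ { n++ } { b[n] = b[n] $0 "\n" } END { printf "%s", b[n] }' "$1"
}
last_pem_block certificate-chain.pem > trusted-root.pem

# Mimic a client: trust only trusted-root.pem, receive ca_certificate.pem from the
# server, and check the name (or address) typed into the address bar.
verify_host() {  # verify_host NAME -> ok|fail
  openssl verify -CAfile trusted-root.pem -untrusted ca_certificate.pem \
      -verify_hostname "$1" certificate.pem >/dev/null 2>&1 && echo ok || echo fail
}
verify_ip() {    # verify_ip ADDRESS -> ok|fail (the https://your-server-ip case)
  openssl verify -CAfile trusted-root.pem -untrusted ca_certificate.pem \
      -verify_ip "$1" certificate.pem >/dev/null 2>&1 && echo ok || echo fail
}
verify_without_chain() {  # what a client sees if Nginx serves the leaf alone
  openssl verify -CAfile trusted-root.pem certificate.pem >/dev/null 2>&1 && echo ok || echo fail
}
first_subject() { openssl x509 -in "$1" -noout -subject; }        # subject of the first cert in FILE
count_certs()   { grep -c -- '-----BEGIN CERTIFICATE-----' "$1"; }

echo "ca_certificate.pem: $(count_certs ca_certificate.pem) certs, first = $(first_subject ca_certificate.pem)"
echo "trust store gets: $(first_subject trusted-root.pem)"
echo "mywebsite.com: $(verify_host mywebsite.com)  1.2.3.4: $(verify_ip 1.2.3.4)"
echo "www.mywebsite.com: $(verify_host www.mywebsite.com)  leaf without chain: $(verify_without_chain)"
```

Running it shows three things a screenshot cannot. mywebsite.com and 1.2.3.4 verify. www.mywebsite.com fails even though it is the common name, because clients match SAN entries only, which is why the SAN list in Task 3 must carry every name. Verifying the leaf without the chain fails with a missing issuer, which is exactly the error a browser reports when ssl_certificate points at the server certificate alone. To run the same checks against the live server, replace the local files with the certificates printed by openssl s_client -connect your-server-ip:443 -showcerts.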


By following these tasks, you ensure that your Nginx server is properly configured with the internal CA certificate, and clients can securely access the webpage over HTTPS.

Acknowledgments

More Learning Resources

Explore other labs on docs.oracle.com/learn or access more free learning content on the Oracle Learning YouTube channel. Additionally, visit education.oracle.com/learning-explorer to become an Oracle Learning Explorer.

For product documentation, visit Oracle Help Center.