Nginx TLS — Practical Zero Trust
How to get and renew Nginx TLS certificates
Written September 15, 2021
Zero Trust or BeyondProd approaches require authenticated and encrypted communications everywhere. TLS is the cryptographic protocol that powers encryption for all your technologies. For TLS, you need certificates. This practitioner's tutorial provides instructions for automating Nginx TLS certificate renewal and enabling server-side encryption.
Try it
Create a private key and request a certificate
Before you can configure Nginx TLS, you will need a certificate issued by a trusted certificate authority (CA). If you already have a certificate, private key, and CA root certificate from your organization's existing CA, you can skip to the Nginx TLS configuration section below. If you need to generate a certificate, you can:
- Roll your own with open source
step-ca
To request a certificate from your CA using the step CLI, bootstrap your CA with step ca bootstrap and run the following command (sub the server name for the actual name / DNS name of your Nginx server).
step ca certificate "myserver.example.net" server.crt server.keyYour certificate and private key will be saved in server.crt and server.key respectively.
Request a copy of your CA root certificate, which will be used to make sure each application can trust certificates presented by other applications.
step ca root ca.crt
Your certificate will be saved in ca.crt.
Configure Nginx to use the certificate
In your Nginx configuration's server block, enable ssl for the listening socket and specify the locations of the server's certificate and private key. We'll also tell Nginx to use TLS protocols and our preferred ciphers:
server {
listen 443 ssl;
server_name myserver.example.net;
ssl_certificate /path/to/server.crt;
ssl_certificate_key /path/to/server.key;
ssl_protocols TLSv1.2 TLSv1.3;
ssl_ciphers HIGH:!aNULL:!MD5;
# ...
}
Send a reload signal to Nginx to apply your new configuration:
nginx -s reload
Test Nginx TLS configuration
To make sure Nginx is presenting a valid certificate, you can use the curl command, passing it your root certificate for use in verifying the server.
$ curl --cacert ca.crt https://myserver.example.net
HTTP/2 200
...Operationalize It
Select a provisioner
Smallstep CAs use provisioners to authenticate certificate requests using passwords, one-time tokens, single sign-on, and a variety of other mechanisms.
- ACME (RFC8555) is an open standard, used by Let's Encrypt, for authenticating certificate requests. To use ACME on a private network you need to run an ACME server. ACME is harder to setup, but has a large client ecosystem (some software even has built-in support).
- Other provisioners use the open source
stepCLI and do not require a local network agent. The instructions below focus on the JWK provisioner, but can be repurposed with small tweaks to operationalize all non-ACME provisioners.
To learn more, see Configuring step-ca Provisioners.
The right provisioner depends on your operational environment.
The JWK provisioner is the most general-purpose provisioner. It supports password and one-time token-based authentication. To add a JWK provisioner called nginx to a hosted Certificate Manager authority (if you haven't already), run:
step ca provisioner add nginx --type JWK --create --x509-default-dur 720hFor instructions on adding provisioners to open source step-ca, or to learn more about other provisioner types, see Configuring step-ca Provisioners.
Configure Nginx TLS Certificate Automation
We've created a systemd-based certificate renewal timer that works with step. Check out our documentation on Renewal using systemd timers for background on how these timers work.
To install the certificate renewal unit files, run:
cd /etc/systemd/system
sudo curl -sL https://files.smallstep.com/cert-renewer@.service \
-o cert-renewer@.service
sudo curl -sL https://files.smallstep.com/cert-renewer@.timer \
-o cert-renewer@.timer
The renewal timer will check your certificate files every five minutes and renew them after two-thirds of their lifetime has elapsed.
The cert-renewer@.service and cert-renewer@.timer files define a service unit template. Templates are never run directly, but we will run an instance of them for Nginx certificate renewals. That service will be called cert-renewer@nginx.service, which parallels the nginx.service unit name used by Nginx on systemd-based Linux distributions. Because the two units share this value in their name, the cert-renewer@nginx.service renewer will attempt to reload or restart nginx.service after it renews the certificate.
To start the renewal timer, run:
sudo systemctl daemon-reload
sudo systemctl enable --now cert-renewer@nginx.timerYou'll see that the timer is active, by checking the output of systemctl list-timers.
Distribute your root certificate to end users and systems
Once Nginx TLS is configured, you'll need to make sure that clients know to trust certificates signed by your CA. For certificates signed by a public CA (like Let's Encrypt), most clients already include the CA root certificate in their trust stores for certificate verification. But, for a private CA, you will need to explicitly add your CA's root certificate to your clients' trust stores.
The step CLI includes a utility command for this purpose on many systems:
step certificate install ca.crt
Rather than manually running the above for each machine that needs to trust your CA, most teams will use some form of automation to distribute the root certificate. Depending on your needs and your IT or DevOps team's approach, this may be a configuration management tool (like Ansible or Puppet), a Mobile Device Management (MDM) solution, or something else. Some examples:
- Use Ansible to add
ca.crtdirectly to theca-ceritficatesbundle on linux VMs so running applications trust the API servers they call - Bake
ca.crtdirectly into base Docker images for gRPC so gRPC clients can always reference the trusted CA - Store
ca.crtin a KubernetesSecretand inject it into an environment variable for access from application code - Use Jamf to install
ca.crtin the trust stores of every employee Macbook so their web browsers trust internal websites - Use Puppet to run
step certificate install ca.crton target machines that wantcurlto implicity trust the CA - Store
ca.crtin a KubernetesConfigMapand mount it to pods for reference on the filesystem
Alternatively, many clients support passing the CA root certificate as a flag or argument at runtime.
Contribute to this document
The Practical Zero Trust project is a collection of living documents detailing TLS configuration across a broad spread of technologies. We'd love to make this document better. Feel free to contribute any improvements directly on GitHub.
Subscribe to updates
Unsubscribe anytime. See our privacy policy.
© 2023 Smallstep Labs, Inc. All rights reserved.