Can't successfully set up SSL

Posted by cyberjar09 
December 04, 2012 12:42AM
Hi all,

I have recently purchased a wildcard class2 SSL certificate from StartSSL and have downloaded the PFX file for the same.

Since I am going to be using it with NGINX, here is what I did:

1. Obtain the cert in *.pem format
openssl pkcs12 -in mydomain.pfx -nokeys -out mydomain.pem

2. Get the key
openssl pkcs12 -in mydomain.pfx -out mydomain.key -nocerts -nodes

3. Then follow instructions according to https://www.startssl.com/?app=42, using class 2 instead of class 1.
When I attempt to test it, my browser throws a security error!

Invalid Server Certificate
You attempted to reach www.reva.regsys.actzz.com, but the server presented an invalid certificate.


Please tell me where I am going wrong, no idea how to proceed now. (Please note that it is a wildcard certificate)
Thanks.
Re: Can't successfully set up SSL
December 05, 2012 12:05AM
I take it that nginx -t validates the cert/key pair OK, and that you've *appended* the necessary intermediate certs onto the end of the original mydomain.pem?

What's the domain as shown by...
openssl x509 -in mydomain.pem -text -noout

( that's your original cert, not the one with the intermediate certs added )

EDIT: Actually those instructions are (maybe) out of date. If you want to share the ssl/non-ssl config in the same server block, just double up the listen... eg


listen 192.168.1.1:80;
listen 192.168.1.1:443 default ssl;

and don't use the ssl on; directive.

Much simpler.



Edited 1 time(s). Last edit at 12/05/2012 12:09AM by GreenGecko.
Re: Can't successfully set up SSL
December 05, 2012 12:55AM
Hi GreenGecko,

No. The command nginx -t throws a "key values mismatch" error. I have 5 files downloaded from StartSSL, namely:

1. ca-bundle.pem
2. ca.pem
3. sub.class2.client.ca.pem
4. sub.class2.code.ca.pem
5. sub.class2.server.ca.pem

of which I have identified that (2) and (5) are the Root cert and intermediate cert respectively.

Which leaves me with (1), (3) and (4) to be the issued cert, none of which provide me with the registered domain name when I run the command: openssl x509 -in mydomain.pem -text -noout

I'm kind of lost as this is the first time I am using Nginx and also the first time I am installing an SSL cert. I have tested with the self-generated SSL certs and it works fine with my config. So the dependency is with my actual purchased certs now.

P.S. I have referred to http://www.startssl.com/?app=42 but I'm not able to get things going.
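
A check for the "key values mismatch" error discussed in this thread, added here as an example and not part of any post: it reports which certificate in a PEM file (such as the output of the pkcs12 -nokeys export, which can hold more than one certificate) carries the same public key as the private key. nginx pairs the key with the first certificate in the ssl_certificate file, so any position other than 1 means the file has to be reordered. The function names are illustrative.

```shell
#!/bin/sh
# Added example: find which certificate in a PEM file belongs to a private key.

# PEM-encoded public key derived from a private key file (RSA or EC).
key_pubkey() {
    openssl pkey -in "$1" -pubout 2>/dev/null
}

# PEM-encoded public key of the first certificate in a PEM file.
cert_pubkey() {
    openssl x509 -in "$1" -noout -pubkey 2>/dev/null
}

# Print the 1-based position of the certificate in bundle $1 whose public key
# matches private key $2. Prints 0 and returns 1 when no certificate matches;
# returns 2 when the key file cannot be read.
matching_cert_index() {
    bundle=$1
    want=$(key_pubkey "$2") || return 2
    [ -n "$want" ] || return 2
    tmp=$(mktemp -d) || return 2
    # One file per certificate; "Bag Attributes" text left by pkcs12 is skipped.
    awk -v d="$tmp" '
        /-----BEGIN CERTIFICATE-----/ { n++; keep = 1 }
        keep { print > (d "/" n ".pem") }
        /-----END CERTIFICATE-----/   { keep = 0; close(d "/" n ".pem") }
    ' "$bundle"
    i=1
    found=0
    while [ -f "$tmp/$i.pem" ]; do
        if [ "$(cert_pubkey "$tmp/$i.pem")" = "$want" ]; then
            found=$i
            break
        fi
        i=$((i + 1))
    done
    rm -rf "$tmp"
    echo "$found"
    [ "$found" -ne 0 ]
}

# Usage: sh check.sh mydomain.pem mydomain.key
if [ "$#" -eq 2 ]; then
    if pos=$(matching_cert_index "$1" "$2"); then
        echo "certificate #$pos matches the key (nginx needs it at position 1)"
    else
        echo "no certificate in $1 matches $2" >&2
    fi
fi
```

A result of 0 means none of the certificates in the file was issued for that key, which no amount of reordering or appending intermediates will fix.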