I have to add ssl (https) for a website, I was given a SSL.CSR and a SSL.KEY file. I 'dos2unix'ed them (because they have trailing ^M) and copied them to the server(CSR -> mywebsite.crt, KEY -> mywebsite.key). I did the following modification to nginx.conf:
@@ -60,8 +60,13 @@
}
server {
- listen 80;
+ listen 443;
server_name ...;
+ ssl on;
+ ssl_certificate mywebsite.crt;
+ ssl_certificate_key mywebsite.key;
+ ssl_session_cache shared:SSL:10m;
+ ssl_session_timeout 10m;
# Set the max size for file uploads to 500Mb
client_max_body_size 500M;
Error happens when I restart nginx:
nginx: [emerg] PEM_read_bio_X509_AUX("/etc/nginx/mywebsite.crt") failed (SSL: error:0906D06C:PEM routines:PEM_read_bio:no start line:Expecting: TRUSTED CERTIFICATE)
I figure it's because the first line of mywebsite.crt file contains 'REQUEST', so I remove 'REQUEST' from the first and last of the lines, and restart nginx again, and hit another error:
nginx: [emerg] PEM_read_bio_X509_AUX("/etc/nginx/mywebsite.crt") failed (SSL: error:0D0680A8:asn1 encoding routines:ASN1_CHECK_TLEN:wrong tag error:0D06C03A:asn1 encoding routines:ASN1_D2I_EX_PRIMITIVE:nested asn1 error error:0D08303A:asn1 encoding routines:ASN1_TEMPLATE_NOEXP_D2I:nested asn1 error:Field=algorithm, Type=X509_ALGOR error:0D08303A:asn1 encoding routines:ASN1_TEMPLATE_NOEXP_D2I:nested asn1 error:Field=signature, Type=X509_CINF error:0D08303A:asn1 encoding routines:ASN1_TEMPLATE_NOEXP_D2I:nested asn1 error:Field=cert_info, Type=X509 error:0906700D:PEM routines:PEM_ASN1_read_bio:ASN1 lib)
Any idea?
You should never share your private key. You should consider the key you posted here compromised and generate a new key and signing request.
You have a certificate request and not an actual signed certificate. You provide the request ('CSR') to the signing party. They use that request to create a signed certificate ('CRT') which they then make available to you. The key is never disclosed to anyone.