Linux Harbour

Open Source Technology Media

Linux

How to install Hongkong Post SSL e-Cert on Nginx web server

We installed a Hongkong Post e-Cert (Server) on the Nginx web server of our client successfully. Hongkong Post provides a 9-digit PIN envelope reference number and a 16-digit e-Cert PIN password to our client.

In this example, we assume that www.linuxharbour.com is the hostname of the web server.

First, OpenSSL is used to build Certificate Signing Request (CSR)。

$ openssl req -new -newkey rsa:2048 -nodes -keyout linuxharbour.key -out linuxharbour.csr
Generating a 2048 bit RSA private key

…………………………………+++
..+++
writing new private key to ‘linuxharbour.key’
—–
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter ‘.’, the field will be left blank.
—–
Country Name (2 letter code) [AU]:HK
State or Province Name (full name) [Some-State]:Hong Kong
Locality Name (eg, city) []:Hong Kong
Organization Name (eg, company) [Internet Widgits Pty Ltd]:Linux Harbour
Organizational Unit Name (eg, section) []:Web Team
Common Name (e.g. server FQDN or YOUR name) []:www.linuxharbour.com
Email Address []:[email protected]

Please enter the following ‘extra’ attributes
to be sent with your certificate request
A challenge password []:
An optional company name []:
Then, the e-Cert hostname, reference number, and PIN password should be inputted through Hongkong Post e-Cert (Server) CSR Submission web page. The e-Cert applicant details should be checked on the next page.
After the e-Cert applicant details are confirmed, the content of the CSR file (eg. linuxharbour.csr) should be pasted to the text area field of the CSR submission web page.
Next, the web page shows the SSL cert details which will be built soon, please check the details and click Accept.
After clicking Accept, Hongkong Post e-Cert website will product SSL e-Cert for your hostname, please click item 1 to download the “Hongkong Post e-Cert (Server)” certificate, please keep this file with your CSR and key files generated by OpenSSL.
When e-Cert is ready, SSL configuration should be added at Nginx web server according to the following example.
Setup Hongkong Post e-Cert (Server) in Nginx
First, copying the content of e-Cert to file /etc/ssl/certs/linuxharbour.pem (eg. linuxharbour.pem). The content of e-Cert should be started with a line ‘—–BEGIN CERTIFICATE—–‘. Then, move the key file generated by OpenSSL to the directory  /etc/ssl/private.
$ mv linuxharbour.key /etc/ssl/private
In the Nginx configuration, please add the following in the web site block: insides the ‘location { … }’. Next, it is done after restarting Nginx web service.
listen *:443 ssl;
ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
ssl_certificate /etc/ssl/certs/linuxharbour.pem;
ssl_certificate_key /etc/ssl/private/linuxharbour.key;
Setup Hongkong Post e-Cert (Server) in ISPConfig 3
If ISPConfig 3 is installed on your system, this is the alternative method. The content of 3 SSL files should be copied to ‘SSL Key’, ‘SSL Request’, ‘SSL Certificate’ in SSL tab, and then save the config.
The content of ‘SSL Key’ start with  —–BEGIN PRIVATE KEY—– .
The content of ‘SSL Request’ start with  —–BEGIN CERTIFICATE REQUEST—– .
The content of ‘SSL Certificate’ start with  —–BEGIN CERTIFICATE—– .
Frequent Answer Question (FAQ)
Question: How to solve if the web browser shows SEC_ERROR_UNKNOWN_ISSUER error?
Answer: Hongkong Post Root CA cert is not installed on some web browser or the mobile OS platform (ie. NOT your certificate), please refer to Q4 of GovHK Online Services – Information Security . You can download Hong Kong Post Root CA 1 and Hong Kong Post e-Cert CA 1 – 15 , and link with your certificate according to the above ‘Q4’.
$ cat root_ca_1_pem.crt ecert_ca_1-15_pem.crt cert0000000.crt > hkpostca.crt
(Replace  000000000 with your certificate number)
And then copy the content of the new cert file hkpostca.crt to SSL certificate field in ISPConfig 3 and save the config.
For the users of Apache HTTP server, please refer to the Hong Kong Post e-Cert (Server) User Guide for Apache.

 

Founder of Linux Harbour