Install Hong Kong Post server SSL certificate on Nginx

A client applied for an SSL e-Cert from Hong Kong Post for their website (example: www.linuxharbour.com) running on Nginx. Hong Kong Post provides a PIN envelope reference number (9 digits) and an e-Cert PIN (16 digits).

First, we create a Certificate Signing Request (CSR) with OpenSSL.

$ openssl req -new -newkey rsa:2048 -nodes -keyout linuxharbour.key -out linuxharbour.csr
Generating a 2048 bit RSA private key

...........................+++
..+++
writing new private key to 'linuxharbour.key'
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [AU]:HK
State or Province Name (full name) [Some-State]:Hong Kong
Locality Name (eg, city) []:Hong Kong
Organization Name (eg, company) [Internet Widgits Pty Ltd]:Linux Harbour
Organizational Unit Name (eg, section) []:Web Team
Common Name (e.g. server FQDN or YOUR name) []:www.linuxharbour.com
Email Address []:editorial@linuxpilot.net

Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:
An optional company name []:
After generating the files with OpenSSL, we visit the Hong Kong Post CSR submission web page for server e-Certs and enter the hostname of the e-Cert, the reference number and the PIN.
On the next page, we confirm the CSR submission if the information listed is correct.
After confirming the information listed, we copy the content of the CSR file (example: linuxharbour.csr) and paste it into the text box on the CSR submission page.
Your SSL certificate details will be shown, and the CSR submission page asks for another confirmation.
After your second confirmation of the CSR submission, Hong Kong Post generates an SSL e-Cert for your server, which you can download (item 1). Keep the CSR and key files generated with OpenSSL safe.
SSL Configuration (Hong Kong Post e-Cert for Server) with ISPConfig 3
Copy the content of the files into the “SSL Key”, “SSL Request” and “SSL Certificate” fields on the SSL tab, then save the configuration setting. Congratulations, you did it!
SSL Key should start with something like -----BEGIN PRIVATE KEY-----.
SSL Request should start with something like -----BEGIN CERTIFICATE REQUEST-----.
SSL Certificate should start with something like -----BEGIN CERTIFICATE-----.
SSL Configuration on Nginx (without ISPConfig 3)
Create a file /etc/ssl/certs/linuxharbour.pem (filename example: linuxharbour.pem) and copy & paste the SSL e-Cert into this file.
SSL Certificate should start with something like -----BEGIN CERTIFICATE-----.
Then move the key file generated with OpenSSL to the directory /etc/ssl/private.
$ mv linuxharbour.key /etc/ssl/private
Then add the following lines to the web site configuration block (i.e. location { … }) in Nginx.
listen *:443 ssl;
ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
ssl_certificate /etc/ssl/certs/linuxharbour.pem;
ssl_certificate_key /etc/ssl/private/linuxharbour.key;
Reload Nginx, and congratulations, you did it!
Frequently Asked Questions (FAQ)
Q: What should I do if the client browser returns SEC_ERROR_UNKNOWN_ISSUER for my Hong Kong Post server e-Cert?
A: The Hong Kong Post Root CA certificate (NOT your certificate) is not installed on some browsers or platforms due to the security policies of some popular browser vendors or platform vendors. I hope Hong Kong Post can work with popular browser vendors and platform vendors and pass their security verification process.
You should download the Hong Kong Post Root CA 1 root certificate and the Hong Kong Post e-Cert CA 1 – 15 intermediate certificate from Hong Kong Post. And then:
$ cat cert000000000.crt ecert_ca_1-15_pem.crt root_ca_1_pem.crt > hkpostca.crt
(Replace 000000000 with the certificate number shown on your cert file. The server certificate must come first, followed by the intermediate and then the root certificate, because Nginx uses the first certificate in the file as the server certificate and checks it against the private key.)
Then paste the content of hkpostca.crt (which contains all 3 certificates) into the SSL certificate field.
Please also refer to Q4 on GovHK Online Services – Information Security page for this issue.
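The Nginx configuration above and the chain assembly in the FAQ are exercised by the following added shell script (example code, not from the original post, ISPConfig or Hong Kong Post): it builds the chain file in the order Nginx needs, checks that the first certificate matches the private key and verifies up to the root, and prints a hardened form of the server block that drops TLSv1 and TLSv1.1; since listen and ssl_certificate are server-context directives, the printed block is a server { } block. It assumes openssl is on PATH; the file names and the throwaway test PKI it generates are placeholders standing in for the real Hong Kong Post certificates.

```shell
#!/bin/sh
# Added example, not from the original post. Assumes openssl on PATH; file names
# are placeholders. nginx uses the FIRST certificate in ssl_certificate as the
# server certificate, so the file order must be: server e-Cert, then the
# intermediate (e-Cert CA 1-15), then (optionally) the root (Root CA 1).
set -eu

build_chain() {  # build_chain LEAF INTERMEDIATE ROOT OUT
  cat "$1" "$2" "$3" > "$4"
}

# Does the first certificate in CHAIN carry the public key of KEY? With a
# root-first file this fails and nginx refuses to start (key values mismatch).
chain_matches_key() {  # chain_matches_key CHAIN KEY
  c=$(openssl x509 -in "$1" -noout -pubkey | openssl sha256)
  k=$(openssl pkey -in "$2" -pubout | openssl sha256)
  [ "$c" = "$k" ]
}

# Does the first certificate in CHAIN chain up to ROOT through the other
# certificates in the same file? This is what a browser trusting ROOT checks.
chain_verifies() {  # chain_verifies CHAIN ROOT
  openssl x509 -in "$1" | openssl verify -CAfile "$2" -untrusted "$1" >/dev/null 2>&1
}

# Hardened form of the page's block: TLSv1/TLSv1.1 dropped. listen and
# ssl_certificate are server-context directives, hence a server {} block.
nginx_server_block() {  # nginx_server_block CHAIN KEY
  printf 'server {\n    listen *:443 ssl;\n    server_name www.linuxharbour.com;\n'
  printf '    ssl_protocols TLSv1.2 TLSv1.3;\n'
  printf '    ssl_certificate %s;\n    ssl_certificate_key %s;\n}\n' "$1" "$2"
}

# Throwaway root -> intermediate -> leaf PKI (constructed, 1-day validity) that
# stands in for the Hong Kong Post chain so the checks can run offline.
make_test_pki() {  # make_test_pki DIR
  d=$1; cnf="$d/ca.cnf"
  printf '[req]\ndistinguished_name=dn\nx509_extensions=ca\n[dn]\n[ca]\nbasicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign\n' > "$cnf"
  openssl req -x509 -config "$cnf" -newkey rsa:2048 -nodes -days 1 -subj "/CN=Test Root" \
    -keyout "$d/root.key" -out "$d/root.crt" 2>/dev/null
  openssl req -new -config "$cnf" -newkey rsa:2048 -nodes -subj "/CN=Test Intermediate" \
    -keyout "$d/int.key" -out "$d/int.csr" 2>/dev/null
  openssl x509 -req -days 1 -in "$d/int.csr" -CA "$d/root.crt" -CAkey "$d/root.key" \
    -CAcreateserial -extfile "$cnf" -extensions ca -out "$d/int.crt" 2>/dev/null
  openssl req -new -config "$cnf" -newkey rsa:2048 -nodes -subj "/CN=www.linuxharbour.com" \
    -keyout "$d/leaf.key" -out "$d/leaf.csr" 2>/dev/null
  openssl x509 -req -days 1 -in "$d/leaf.csr" -CA "$d/int.crt" -CAkey "$d/int.key" \
    -CAcreateserial -out "$d/leaf.crt" 2>/dev/null
}
```

Run `make_test_pki` into a temporary directory, then `build_chain`, `chain_matches_key` and `chain_verifies` against it before pointing ssl_certificate at the real chain file; the same two checks work unchanged on the real Hong Kong Post files.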

Sammy Fung

A technology consultant who develops software and deploys Linux and cloud technology solutions.