SSL Certificate Installation Guide

Covers mainstream environments (Nginx, Apache, IIS, Tomcat, Node.js/Express), including CSR generation, certificate chain installation, HTTPS redirection, and common troubleshooting.

Note: Before installation, please ensure you have the following files or content:
  • Private key (generated when creating CSR, must be kept secure)
  • Domain certificate (.crt or .pem)
  • Intermediate/Root certificate chain (CA Bundle/chain)
1 Generate CSR & Private Key
OpenSSL (Linux/macOS/Windows with OpenSSL)
openssl req -new -newkey rsa:2048 -nodes -keyout your_domain.key -out your_domain.csr -subj "/C=CN/ST=Fujian/L=Xiamen/O=Your Company/OU=IT/CN=yourdomain.com"

For ECC, replace the rsa:2048 key generation with the ecparam -genkey -name prime256v1 process. Ensure the CSR's CN matches the purchased domain.

IIS (Windows)

In IIS Manager → Server → Server Certificates → Create Certificate Request, fill in the organization and domain information, then save the .csr file.

2 Nginx Installation
Merge Certificate Chain (if needed)
cat your_domain.crt intermediate_ca.crt > full_chain.crt
Nginx Configuration Example
server {
    listen 443 ssl http2;
    server_name yourdomain.com;

    ssl_certificate     /path/to/full_chain.crt;    # certificate + intermediate certificate chain
    ssl_certificate_key /path/to/your_domain.key;   # private key

    ssl_protocols TLSv1.2 TLSv1.3;
    ssl_ciphers HIGH:!aNULL:!MD5;
    ssl_prefer_server_ciphers on;
    ssl_session_cache shared:SSL:10m;

    root /var/www/html;
    index index.html index.php;
}

server {
    listen 80;
    server_name yourdomain.com;
    return 301 https://$host$request_uri;   # force HTTPS
}
3 Apache Installation
Virtual Host Configuration
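<VirtualHost *:443>
    ServerName yourdomain.com
    DocumentRoot "/var/www/html"

    SSLEngine on
    # Domain certificate and its private key
    SSLCertificateFile "/path/to/your_domain.crt"
    SSLCertificateKeyFile "/path/to/your_domain.key"
    # Intermediate chain. This directive is deprecated since Apache 2.4.8, where
    # the intermediates can instead be appended to the SSLCertificateFile file.
    SSLCertificateChainFile "/path/to/intermediate_ca.crt"

    Protocols h2 http/1.1
</VirtualHost>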
HTTP → HTTPS Redirect
<VirtualHost *:80>
    ServerName yourdomain.com
    Redirect permanent / https://yourdomain.com/
</VirtualHost>
4 IIS Installation
Import Certificate

IIS Manager → Server → Server Certificates → Import (select the .pfx if available; if you have .crt/.key files, merge them first to generate a .pfx).

Site Binding

Site → Bindings → Add: https, select imported certificate, check SNI (multiple sites on same IP).

5 Tomcat Installation
Generate keystore (Example)
keytool -genkey -alias tomcat -keyalg RSA -keysize 2048 -keystore keystore.jks -validity 3650
server.xml Configuration
<Connector port="8443"
           protocol="org.apache.coyote.http11.Http11NioProtocol"
           SSLEnabled="true"
           keystoreFile="/path/to/keystore.jks"
           keystorePass="your_password"
           clientAuth="false"
           sslProtocol="TLS" />
6 Node.js / Express
HTTPS Server Example
const fs = require('fs');
const https = require('https');
const express = require('express');

const app = express();

// TLS material: private key, domain certificate, and intermediate certificate
const options = {
  key: fs.readFileSync('/path/to/your_domain.key'),
  cert: fs.readFileSync('/path/to/your_domain.crt'),
  ca: fs.readFileSync('/path/to/intermediate_ca.crt'),
};

app.get('/', (req, res) => res.send('Hello HTTPS!'));

https.createServer(options, app).listen(443, () => {
  console.log('HTTPS server running on 443');
});
7 Force HTTPS / Redirect
Nginx
server {
    listen 80;
    server_name yourdomain.com;
    return 301 https://$host$request_uri;
}
Apache .htaccess
RewriteEngine On
RewriteCond %{HTTPS} !=on
RewriteRule ^(.*)$ https://%{HTTP_HOST}%{REQUEST_URI} [L,R=301]
IIS (URL Rewrite)

Install URL Rewrite, create rule: if {HTTPS} is not equal to on, then 301 redirect to https://{HTTP_HOST}{REQUEST_URI}.

8 Verification & Testing
Browser & Command Line
curl -I https://yourdomain.com
openssl s_client -connect yourdomain.com:443 -servername yourdomain.com -showcerts

Check for issues such as "incomplete certificate chain", "domain mismatch", "certificate expired", etc.
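
The same three issues can be checked on the files themselves before they are installed. The sh script below is an added example, not part of the original guide: it builds a throwaway root, intermediate and leaf for the constructed name example.test, then tests key match, chain completeness, hostname match and expiry with openssl. The function names and the root.crt file are assumptions of this example.

```sh
#!/bin/sh
# Added example; every key and certificate here is constructed test data.
# issue NAME SUBJECT EXTFILE SIGN_ARGS...: new key and CSR, then sign it into NAME.crt.
issue() {
  name=$1 subj=$2 ext=$3; shift 3
  openssl req -new -newkey rsa:2048 -nodes -subj "$subj" \
    -keyout "$name.key" -out "$name.csr" 2>/dev/null &&
  openssl x509 -req -in "$name.csr" -days 30 -extfile "$ext" "$@" \
    -out "$name.crt" 2>/dev/null
}

# make_test_chain DIR: throwaway root -> intermediate -> leaf, merged as in section 2.
make_test_chain() (
  cd "$1" || exit 1
  printf 'basicConstraints=critical,CA:TRUE\n' > ca.ext
  printf 'subjectAltName=DNS:example.test\n' > leaf.ext
  issue root "/CN=Test Root" ca.ext -signkey root.key &&
  issue intermediate_ca "/CN=Test Intermediate" ca.ext \
    -CA root.crt -CAkey root.key -CAcreateserial &&
  issue your_domain "/CN=example.test" leaf.ext \
    -CA intermediate_ca.crt -CAkey intermediate_ca.key -CAcreateserial &&
  cat your_domain.crt intermediate_ca.crt > full_chain.crt
)

# key_matches CERT KEY: x509 reads only the first certificate in CERT, so on a merged
# bundle this also fails when the domain certificate was not placed first.
key_matches() {
  pub=$(openssl x509 -in "$1" -noout -pubkey 2>/dev/null) || return 1
  [ "$pub" = "$(openssl pkey -in "$2" -pubout 2>/dev/null)" ]
}
# chain_complete ROOT CERT [INTERMEDIATES]: can a client trusting ROOT build a path?
chain_complete() {
  openssl verify -CAfile "$1" ${3:+-untrusted "$3"} "$2" >/dev/null 2>&1
}
# host_matches CERT NAME: does the certificate cover NAME?
host_matches() { openssl x509 -in "$1" -noout -checkhost "$2" | grep -q 'does match'; }
# not_expiring CERT SECONDS: false if CERT expires within SECONDS.
not_expiring() { openssl x509 -in "$1" -noout -checkend "$2" >/dev/null; }
report() { label=$1; shift; if "$@"; then echo "ok    $label"; else echo "FAIL  $label"; fi; }
demo() {
  d=$(mktemp -d) && make_test_chain "$d" || return 1
  report "key matches first cert in bundle" key_matches "$d/full_chain.crt" "$d/your_domain.key"
  report "bundle chains to root" chain_complete "$d/root.crt" "$d/full_chain.crt" "$d/full_chain.crt"
  report "leaf alone chains to root (FAIL = incomplete chain)" chain_complete "$d/root.crt" "$d/your_domain.crt"
  report "covers example.test" host_matches "$d/your_domain.crt" example.test
  report "valid for 60 more days (FAIL = renew soon)" not_expiring "$d/your_domain.crt" 5184000
  rm -rf "$d"
}
demo
```

Against real files, call the check functions directly with your own paths and pass the CA's root certificate as ROOT.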

9 Troubleshooting
Browser shows "Not Secure" or no lock icon
Usually caused by an incomplete certificate chain, a domain mismatch, an expired certificate, or mixed content (an HTTPS page referencing HTTP resources). Ensure the certificate chain is complete, the domain matches the certificate, and all resources use HTTPS.
Some users cannot access the site in an SNI scenario
Confirm that both server and client support SNI. For very old systems/browsers, use a dedicated IP or more compatible certificate and protocol sets (e.g., enable RSA and the full chain).
HTTPS enabled but some interfaces still use HTTP
Check whether the reverse proxy or frontend code hardcodes http://, and add a forced redirect and HSTS on the server side (configure HSTS carefully to avoid debugging restrictions).