...

nginx will operate as the SSL/TLS termination endpoint. We will use TLS 1.2 or newer for all connections on all domains wherever clients support it, to improve the security of our scientific web applications.

Certificates

Certificates are stored under /opt/rh/nginx16/root/etc/nginx/certs. Each file there is a unified certificate: our server certificate followed by the Thawte (or other CA) certificate in the same file. You can regenerate it by cat'ing the issued certificate and the CA certificate together, with the server certificate first (nginx presents the first certificate in the file as the server certificate and sends the rest as the chain). Private keys are kept in encrypted form on AFS (please ask the appropriate people for the passphrase). The working, unencrypted copies of the private keys live in /opt/rh/nginx16/root/etc/nginx/private; you must be root to read or write that directory.

Generating a CSR

You must have an unencrypted copy of the private key in order to create a CSR. Once the private key is available, you can generate a new CSR for the cas.slac.stanford.edu certificate with the following command (the -config file supplies the subject and extensions for that host):

openssl req -new -out cas.slac.stanford.edu.csr -key cas.slac.stanford.edu.key -config ~srs/nginx/csr/cas.slac.stanford.edu.conf
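The following script is an added example, not part of this page or of the site's own tooling. It builds a throwaway CA in a scratch directory, creates a server key and a CSR with the same openssl command shape shown above, signs the CSR, and assembles the unified certificate file. It then runs the two checks worth doing before a certificate goes into the certs directory: that the CSR really was generated from the key that will be installed, and that the unified file has the server certificate first and chains to the CA. The host name cas.example.test, the CSR config contents, and all file names are constructed for this example; the site's real ~srs/nginx/csr/<host>.conf is not reproduced here.

```shell
#!/bin/sh
# Added example (not the site's tooling): throwaway CA, server key, CSR,
# signed cert, and unified leaf+CA file, plus the checks done before
# deploying. Host name, config contents and file names are constructed.
set -eu

# Minimal CSR config of the kind the page references as
# ~srs/nginx/csr/<host>.conf; the contents here are assumed, not the site's.
write_csr_conf() {
    host="$1"; out="$2"
    cat > "$out" <<EOF
[ req ]
distinguished_name = dn
prompt = no
req_extensions = ext
[ dn ]
C = US
O = Example Lab
CN = $host
[ ext ]
subjectAltName = DNS:$host
EOF
}

# Generate a test CA, a server key, the CSR (same command shape as the page),
# a CA-signed server cert, and the unified file nginx reads.
make_test_pki() {
    dir="$1"; host="$2"
    openssl genrsa -out "$dir/ca.key" 2048 2>/dev/null
    openssl req -x509 -new -key "$dir/ca.key" -days 1 \
        -subj "/CN=Example Test CA" -out "$dir/ca.crt"
    openssl genrsa -out "$dir/$host.key" 2048 2>/dev/null
    write_csr_conf "$host" "$dir/$host.conf"
    openssl req -new -out "$dir/$host.csr" -key "$dir/$host.key" \
        -config "$dir/$host.conf"
    openssl x509 -req -in "$dir/$host.csr" -CA "$dir/ca.crt" \
        -CAkey "$dir/ca.key" -CAcreateserial -days 1 \
        -out "$dir/$host.crt" 2>/dev/null
    # Unified certificate: server cert first, then the CA cert.
    cat "$dir/$host.crt" "$dir/ca.crt" > "$dir/$host.unified.crt"
}

# Exit 0 if the CSR was made with this private key (public keys match).
# Catches the classic mistake of submitting a CSR from a stale key.
csr_matches_key() {
    csr="$1"; key="$2"
    a=$(openssl req -in "$csr" -noout -pubkey | openssl sha256)
    b=$(openssl pkey -in "$key" -pubout 2>/dev/null | openssl sha256)
    [ "$a" = "$b" ]
}

# Exit 0 if the first cert in the unified file is the server cert for host
# and it verifies against the CA cert. nginx serves the first cert in the
# file as the leaf, so a CA-first ordering is a deployment bug.
unified_ok() {
    unified="$1"; host="$2"; ca="$3"
    subj=$(openssl x509 -in "$unified" -noout -subject)
    case "$subj" in
        *"CN = $host"*|*"CN=$host"*) ;;
        *) return 1 ;;
    esac
    # openssl x509 emits only the first certificate of the file.
    openssl x509 -in "$unified" | openssl verify -CAfile "$ca" >/dev/null 2>&1
}

# Demo run in a scratch directory.
demo() {
    d=$(mktemp -d)
    make_test_pki "$d" cas.example.test
    csr_matches_key "$d/cas.example.test.csr" "$d/cas.example.test.key" \
        && echo "CSR matches installed key"
    unified_ok "$d/cas.example.test.unified.crt" cas.example.test "$d/ca.crt" \
        && echo "unified certificate is leaf-first and chains to the CA"
    rm -rf "$d"
}
```

Run it with `sh script.sh && demo` after sourcing, or call `demo` at the bottom. Against the real key in /opt/rh/nginx16/root/etc/nginx/private, `csr_matches_key` is the check to run right after `openssl req -new ...` and again on the certificate that comes back (compare `openssl x509 -pubkey` instead of `openssl req -pubkey`).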

Tomcat

The nginx section showed a snippet of the reverse-proxy configuration. For SSL termination to work end to end, Tomcat must interpret the headers that nginx sets (the original client address and the original protocol) rather than seeing every request as plain HTTP from the proxy host. This is done with a valve declared in server.xml; Tomcat ships the valve that does it, the RemoteIpValve.
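The fragment below is an added example of the valve declaration, not the site's actual server.xml. It assumes nginx runs on the same host as Tomcat and forwards the client address in X-Forwarded-For and the original scheme in X-Forwarded-Proto (the header names and the loopback-only internalProxies pattern are assumptions for this example). The internalProxies restriction is the security-relevant part: without it, any client that can reach Tomcat directly could send X-Forwarded-Proto: https itself and satisfy a CONFIDENTIAL transport-guarantee, and could forge the client IP that ends up in the access logs.

```xml
<!-- Added example for server.xml (not the site's file). Trust the
     X-Forwarded-* headers only when the request comes from the local
     nginx instance; assumes nginx sets X-Forwarded-For and X-Forwarded-Proto. -->
<Engine name="Catalina" defaultHost="localhost">

  <Valve className="org.apache.catalina.valves.RemoteIpValve"
         internalProxies="127\.0\.0\.1|::1"
         remoteIpHeader="X-Forwarded-For"
         protocolHeader="X-Forwarded-Proto"
         protocolHeaderHttpsValue="https"
         httpServerPort="80"
         httpsServerPort="443" />

  <!-- Host definitions unchanged -->
</Engine>
```

With this in place, request.isSecure() and request.getScheme() report https for requests nginx terminated, so redirects and cookies built from the request URL use https and port 443 instead of the proxy's plain-HTTP connector. If nginx ever moves to another host, extend internalProxies with that host's address; do not loosen it to a broad range.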

...