Install – NGINX

Certificate Installation: NGINX

Needed for this task:

  • PEM encoded certificates (Root, Intermediate(s) and Domain/Device)

Combine (Concatenate) multiple certificates into one file
Combining the certificates into one file can be accomplished in many ways.

Note: Please be aware that the file names used in this article are for example purposes ONLY!

Please modify accordingly to suit your needs based on the type of certificate you have.

If you’re unsure what file names you should be using, then please consult our article:  Which is Root? Which is Intermediate?

  1. If you have the individual certificate files (e.g. AddTrustExternalCARoot.crt):
    • Using the ‘cat’ command (found on Unix and Unix-like Operating Systems):
      • Syntax: cat Device/Entity Cert Intermediates (reverse order) Root >> ssl-bundle.crt
      • Example Syntax: cat www_yourdomain_com.crt ComodoHigh-AssuranceSecureServerCA.crt AddTrustExternalCARoot.crt >> ssl-bundle.crt
    • Using a GUI based text editor.
  2. If you have a .crt and .ca-bundle:
    • Using the ‘cat’ command (found on Unix and Unix-like Operating Systems):
      • Syntax: cat Device/Entity Cert Bundle >> ssl-bundle.crt
      • Example Syntax: cat www_yourdomain_com.crt www_yourdomain_com.ca-bundle >> ssl-bundle.crt
    • Using a GUI based text editor.
      • Copy contents of: ‘www_yourdomain_com.crt’ into ‘www_yourdomain_com.ca-bundle’ on top of the existing text.
      • Save new file as ssl-bundle.crt.

Configure your NGINX Virtual Host

* Move the newly created ssl-bundle.crt to where you’re saving cert files, e.g. /etc/ssl/certs/
* Create/modify your website’s configuration file, which may be located in one of the following:
  * /etc/nginx/sites-available/
  * /usr/local/nginx/sites-available/

* Ensure it has the following:
— Set ‘ssl’ to on.
— Set ‘listen’ to your SSL port; typically 443.
— Set ‘ssl_certificate’ to the location of your newly created ssl-bundle.crt file.
— Set ‘ssl_certificate_key’ to the location of your private key.

* Optionally you can set the following:
— ssl_ciphers ALL:!aNULL:!ADH:!eNULL:!LOW:!EXP:RC4+RSA:+HIGH:+MEDIUM; #Disables all weak ciphers
— ssl_protocols SSLv3 TLSv1; #enables SSLv3/TLSv1, but not SSLv2 which is weak and should no longer be used.

Example of an SSL configured Virtual Host for nginx

server {
    listen 443;
    ssl on;
    ssl_certificate /etc/ssl/certs/ssl-bundle.crt;
    ssl_certificate_key /etc/ssl/private/mysite.key;
    #enables SSLv3/TLSv1, but not SSLv2 which is weak and should no longer be used.
    ssl_protocols SSLv3 TLSv1;
    #Disables all weak ciphers
    ssl_ciphers ALL:!aNULL:!ADH:!eNULL:!LOW:!EXP:RC4+RSA:+HIGH:+MEDIUM;

    server_name mysite.com;
}
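
The protocol and cipher values in the virtual host above date from when SSLv3, TLSv1 and RC4 were still in common use. The shell function below is an added example, not part of the original article: it audits a configuration for those settings, and the names `audit_nginx_tls` and `sample_conf` and the finding messages are assumptions made for illustration.

```shell
#!/bin/sh
# Added example: audit an nginx config (read from stdin) for legacy TLS settings.
# Prints one finding per line; returns 1 if anything was found, 0 if clean.
audit_nginx_tls() {
    rc=0
    conf=$(sed 's/#.*$//')    # drop comments so disabled directives are ignored
    protos=$(printf '%s\n' "$conf" |
        grep -E '^[[:space:]]*ssl_protocols[[:space:]]' || true)
    # Split the ssl_ciphers value into one OpenSSL cipher-string token per line.
    tokens=$(printf '%s\n' "$conf" |
        grep -E '^[[:space:]]*ssl_ciphers[[:space:]]' | tr ' \t:;' '\n\n\n\n' || true)

    if printf '%s\n' "$conf" | grep -Eq '^[[:space:]]*ssl[[:space:]]+on[[:space:]]*;'; then
        echo "ssl on: deprecated in nginx 1.15.0, removed in 1.25.1; use 'listen 443 ssl;'"
        rc=1
    fi
    if printf '%s\n' "$protos" | grep -Eq 'SSLv[23]'; then
        echo "ssl_protocols: SSLv2/SSLv3 enabled (SSLv3 is prohibited by RFC 7568)"
        rc=1
    fi
    if printf '%s\n' "$protos" | grep -Eq 'TLSv1(\.1)?([[:space:];]|$)'; then
        echo "ssl_protocols: TLSv1/TLSv1.1 enabled (deprecated by RFC 8996)"
        rc=1
    fi
    # A token that names RC4 without a leading '!' or '-' selects RC4 suites.
    if printf '%s\n' "$tokens" | grep 'RC4' | grep -Evq '^[!-]'; then
        echo "ssl_ciphers: RC4 selected (RC4 is prohibited in TLS by RFC 7465)"
        rc=1
    fi
    return "$rc"
}

# Sample input: the virtual host from this article, reproduced for the check.
sample_conf() {
    cat <<'EOF'
server {
    listen 443;
    ssl on;
    ssl_certificate /etc/ssl/certs/ssl-bundle.crt;
    ssl_certificate_key /etc/ssl/private/mysite.key;
    ssl_protocols SSLv3 TLSv1;
    ssl_ciphers ALL:!aNULL:!ADH:!eNULL:!LOW:!EXP:RC4+RSA:+HIGH:+MEDIUM;
    server_name mysite.com;
}
EOF
}

sample_conf | audit_nginx_tls || true
```

To audit a real site, feed its file on stdin, for example `audit_nginx_tls < /etc/nginx/sites-available/mysite`, where the file name `mysite` is a placeholder.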
