SSL Certificate Installation in Nginx
If you have not yet created a Certificate Signing Request (CSR) and ordered your certificate, see
OpenSSL CSR Creation for an Nginx Server SSL Certificate.
Nginx Server SSL Certificate Installation
1. Primary certificate and intermediate certificate.
You should have received a your_domain_name.pem file from DigiCert in an email when your certificate was issued. This .pem file contains both your primary certificate and the intermediate certificate. If you have that .pem file, you can skip to step 4.
If you still need to concatenate your primary certificate and your intermediate certificate into a single file, start with step 2.
2. Log in to download your Intermediate (DigiCertCA.crt) and Primary Certificates (your_domain_name.crt) from within your DigiCert Customer Account. Copy them, along with the .key file you generated when you created the CSR, to the directory on your server where you will keep your certificate and key files. Make them readable by root only to increase security.
3. Concatenate the primary certificate and intermediate certificate.
You need to concatenate the primary certificate file (your_domain_name.crt) and the intermediate certificate file (DigiCertCA.crt) into a single pem file by running the following command:
4. Now open your Nginx virtual host file for the website you are securing. If you need your site to be accessible through both secure (https) and non-secure (http) connections, you will need a server module for each type of connection. Make a copy of the existing non-secure server module and paste it below the original. Then add the lines in bold below:
Adjust the file names to match your certificate files:
- ssl_certificate should be your primary certificate combined with the intermediate certificate that you made in the previous step (e.g. your_domain_name.crt).
- ssl_certificate_key should be the key file generated when you created the CSR.
5. Run the following command to restart Nginx:
If your web site is publicly accessible, our SSL Certificate Tester tool can help you diagnose common problems.
Open a web browser and visit your site using https. It is best to test with both Internet Explorer and Firefox, because Firefox will give you a warning if your intermediate certificate is not installed. You should not receive any browser warnings or errors. If you immediately receive a browser message about the site not being available, then Nginx may not yet be listening on port 443. If your web request takes a very long time and then times out, a firewall may be blocking traffic on TCP port 443 to the web server.
If you receive a "not trusted" warning, view the certificate to see if it is the certificate you expect. Check the Subject, Issuer, and Valid To fields. If the certificate is issued by DigiCert, then your primary certificate (your_domain_name.crt) may not be correctly combined with the intermediate certificate.
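One way to build the combined file and catch the "not correctly combined" case described above, as an added example that is not DigiCert's own command. The function names and the output name bundle.pem are assumptions; the demo runs on constructed placeholder files, not real certificates.

```sh
#!/bin/sh
# Added example, not DigiCert's command. The function names and bundle.pem are
# assumptions; your_domain_name.crt and DigiCertCA.crt are the page's file names.

# Succeeds when group and others have no permission bits on the file.
owner_only() {
    [ "$(ls -ld "$1" | cut -c5-10)" = "------" ]
}

# build_bundle PRIMARY INTERMEDIATE OUT: write PRIMARY then INTERMEDIATE to OUT.
build_bundle() {
    for f in "$1" "$2"; do
        grep -q '^-----BEGIN CERTIFICATE-----' "$f" ||
            { echo "$f: no PEM certificate found" >&2; return 1; }
    done
    # umask 077 creates OUT owner-only. awk strips CRs and ends every line with
    # a newline, so a primary file without a final newline cannot fuse its END
    # line with the intermediate's BEGIN line.
    ( umask 077; awk '{ sub(/\r$/, ""); print }' "$1" "$2" > "$3" ) || return 1
    chmod 600 "$3"
}

# check_bundle FILE: at least two intact certificate blocks, owner-only mode.
check_bundle() {
    begins=$(grep -c '^-----BEGIN CERTIFICATE-----$' "$1" || true)
    ends=$(grep -c '^-----END CERTIFICATE-----$' "$1" || true)
    [ "${begins:-0}" -ge 2 ] && [ "$begins" -eq "${ends:-0}" ] && owner_only "$1"
}

# Demo on constructed placeholder files (not real certificates).
demo() {
    d=$(mktemp -d) || return 1
    # Primary lacks a final newline; intermediate has Windows line endings.
    printf '%s\n%s\n%s' '-----BEGIN CERTIFICATE-----' 'PRIMARY' \
        '-----END CERTIFICATE-----' > "$d/your_domain_name.crt"
    printf '%s\r\n%s\r\n%s\r\n' '-----BEGIN CERTIFICATE-----' 'INTERMEDIATE' \
        '-----END CERTIFICATE-----' > "$d/DigiCertCA.crt"
    if build_bundle "$d/your_domain_name.crt" "$d/DigiCertCA.crt" "$d/bundle.pem" &&
        check_bundle "$d/bundle.pem"; then rc=0; else rc=1; fi
    rm -rf "$d"
    return "$rc"
}

if [ "${1:-}" = "demo" ]; then demo; fi
```

The primary certificate is written first because Nginx expects the server certificate before the chained certificates in the combined file. owner_only can also be run against the .key file to confirm it is not readable by group or others.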
For more information, read the Nginx SSL documentation.
Nginx Server Configuration
For information about Nginx server configurations that can strengthen your SSL environment:
Instructions for disabling the SSL v3 protocol.
Information about enabling perfect forward secrecy.