How-to Configure SSL Certificate Chain for Nginx

By | 2013/09/02

nginx handles SSL certificates a little differently from Apache. I’ll show you how it works!


1. First, gather the three typical SSL certificate files, and save those as plain text files.

– private key (name this example.com-2013.key)
– intermediate certificate from your SSL cert vendor (name this intermediate.crt)
– signed SSL certificate from your SSL cert vendor (name this example.com-2013.crt)


2. Next, create a copy of your .crt as .pem.

(Note, the copy is totally optional, but I like to work from a copy and call it .pem since it is then technically a pem bundle.)

$ cp example.com-2013.crt example.com-2013.pem


3. Next, append the intermediate cert to your SSL cert as below. (nginx requires the intermediate cert to be bundled in the same file as the signed SSL cert, with the signed cert first.)

$ cat intermediate.crt >> example.com-2013.pem 


4. Finally, in the nginx server config, point ssl_certificate and ssl_certificate_key at the locations of your .pem and .key files on your server. The Debian default locations are used below:

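server
{

...

   # "ssl on" was made obsolete in nginx 1.15.0; newer configs use "listen 443 ssl;" instead.
   ssl on;
   # Bundle from step 3: signed certificate first, then the intermediate.
   ssl_certificate /etc/ssl/certs/example.com-2013.pem;
   # Private key: keep it readable by root only.
   ssl_certificate_key /etc/ssl/private/example.com-2013.key;
   # TLSv1 and TLSv1.1 have since been deprecated (RFC 8996).
   ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
   ssl_prefer_server_ciphers on;
   # RC4 cipher suites have since been prohibited for TLS (RFC 7465).
   ssl_ciphers ECDHE-RSA-AES128-GCM-SHA256:ECDHE-RSA-RC4-SHA:ECDHE-RSA-AES128-SHA:AES128-SHA:RC4-SHA;
   ssl_session_cache shared:SSL:10m;

   # HSTS: browsers that see this header use HTTPS only for this host for one year.
   add_header Strict-Transport-Security max-age=31536000;

}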

Done!
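
Steps 2 to 4 as a script, added here as an example and not part of the original post: it builds the bundle so that a .crt with no final newline or with Windows line endings cannot corrupt the PEM markers, and it checks that the first certificate in the bundle matches the private key, which nginx requires at startup. The function names and the script name are hypothetical; the key check assumes the openssl command-line tool is installed.

```shell
#!/bin/sh
# Added example: file names follow the article; function names are hypothetical.

# Print only the certificate blocks of FILE, with CRs removed. awk ends every
# line with a newline, so a file lacking a final newline cannot glue its END
# marker onto the next certificate's BEGIN marker.
pem_certs() {
    tr -d '\r' < "$1" | awk '
        /^-----BEGIN CERTIFICATE-----$/ { inside = 1 }
        inside { print }
        /^-----END CERTIFICATE-----$/ { inside = 0 }'
}

# check_bundle FILE COUNT: succeed only if FILE holds exactly COUNT
# well-formed BEGIN/END marker pairs, each marker alone on its line.
check_bundle() {
    begins=$(grep -c '^-----BEGIN CERTIFICATE-----$' "$1" || true)
    ends=$(grep -c '^-----END CERTIFICATE-----$' "$1" || true)
    [ "$begins" -eq "$2" ] && [ "$ends" -eq "$2" ]
}

# build_bundle LEAF INTERMEDIATE OUT: signed certificate first, then the
# intermediate. OUT is only written if the result is well-formed.
build_bundle() {
    { pem_certs "$1" && pem_certs "$2"; } > "$3.tmp" || return 1
    if check_bundle "$3.tmp" 2; then
        mv "$3.tmp" "$3"
    else
        rm -f "$3.tmp"
        return 1
    fi
}

# key_matches_first_cert BUNDLE KEY (needs the openssl CLI): openssl x509 reads
# only the first certificate in the file, the one nginx pairs with the key.
key_matches_first_cert() {
    cert_pub=$(openssl x509 -in "$1" -noout -pubkey) || return 1
    key_pub=$(openssl pkey -in "$2" -pubout) || return 1
    [ "$cert_pub" = "$key_pub" ]
}

# Usage: sh make-bundle.sh example.com-2013.crt intermediate.crt example.com-2013.key example.com-2013.pem
if [ "$#" -eq 4 ]; then
    build_bundle "$1" "$2" "$4" && key_matches_first_cert "$4" "$3" && echo "bundle OK: $4"
fi
```

If the key check fails on an otherwise well-formed bundle, the certificates were most likely concatenated in the wrong order.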