How to Configure Nginx SSL Certificate Chain

An SSL certificate served without its intermediate certificate may cause certificate chain problems on older or mobile browsers. The steps below show you how to create a complete certificate bundle from your existing certificate and how to configure nginx to use it.


Gather SSL Certificate Files

You need the following three SSL certificate files. You can name them as you wish; we use mydomain-2015.xyz in the examples.

  1. Private key: name this file mydomain-2015.key
  2. Intermediate certificate: name this file intermediate.crt (SHA1) or intermediate.pem (SHA2). You can download the intermediate from your SSL certification vendor.
  3. Signed certificate: the signed SSL certificate from your SSL certification vendor. Name this file mydomain-2015.crt

Copy Your Certificate

The copy is optional and you can work directly with your certificate. We just like to keep the certificate as is and work with the copy instead. Concretely, the certificate will be a bundle and we name the copy mydomain-2015.pem.

cp mydomain-2015.crt mydomain-2015.pem  

Add the Intermediate Certificate to your SSL Certificate

This step concatenates the intermediate certificate with your signed SSL certificate. The certificates have to be in the correct order: your signed SSL certificate first, then the intermediate.

cat intermediate.crt >> mydomain-2015.pem  

This command appends the content of intermediate.crt to mydomain-2015.pem, which turns the copy into the PEM bundle described above.

Nginx Configuration

You need to specify the newly created mydomain-2015.pem bundle file as your SSL certificate in nginx.

server {
    …
    # Bundle: signed certificate first, then the intermediate
    ssl_certificate /etc/nginx/ssl/mydomain-2015.pem;
    ssl_certificate_key /etc/nginx/ssl/private/mydomain-2015.key;

    ssl_prefer_server_ciphers on;
    # TLSv1 and TLSv1.1 are deprecated (RFC 8996); keep them only if legacy clients need them
    ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
    ssl_ciphers ECDH+AESGCM:DH+AESGCM:ECDH+AES256:DH+AES256:ECDH+AES128:DH+AES:ECDH+3DES:DH+3DES:RSA+AESGCM:RSA+AES:RSA+3DES:!aNULL:!MD5:!DSS;

    …
}

The important parts are ssl_certificate and ssl_certificate_key. Specify the correct path to your certificate bundle and key file.

Restart nginx once your configuration is complete to push your changes into production.
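
A check worth running on the bundle before the restart, added here as an example and not part of the original tutorial: it builds mydomain-2015.pem so that a missing final newline in the signed certificate cannot fuse the PEM markers, then confirms that the signed certificate comes first, matches the private key, and is followed by its issuer. The function names are illustrative, and check_order assumes openssl is installed and the key is unencrypted.

```shell
#!/bin/sh
# Added example; function names are illustrative, not from the tutorial.

# nth_cert BUNDLE N: print the N-th PEM certificate block of BUNDLE.
nth_cert() {
    awk -v n="$2" '/^-----BEGIN CERTIFICATE-----$/ { i++ } i == n' "$1"
}

# build_bundle SIGNED INTERMEDIATE OUT: signed certificate first, then the
# intermediate. Unlike a plain "cat >>", it strips trailing whitespace (CRs
# included) and blank lines and newline-terminates every line, so the END
# and BEGIN markers of adjacent certificates are never fused on one line.
build_bundle() {
    for f in "$1" "$2"; do
        sed 's/[[:space:]]*$//' "$f" | awk 'NF'
    done > "$3"
}

# check_structure BUNDLE: succeed only if BUNDLE holds at least two
# certificates and every BEGIN/END marker stands alone on its line.
check_structure() {
    awk '/^-----BEGIN CERTIFICATE-----$/ { b++; next }
         /^-----END CERTIFICATE-----$/   { e++; next }
         /-----/                         { bad = 1 }
         END { exit !(!bad && b >= 2 && b == e) }' "$1"
}

# check_order BUNDLE KEY (needs openssl and an unencrypted key): the first
# certificate must match KEY, and each certificate's issuer name must equal
# the subject name of the next one. Names only; signatures are not verified.
check_order() {
    cert_pub=$(nth_cert "$1" 1 | openssl x509 -pubkey -noout) || return 1
    key_pub=$(openssl pkey -in "$2" -pubout) || return 1
    [ "$cert_pub" = "$key_pub" ] || { echo "first cert does not match key" >&2; return 1; }
    n=$(awk '/^-----BEGIN CERTIFICATE-----$/ { c++ } END { print c + 0 }' "$1")
    i=1
    while [ "$i" -lt "$n" ]; do
        issuer=$(nth_cert "$1" "$i" | openssl x509 -noout -issuer_hash) || return 1
        subject=$(nth_cert "$1" $((i + 1)) | openssl x509 -noout -subject_hash) || return 1
        [ "$issuer" = "$subject" ] || { echo "cert $i not issued by cert $((i + 1))" >&2; return 1; }
        i=$((i + 1))
    done
}
```

With the tutorial's file names: build_bundle mydomain-2015.crt intermediate.crt mydomain-2015.pem, then check_structure mydomain-2015.pem and check_order mydomain-2015.pem mydomain-2015.key.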

That’s it. Visit your website and the https part should be highlighted green in Google Chrome. Other browsers just display a lock icon to indicate your secure connection.
