Using SSL certificates may cause problems with the certificate chain on older or mobile browsers. The steps below show you how to create a complete certificate from your existing one and how to configure nginx.
Gather SSL Certificate Files
You need the following three SSL certificate files. You can name them as you wish; we use mydomain-2015.xyz to illustrate the examples.
- Private key: name this file mydomain-2015.key
- Intermediate certificate: name this file intermediate.crt (SHA1) or intermediate.pem (SHA2). You can download the intermediate from your SSL certification vendor.
- Signed certificate: the signed SSL certificate from your SSL certification vendor. Name this file mydomain-2015.crt
Copy Your Certificate
The copy is optional and you can work directly with your certificate. We just like to keep the certificate as is and work with the copy instead. Concretely, the certificate will be a bundle and we name the copy mydomain-2015.pem.
cp mydomain-2015.crt mydomain-2015.pem
Add the Intermediate Certificate to your SSL Certificate
This step concatenates the intermediate certificate with your signed SSL certificate. The certificates have to be in the correct order: your signed SSL certificate first, then the intermediate.
cat intermediate.crt >> mydomain-2015.pem
This command appends the content of intermediate.crt to mydomain-2015.pem and creates the PEM bundle described above.
Nginx Configuration
You need to specify the newly created mydomain-2015.pem bundle file as your SSL certificate in nginx.
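server {
    …
    # Certificate bundle: signed certificate first, then the intermediate
    ssl_certificate /etc/nginx/ssl/mydomain-2015.pem;
    ssl_certificate_key /etc/nginx/ssl/private/mydomain-2015.key;
    ssl_prefer_server_ciphers on;
    # TLSv1 and TLSv1.1 are deprecated (RFC 8996); list them only if legacy clients still need them
    ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
    ssl_ciphers ECDH+AESGCM:DH+AESGCM:ECDH+AES256:DH+AES256:ECDH+AES128:DH+AES:ECDH+3DES:DH+3DES:RSA+AESGCM:RSA+AES:RSA+3DES:!aNULL:!MD5:!DSS;
    …
}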
The important parts are ssl_certificate and ssl_certificate_key. Specify the correct path to your certificate bundle and key file.
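Before restarting, it is worth confirming that the bundle really has the signed certificate first and that the private key belongs to it. The function below is an added example, not part of the original article; the name check_bundle is hypothetical and it assumes the openssl command-line tool is installed.

```shell
# Added example: check an nginx certificate bundle before restarting nginx.
# Usage: check_bundle <bundle.pem> <private.key>   (returns 0 if OK, 1 if not)
check_bundle() {
    bundle=$1
    key=$2
    tmp=$(mktemp -d) || return 2
    rc=0

    # Split the bundle into one file per certificate, preserving file order.
    awk -v dir="$tmp" '
        /-----BEGIN CERTIFICATE-----/ { n++ }
        n { print > (dir "/cert" n ".pem") }
    ' "$bundle"

    if [ ! -s "$tmp/cert2.pem" ]; then
        echo "FAIL: expected signed certificate plus intermediate in $bundle" >&2
        rc=1
    else
        # Order check (by name, not a signature verification): the issuer of
        # the first certificate must equal the subject of the second.
        issuer=$(openssl x509 -in "$tmp/cert1.pem" -noout -issuer | sed 's/^issuer= *//')
        subject=$(openssl x509 -in "$tmp/cert2.pem" -noout -subject | sed 's/^subject= *//')
        if [ -z "$issuer" ] || [ "$issuer" != "$subject" ]; then
            echo "FAIL: first certificate is not issued by the second (wrong order?)" >&2
            rc=1
        fi

        # Key check: the private key must match the first certificate.
        cert_pub=$(openssl x509 -in "$tmp/cert1.pem" -noout -pubkey)
        key_pub=$(openssl pkey -in "$key" -pubout 2>/dev/null)
        if [ -z "$key_pub" ] || [ "$cert_pub" != "$key_pub" ]; then
            echo "FAIL: private key does not match the first certificate" >&2
            rc=1
        fi
    fi

    rm -rf "$tmp"
    [ "$rc" -eq 0 ] && echo "OK: $bundle is ordered correctly and matches $key"
    return "$rc"
}
```

Call it as check_bundle mydomain-2015.pem mydomain-2015.key; a failure on the order check also catches a bundle where the two certificates ran together without a line break between them.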
Restart nginx once your configuration is complete to push your changes into production.
That’s it. Visit your website and the https part should be highlighted green in Google Chrome. Other browsers just display a lock icon to indicate your secure connection.