How to install an SSL certificate on an NGINX server

  SSL Installation instructions

After your Certificate is issued by the Certificate Authority, you’re ready to begin installation on your NGINX server. Follow these steps:

Step 1: Combine Certificates Into One File

The Certificate Authority will email you a zip archive with several .crt files. You need to combine the Certificate issued for your domain with the intermediate and root Certificates into one file.

The order of Certificates in the file is important. The Certificate for your domain name must come first, followed by the intermediate Certificates, and the root Certificate must be last in the chain.
You can combine the files manually by copying and pasting the corresponding Certificates into a single file, or you can use the following commands if the Certificate files were uploaded to the server:

1) If you received and uploaded the intermediate and root Certificates separately

Run this command:

cat your_domain.crt intermediate.crt root.crt >> ssl-bundle.crt

For example, this would be the command for a PositiveSSL Certificate:

cat example_com.crt COMODORSADomainValidationSecureServerCA.crt COMODORSAAddTrustCA.crt AddTrustExternalCARoot.crt >> ssl-bundle.crt

2) If you received the intermediate Certificates in one bundle file, or downloaded the Certificate files from your SSLs.com Account

Run this command:

cat your_domain.crt your_domain.ca-bundle >> ssl-bundle.crt

Place the created file into the directory with the SSL certificates on your NGINX server.
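The shell functions below are an added example, not part of the original instructions. build_bundle writes the files in the order described above and replaces any existing bundle, and check_bundle rejects a bundle whose PEM markers are fused on one line or whose Certificates repeat, which is what happens when the cat >> commands are run twice. The function names are assumptions of this example, and the checks cover PEM structure only, not the trust chain or the Private Key.

```shell
#!/bin/sh
# Added example: file names are whatever you pass in (the guide's placeholders).

# check_bundle FILE: succeed only if FILE is a structurally clean PEM chain.
# Catches two results of careless concatenation: markers fused on one line
# (a .crt without a final newline) and repeated certificates (cat >> run twice).
check_bundle() {
    awk '
        BEGIN { B = "-----BEGIN CERTIFICATE-----"; E = "-----END CERTIFICATE-----" }
        { sub(/\r$/, "") }                       # tolerate CRLF files
        /CERTIFICATE-----/ && $0 != B && $0 != E {
            print "line " NR ": malformed PEM marker" > "/dev/stderr"; bad = 1 }
        $0 == B { if (inside) bad = 1; inside = 1; body = ""; next }
        $0 == E {
            n++
            if (!inside || body == "") bad = 1
            else if (seen[body]++) {
                print "certificate " n " repeats an earlier one" > "/dev/stderr"; bad = 1 }
            inside = 0; next }
        inside { body = body $0 }
        END { if (inside || n == 0) bad = 1; exit bad + 0 }
    ' "$1"
}

# build_bundle OUT LEAF CHAIN...: write LEAF, then each CHAIN file, to OUT.
# Unlike cat >>, it replaces an existing OUT, and awk print ends every line
# with a newline, so adjacent files can never fuse.
build_bundle() {
    out=$1; shift
    tmp="$out.tmp.$$"
    for f in "$@"; do
        [ -r "$f" ] || { echo "cannot read $f" >&2; return 1; }
    done
    for f in "$@"; do awk '{ sub(/\r$/, ""); print }' "$f"; done > "$tmp" || return 1
    if check_bundle "$tmp"; then mv "$tmp" "$out"; else rm -f "$tmp"; return 1; fi
}
```

Source the file and call it with the output name first, for example: build_bundle ssl-bundle.crt your_domain.crt your_domain.ca-bundle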

Step 2: Edit NGINX Configuration File

After the Certificate is uploaded, you need to modify your NGINX configuration file (by default it is called nginx.conf).

Then edit or add a Virtual Host (server block) for port 443 for your website. If there’s no Virtual Host for port 443, you can duplicate the record for port 80 (it should be in the configuration file by default) and change port 80 to port 443. Simply add it below the non-secure block.

You will then need to add these specific lines to the record:

listen 443 ssl; (the ssl parameter enables SSL on this port; it replaces the older "ssl on;" directive, which was made obsolete in NGINX 1.15.0 and removed in later releases)

ssl_certificate (should point to the location of the created Certificate file)

ssl_certificate_key (should point to the location of the Private Key generated along with the CSR that was used during Certificate activation)

The completed Virtual Host should look like this:

server {
    listen 443 ssl;

    # Bundle created in Step 1 and the matching Private Key
    ssl_certificate /etc/ssl/ssl-bundle.crt;
    ssl_certificate_key /etc/ssl/ssl-tutorials.key;

    server_name ssl-tutorials.com;

    access_log /var/log/nginx/nginx.vhost.access.log;
    error_log /var/log/nginx/nginx.vhost.error.log;

    location / {
        root /var/www/;
        index index.html;
    }
}

Note: OCSP Stapling can be configured on NGINX starting from version 1.3.7.

If you want to configure OCSP Stapling on your server, add the following lines to the Virtual Host section for the website:

ssl_stapling on;
ssl_stapling_verify on;

After the modifications are saved, restart the NGINX server with one of the following commands to apply your changes:

service nginx restart

OR

sudo systemctl restart nginx

OR

/etc/init.d/nginx restart