Certificate Installation: NGINX

Needed for this task:

  • PEM encoded certificates (Root, Intermediate(s) and Domain/Device)

Combine (Concatenate) multiple certificates into one file
Combining the certificates into one file can be accomplished in many ways.

Note: Please be aware that the file names used in this article are for EXAMPLE PURPOSES ONLY! Modify them to suit your needs based on the type and/or product name of the certificate you have. If you're unsure which file names you have or should be using, please consult our article: Which is Root? Which is Intermediate?

  • If you have the individual certificate files (e.g. AddTrustExternalCARoot.crt):
    • Using the 'cat' command (found on Unix and Unix-like operating systems):
      • Syntax: cat <Device/Entity cert> <Intermediate(s), in reverse order: the one that issued the device cert first> <Root> > ssl-bundle.crt
      • Example Syntax: cat www_yourdomain_com.crt ComodoHigh-AssuranceSecureServerCA.crt AddTrustExternalCARoot.crt > ssl-bundle.crt

  • If you have a .crt and a .ca-bundle:
    • Using the 'cat' command (found on Unix and Unix-like operating systems):
      • Syntax: cat <Device/Entity cert> <Bundle> > ssl-bundle.crt
      • Example Syntax: cat www_yourdomain_com.crt www_yourdomain_com.ca-bundle > ssl-bundle.crt

  • Using a GUI-based text editor:
    • Paste the contents of 'www_yourdomain_com.crt' at the top of 'www_yourdomain_com.ca-bundle', above the existing text.
    • Save the new file as ssl-bundle.crt.

Note: The order matters. nginx treats the first certificate in the file as the server's own certificate, so the Device/Entity certificate must come first, followed by the chain leading up to the root.

Configure your nginx Virtual Host

  • Move the newly created ssl-bundle.crt to wherever you keep certificate files, e.g. /etc/ssl/certs/
  • Create or modify your site's configuration file, which is usually located in one of the following:
    • /etc/nginx/sites-available/
    • /usr/local/nginx/sites-available/

  • Ensure it has the following:
    -- Set 'ssl' to on. (The 'ssl' directive is deprecated since nginx 1.15.0 and removed in 1.25.1; on those versions use 'listen 443 ssl;' instead.)
    -- Set 'listen' to your SSL port; typically 443.
    -- Set 'ssl_certificate' to the location of your newly created ssl-bundle.crt file.
    -- Set 'ssl_certificate_key' to the location of your private key.

  • Optionally you can set the following:
    -- ssl_ciphers "ECDHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA256:ECDHE-RSA-AES256-SHA:ECDHE-RSA-AES128-SHA:DHE-RSA-AES256-SHA256:DHE-RSA-AES128-SHA256:DHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA:ECDHE-RSA-DES-CBC3-SHA:EDH-RSA-DES-CBC3-SHA:AES256-GCM-SHA384:AES128-GCM-SHA256:AES256-SHA256:AES128-SHA256:AES256-SHA:AES128-SHA:DES-CBC3-SHA:HIGH:!aNULL:!eNULL:!EXPORT:!DES:!MD5:!PSK:!RC4"; # Disables all weak ciphers
    -- ssl_protocols TLSv1 TLSv1.1 TLSv1.2; # Enables TLSv1.0, 1.1 and 1.2 but not SSLv2 or SSLv3, as both are weak and deprecated.
    -- ssl_prefer_server_ciphers on; # Specifies that the server's cipher order is preferred over the client's (e.g. browser's) when negotiating SSL/TLS.

Example of an SSL configured Virtual Host for nginx

server {
    listen 443;
    server_name mysite.com;

    # 'ssl on' is deprecated since nginx 1.15.0 and removed in 1.25.1;
    # on those versions drop this line and use 'listen 443 ssl;' instead.
    ssl on;
    # The bundle: server certificate first, then intermediate(s), then root.
    ssl_certificate /etc/ssl/certs/ssl-bundle.crt;
    # The private key matching the first certificate in the bundle; keep it readable by root only.
    ssl_certificate_key /etc/ssl/private/mysite.key;

    # Enables all versions of TLS, but not SSLv2 or SSLv3, which are weak and now deprecated.
    # (TLSv1 and TLSv1.1 have since been deprecated as well, by RFC 8996;
    # current nginx/OpenSSL builds should use "TLSv1.2 TLSv1.3".)
    ssl_protocols TLSv1 TLSv1.1 TLSv1.2;

    # Disables all weak ciphers
    ssl_ciphers "ECDHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA256:ECDHE-RSA-AES256-SHA:ECDHE-RSA-AES128-SHA:DHE-RSA-AES256-SHA256:DHE-RSA-AES128-SHA256:DHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA:ECDHE-RSA-DES-CBC3-SHA:EDH-RSA-DES-CBC3-SHA:AES256-GCM-SHA384:AES128-GCM-SHA256:AES256-SHA256:AES128-SHA256:AES256-SHA:AES128-SHA:DES-CBC3-SHA:HIGH:!aNULL:!eNULL:!EXPORT:!DES:!MD5:!PSK:!RC4";

    # Use the server's cipher preference order rather than the client's.
    ssl_prefer_server_ciphers on;
}
