https://gist.github.com/junxy/2464633f27345fbe6a98
# if your pfx file is yourdomain.com.pfx
# split the name up so you can have a descriptive
# cert and key name
OUT=yourdomain.com
PFX=.pfx
# create pem format certs from pfx files
# and a decrypted key
openssl pkcs12 -in "${OUT}${PFX}" -nocerts -out "${OUT}.key"
# you will be prompted for the pfx password, then asked to set a PEM pass phrase for the exported key...
# create an unencrypted file so you can restart nginx without entering
# a passphrase each time
openssl rsa -in "${OUT}.key" -out "${OUT}-decrypted.key"
openssl pkcs12 -in "${OUT}${PFX}" -clcerts -nokeys -out "${OUT}.cert"
# you need to download the chain of certificates and combine them in the right order (your ssl cert, intermediate then root cert)
cat yourdomain.com.cert \
globalsignintermediate.crt \
globalsignr3root.crt > yourdomain.com-bundle.crt
mkdir -p /etc/nginx/ssl
chmod 700 /etc/nginx/ssl
cp yourdomain.com-decrypted.key /etc/nginx/ssl
cp yourdomain.com-bundle.crt /etc/nginx/ssl
# make sure only root can read or access the certs/keys
chmod 600 /etc/nginx/ssl/*
The ssl_certificate and ssl_certificate_key directives give the paths to the certs and keys, relative to your /etc/nginx/nginx.conf file
server {
    listen 443 ssl;
    server_name yourdomain.com;
    ssl_certificate ssl/yourdomain.com-bundle.crt;
    # must point at the decrypted key copied to /etc/nginx/ssl above
    ssl_certificate_key ssl/yourdomain.com-decrypted.key;
    # ... rest of config
}
It's a good idea to do a syntax check before restarting the nginx server
$ nginx -t
nginx: the configuration file /etc/nginx/nginx.conf syntax is ok
nginx: configuration file /etc/nginx/nginx.conf test is successful
service nginx restart
or
systemctl restart nginx
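An added example, not part of the original gist: before restarting nginx, these shell functions check that the decrypted key belongs to the first certificate in the bundle, that the bundle runs leaf, intermediate, root, and that the key file is closed to group and others. The function names and the file paths passed in are assumptions of this example; only the openssl CLI is required.

```shell
#!/bin/sh
# Added example (not from the gist): checks to run on the split-out files
# before `nginx -t`. Function names are hypothetical; requires the openssl CLI.

# 0 if the private key belongs to the FIRST certificate in the file, 1 if it
# does not, 2 if either file cannot be read. "-passin pass:" supplies an empty
# passphrase, so a key that is still encrypted fails here instead of prompting.
key_matches_cert() (
    from_key=$(openssl pkey -in "$1" -passin pass: -pubout 2>/dev/null) || exit 2
    from_cert=$(openssl x509 -in "$2" -noout -pubkey 2>/dev/null) || exit 2
    [ "$from_key" = "$from_cert" ]
)

# 0 if every certificate in the bundle is followed by its issuer (leaf,
# intermediate, root), 1 if the order is wrong, 2 if nothing could be parsed.
# Compares subject/issuer names only; it does not verify signatures.
bundle_order_ok() (
    tmp=$(mktemp -d) || exit 2
    trap 'rm -rf "$tmp"' EXIT
    # Split the bundle into one numbered file per certificate.
    awk -v d="$tmp" '/-----BEGIN CERTIFICATE-----/ { n++; f = sprintf("%s/%03d.pem", d, n) }
                     n { print > f }' "$1"
    [ -e "$tmp/001.pem" ] || exit 2
    expected=""
    for pem in "$tmp"/*.pem; do
        subject=$(openssl x509 -in "$pem" -noout -subject_hash) || exit 2
        [ -z "$expected" ] || [ "$subject" = "$expected" ] || exit 1
        expected=$(openssl x509 -in "$pem" -noout -issuer_hash) || exit 2
    done
    exit 0
)

# 0 if the key file grants nothing to group or others (mode 600 or stricter).
key_is_private() (
    [ "$(ls -ld "$1" | cut -c5-10)" = "------" ]
)

# Stand-alone use: sh check.sh KEY BUNDLE
if [ "$#" -eq 2 ]; then
    key_matches_cert "$1" "$2" || { echo "key does not match first cert" >&2; exit 1; }
    bundle_order_ok "$2"       || { echo "bundle is out of order" >&2; exit 1; }
    key_is_private "$1"        || { echo "key is readable by group/others" >&2; exit 1; }
    echo "key, bundle order and key permissions look right"
fi
```

Run it against the files in /etc/nginx/ssl after the copy step; a mismatch here is the same mistake nginx would otherwise report only at restart.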