Nginx Certificate Installation from PFX File

Written by James McDonald

June 28, 2019

https://gist.github.com/junxy/2464633f27345fbe6a98

# if your pfx file is yourdomain.com.pfx
# split the name up so you can have a descriptive
# cert and key name

OUT=yourdomain.com
PFX=.pfx

# create PEM format certs from the PFX file
# and a decrypted key

openssl pkcs12 -in ${OUT}${PFX} -nocerts -out ${OUT}.key
# you will be prompted for the pfx password...

# create an unencrypted file so you can restart nginx without entering
# a passphrase each time
openssl rsa -in ${OUT}.key -out ${OUT}-decrypted.key

openssl pkcs12 -in ${OUT}${PFX} -clcerts -nokeys -out ${OUT}.cert
# you need to download the chain of certificates and combine them in the right order (your ssl cert, intermediate then root cert)

cat yourdomain.com.cert \
globalsignintermediate.crt \
globalsignr3root.crt > yourdomain.com-bundle.crt

mkdir /etc/nginx/ssl
chmod 700 /etc/nginx/ssl

cp yourdomain.com-decrypted.key /etc/nginx/ssl
cp yourdomain.com-bundle.crt /etc/nginx/ssl

# make sure only root can read or access the certs/keys
chmod 600 /etc/nginx/ssl/*

The ssl_certificate and ssl_certificate_key directives list the path to the cert bundle and key relative to your /etc/nginx/nginx.conf file

server {
    listen 443 ssl;
    server_name yourdomain.com;
    ssl_certificate      ssl/yourdomain.com-bundle.crt;
    ssl_certificate_key  ssl/yourdomain.com-decrypted.key;
    # ... rest of config
}

It’s a good idea to do a syntax check before restarting the nginx server

$ nginx -t
nginx: the configuration file /etc/nginx/nginx.conf syntax is ok
nginx: configuration file /etc/nginx/nginx.conf test is successful
service nginx restart
or
systemctl restart nginx
