https://gist.github.com/junxy/2464633f27345fbe6a98
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32 33 34 35 | # if your pfx file is yourdomain.com.pfx# split the name up so you can have a descriptive# cert and key nameOUT=yourdomain.comPFX=.pfx# create pem fromat certs from pfx fiiles# and a decrypted keyopenssl pkcs12 -in ${OUT}${PFX} -nocerts -out ${OUT}.key# you will prompted for the pfx password... # create an unencrypted file so you can restart nginx without entering# a passphrase each timeopenssl rsa -in ${OUT}.key -out ${OUT}-decrypted.keyopenssl pkcs12 -in ${OUT}${PFX} -clcerts -nokeys -out ${OUT}.cert# you need to download the chain of certificates and combine them in the right order (your ssl cert, intermediate then root cert)cat yourdomain.com.cert \globalsignintermediate.crt \globalsignr3root.crt > yourdomain.com-bundle.crtmkdir /etc/nginx/sslchmod 700 /etc/nginx/sslcp yourdomain.com-decrypted.key /etc/nginx/sslcp yourdomain.com-bundle.crt /etc/nginx/ssl# make sure only root can read or access the certs/keyschmod 600 /etc/nginx/ssl/* |
The ssl_certficate and ssl_certificate_key list the path to the certs and keys relative to your /etc/nginx/nginx.conf file
1 2 3 4 5 6 7 | server { listen 443 ssl; server_name yourdomain.com; ssl_certificate ssl/yourdomain.com-bundle.crt; ssl_certificate_key ssl/yourdomain.com-decrypted.crt; # ... rest of config} |
It's a good idea to do a syntax check before restarting the nginx server
1 2 3 | $ nginx -tnginx: the configuration file /etc/nginx/nginx.conf syntax is oknginx: configuration file /etc/nginx/nginx.conf test is successful |
1 2 3 | service restart nginx orsystemctl restart nginx |
0 Comments