Nginx Certificate Installation from PFX File

Written by James McDonald

June 28, 2019

# if your pfx file is
# split the name up so you can have a descriptive
# cert and key name

# create pem format certs from pfx files
# and a decrypted key

openssl pkcs12 -in ${OUT}${PFX} -nocerts -out ${OUT}.key
# you will be prompted for the pfx password...

# create an unencrypted file so you can restart nginx without entering
# a passphrase each time
openssl rsa -in ${OUT}.key -out ${OUT}-decrypted.key

openssl pkcs12 -in ${OUT}${PFX} -clcerts -nokeys -out ${OUT}.cert

# you need to download the chain of certificates and combine them in the right order (your ssl cert, intermediate then root cert)

cat \
globalsignintermediate.crt \
globalsignr3root.crt >

mkdir /etc/nginx/ssl
chmod 700 /etc/nginx/ssl

cp /etc/nginx/ssl
cp /etc/nginx/ssl

# make sure only root can read or access the certs/keys
chmod 600 /etc/nginx/ssl/*

The ssl_certificate and ssl_certificate_key directives give the paths to the certificate and key, relative to the directory containing your /etc/nginx/nginx.conf file

server {
    listen 443 ssl;
    ssl_certificate      ssl/;
    ssl_certificate_key  ssl/;
    # ... rest of config
}

It’s a good idea to do a syntax check before restarting the nginx server

$ nginx -t
nginx: the configuration file /etc/nginx/nginx.conf syntax is ok
nginx: configuration file /etc/nginx/nginx.conf test is successful
# restart nginx with whichever service manager the host uses
service nginx restart
# or
systemctl restart nginx
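
An added check, not part of the original post: before restarting nginx, confirm that the extracted certificate and the decrypted key carry the same public key and that the key file is readable only by its owner. The function names, exit codes and the throwaway `--demo` pair are this example's own; the `.cert` and `-decrypted.key` suffixes follow the commands above.

```shell
#!/bin/sh
# Added example: sanity-check a cert/key pair extracted from a PFX.
# Function names and exit codes are hypothetical, not from the original post.

# check_pair CERT KEY
# returns 0 = ok, 1 = cert unreadable, 2 = key unreadable or still encrypted,
#         3 = key does not belong to cert, 4 = key readable by group/other
check_pair() {
    cert_pub=$(openssl x509 -in "$1" -noout -pubkey 2>/dev/null) || return 1
    # an empty -passin makes a still-encrypted key fail here instead of prompting
    key_pub=$(openssl pkey -in "$2" -passin pass: -pubout 2>/dev/null </dev/null) || return 2
    [ -n "$cert_pub" ] || return 1
    [ -n "$key_pub" ] || return 2
    # both commands emit the same PEM public key when the pair matches
    [ "$cert_pub" = "$key_pub" ] || return 3
    # characters 5-10 of the ls mode string are the group and other bits
    mode=$(ls -ld "$2" | cut -c5-10)
    [ "$mode" = "------" ] || return 4
    return 0
}

# make_pair DIR NAME: constructed sample input, a throwaway self-signed
# certificate and unencrypted key named like the files produced above
make_pair() {
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=$2.invalid" \
        -keyout "$1/$2-decrypted.key" -out "$1/$2.cert" 2>/dev/null &&
        chmod 600 "$1/$2-decrypted.key"
}

# sh check_pair.sh --demo : run the check on a matching and a mismatched pair
if [ "${1:-}" = "--demo" ]; then
    d=$(mktemp -d) && trap 'rm -rf "$d"' EXIT
    make_pair "$d" a && make_pair "$d" b
    for k in a b; do
        rc=0
        check_pair "$d/a.cert" "$d/$k-decrypted.key" || rc=$?
        echo "a.cert + $k-decrypted.key -> $rc"
    done
fi
```

A non-zero result from `check_pair` on the files copied into /etc/nginx/ssl is worth resolving before the restart.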

