Nginx Certificate Installation from PFX File

by Jun 28, 2019IT Tips0 comments

https://gist.github.com/junxy/2464633f27345fbe6a98

# if your pfx file is yourdomain.com.pfx
# split the name up so you can have a descriptive
# cert and key name

OUT=yourdomain.com
PFX=.pfx

# create pem fromat certs from pfx fiiles
# and a decrypted key

openssl pkcs12 -in ${OUT}${PFX} -nocerts -out ${OUT}.key
# you will prompted for the pfx password... 

# create an unencrypted file so you can restart nginx without entering
# a passphrase each time
openssl rsa -in ${OUT}.key -out ${OUT}-decrypted.key

openssl pkcs12 -in ${OUT}${PFX} -clcerts -nokeys -out ${OUT}.cert



# you need to download the chain of certificates and combine them in the right order (your ssl cert, intermediate then root cert)

cat yourdomain.com.cert \
globalsignintermediate.crt \
globalsignr3root.crt > yourdomain.com-bundle.crt

mkdir /etc/nginx/ssl
chmod 700 /etc/nginx/ssl

cp yourdomain.com-decrypted.key /etc/nginx/ssl
cp yourdomain.com-bundle.crt /etc/nginx/ssl

# make sure only root can read or access the certs/keys
chmod 600 /etc/nginx/ssl/*

The ssl_certficate and ssl_certificate_key list the path to the certs and keys relative to your /etc/nginx/nginx.conf file

server {
    listen 443 ssl;
    server_name yourdomain.com;
    ssl_certificate      ssl/yourdomain.com-bundle.crt;
    ssl_certificate_key  ssl/yourdomain.com-decrypted.crt;
    # ... rest of config
}

It's a good idea to do a syntax check before restarting the nginx server

$ nginx -t
nginx: the configuration file /etc/nginx/nginx.conf syntax is ok
nginx: configuration file /etc/nginx/nginx.conf test is successful

service restart nginx 
or
systemctl restart nginx

0 Comments

Submit a Comment

Your email address will not be published. Required fields are marked *

This site is protected by reCAPTCHA and the Google Privacy Policy and Terms of Service apply.

The reCAPTCHA verification period has expired. Please reload the page.