Written by James McDonald

June 28, 2019


# if your pfx file is yourdomain.com.pfx
# split the name up so you can have a descriptive
# cert and key name
OUT=yourdomain.com
PFX=.pfx

# create pem format certs from pfx files
# and a decrypted key

openssl pkcs12 -in ${OUT}${PFX} -nocerts -out ${OUT}.key
# you will be prompted for the pfx password, then for a PEM pass phrase
# that protects the exported key

# create an unencrypted file so you can restart nginx without entering
# a passphrase each time
openssl rsa -in ${OUT}.key -out ${OUT}-decrypted.key

openssl pkcs12 -in ${OUT}${PFX} -clcerts -nokeys -out ${OUT}.cert

# you need to download the chain of certificates and combine them in the right order (your ssl cert, intermediate then root cert)

cat yourdomain.com.cert \
globalsignintermediate.crt \
globalsignr3root.crt > yourdomain.com-bundle.crt

mkdir /etc/nginx/ssl
chmod 700 /etc/nginx/ssl

cp yourdomain.com-decrypted.key /etc/nginx/ssl
cp yourdomain.com-bundle.crt /etc/nginx/ssl

# make sure only root can read or access the certs/keys
chmod 600 /etc/nginx/ssl/*

The ssl_certificate and ssl_certificate_key directives list the paths to the certs and keys relative to your /etc/nginx/nginx.conf file:

server {
    listen 443 ssl;
    server_name yourdomain.com;
    ssl_certificate      ssl/yourdomain.com-bundle.crt;
    ssl_certificate_key  ssl/yourdomain.com-decrypted.key;
    # ... rest of config
}

It’s a good idea to do a syntax check before restarting the nginx server

$ nginx -t
nginx: the configuration file /etc/nginx/nginx.conf syntax is ok
nginx: configuration file /etc/nginx/nginx.conf test is successful
$ service nginx restart
# or, on systemd systems:
$ systemctl restart nginx
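
The files copied into /etc/nginx/ssl can also be checked directly before the restart. The script below is an added example, not part of the original post: the function names are made up for illustration, and the paths in the usage comment assume the file names used above.

```shell
#!/usr/bin/env bash
# Pre-restart checks for the deployed key and bundle (added example).

# nginx cannot prompt for a passphrase at boot: deploy the decrypted key only.
key_is_unencrypted() { [ -r "$1" ] && ! grep -q 'ENCRYPTED' "$1"; }

# Mode must be rw------- (what chmod 600 gives): no group/other access.
key_is_private() { [ "$(ls -ld "$1" | cut -c5-10)" = "------" ]; }

# The private key and the first certificate in the bundle must share a public key.
key_matches_cert() {
    local k c
    k=$(openssl pkey -in "$1" -passin pass: -pubout </dev/null 2>/dev/null) || return 1
    c=$(openssl x509 -in "$2" -noout -pubkey 2>/dev/null) || return 1
    [ -n "$k" ] && [ "$k" = "$c" ]
}

# Bundle order: each certificate's issuer must equal the next one's subject
# (your cert, intermediate, root). Names only; signatures are not verified here.
bundle_in_order() {
    local tmp n i issuer subject rc
    tmp=$(mktemp -d) || return 2
    rc=0
    # Split the bundle into $tmp/1.pem, $tmp/2.pem, ... one certificate each.
    awk -v d="$tmp" '/-----BEGIN CERTIFICATE-----/ {n++} n {print > (d "/" n ".pem")}' "$1"
    n=$(grep -c -- '-----BEGIN CERTIFICATE-----' "$1" 2>/dev/null || true)
    [ "${n:-0}" -ge 1 ] || rc=1
    i=1
    while [ "$i" -lt "${n:-0}" ]; do
        issuer=$(openssl x509 -in "$tmp/$i.pem" -noout -issuer -nameopt RFC2253 | sed 's/^issuer= *//')
        subject=$(openssl x509 -in "$tmp/$((i + 1)).pem" -noout -subject -nameopt RFC2253 | sed 's/^subject= *//')
        [ -n "$issuer" ] && [ "$issuer" = "$subject" ] || rc=1
        i=$((i + 1))
    done
    rm -rf "$tmp"
    return "$rc"
}

# Run every check and report; returns non-zero if any of them failed.
check_deploy() {
    local rc
    rc=0
    key_is_unencrypted "$1"    || { echo "FAIL: key is encrypted or unreadable: $1"; rc=1; }
    key_is_private "$1"        || { echo "FAIL: key is accessible to group/other: $1"; rc=1; }
    key_matches_cert "$1" "$2" || { echo "FAIL: key does not match first cert in $2"; rc=1; }
    bundle_in_order "$2"       || { echo "FAIL: bundle order is wrong in $2"; rc=1; }
    return "$rc"
}
# Usage (as root):
# check_deploy /etc/nginx/ssl/yourdomain.com-decrypted.key /etc/nginx/ssl/yourdomain.com-bundle.crt
```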

