
How to Install SSL Certificate on an NGINX Server

Try this guide with our instant dedicated server for as low as 40 Euros


We often hear that in today’s world, website security is no longer a luxury—it’s a fundamental operational necessity. This statement couldn’t be more accurate in the face of rising cyber crimes. 

Website owners have a fundamental duty to ensure a secure connection between their web servers and users’ browsers.

Installing an SSL certificate on NGINX helps secure this connection. The certificate encrypts information transmitted across the internet, ensuring data privacy and thereby protecting both the website and its visitors.

If you manage multiple NGINX servers, you should note that each server requires its own SSL certificate to enable HTTPS. Options include free certificates from Let’s Encrypt and paid certificates from commercial Certificate Authorities.

In this tutorial, we will discuss how to install an SSL certificate on an NGINX server.

Table of Contents

  1. How to Install SSL Certificate on an NGINX Server
    1. Step #1: Combine All Certificates into a Single File
    2. Step #2: Edit the NGINX Configuration File
    3. Step #3: Restart the NGINX Server
    4. Step #4: Verify SSL Certificate
  2. Conclusion
  3. FAQs

How to Install SSL Certificate on an NGINX Server

Before diving into the process of installing an SSL certificate on an NGINX server, it is important to understand the prerequisites.

The Prerequisites

Before diving further, ensure you have the following.

  • A server certificate issued by a Certificate Authority (CA) for your domain
  • Intermediate certificates
  • A private key
  • NGINX installed on your server machine
  • A user account with sudo or administrative privileges

As mentioned in the prerequisites, we assume you have already produced a Certificate Signing Request (CSR) and received your SSL certificate from a Certificate Authority (CA). 

If you still need help with this part of the process, check out our How to Secure NGINX with Let’s Encrypt on Ubuntu 22.04 guide. Let’s Encrypt is a free, automated, and open Certificate Authority (CA) that provides digital certificates for Transport Layer Security (TLS) encryption.

Let us now discuss how to install the SSL certificate on the NGINX server.

Step #1: Combine All Certificates into a Single File 

Once you’ve obtained your SSL certificate from the CA (usually sent via email as a .zip file), download and unzip it. The .zip file contains your server certificate, a root certificate, and potentially one or more intermediate certificates.

You can kick off the installation process by combining these certificates into a single file named ssl-bundle.crt.

You can either manually copy and paste the contents of each certificate into a file open in a text editor like Vim or Nano and save it as ssl-bundle.crt or you can use command line tools to combine the certificates into one file. 

If using the command line approach, we recommend using the appropriate command depending on whether your intermediate certificates are in separate files or a single .ca-bundle file.

If the certificates are separate, use the command:

# cat your-domain.crt intermediate.crt root.crt > ssl-bundle.crt

If the intermediate certificates are in a single bundle, use:

# cat your-domain.crt your-domain.ca-bundle > ssl-bundle.crt

Note: Ensure your private key file (your-domain.key) has read-only permissions for the user running NGINX. You can change the file permissions by running chmod 400 your-domain.key in the terminal.

Step #2: Edit the NGINX Configuration File

Once you have combined the certificates, locate your NGINX server block (also known as the virtual host file). If you are unsure about the location, run the following command:

# sudo find / -name nginx.conf

Next, open the configuration file and duplicate the existing server block for your domain. Paste the duplicate below the original and edit the new block.

You need to make the following modifications in the new block.

Listen on port 443:

listen 443 ssl;

Define the paths to the SSL certificate bundle and the private key:

ssl_certificate /path/to/ssl-bundle.crt;
ssl_certificate_key /path/to/your-domain.key;

At this point, the configuration file would look like this. 

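server {
    listen 443 ssl;

    # Server certificate followed by the intermediates (the bundle from Step #1)
    ssl_certificate     /etc/ssl/ssl-bundle.crt;
    ssl_certificate_key /path/to/your_private.key;

    root        /path/to/webroot;
    server_name your_domain.com;

    access_log /var/log/nginx/nginx.vhost.access.log;
    error_log  /var/log/nginx/nginx.vhost.error.log;

    location / {
        # NGINX rejects a second root directive in the same block,
        # so keep only the path that holds your site.
        root  /var/www/;
        # root  /home/www/public_html/your.domain.com/public/;
        index index.html;
    }
}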

Once you have made the necessary modifications, save and exit the NGINX configuration file.

Step #3: Restart the NGINX Server

Restart the NGINX server to apply the changes.

# sudo systemctl restart nginx

Step #4: Verify SSL Certificate

You now need to verify that you have successfully installed the SSL certificate on NGINX. For this, open your web browser and navigate to your website to test HTTPS connectivity.

https://your.domain.com

A locked padlock icon in the browser’s address bar indicates the successful installation of the SSL certificate.
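The checks below are an added example, not part of the original guide. They cover what Steps 1 to 4 leave unchecked: a bundle with fused or missing certificates, a key that other users can read or that does not match the certificate, and a chain that only verifies because the browser supplied a missing intermediate. The function names are hypothetical, the file names follow the guide, and openssl, nginx and sudo are assumed to be installed.

```shell
# Added example: pre-flight checks for Steps 1-4. Function names are hypothetical.
# Step 1: truncate first so a re-run never appends to an old copy; leaf first,
# line endings normalised, every input file terminated by a newline.
build_bundle() {   # usage: build_bundle OUT LEAF INTERMEDIATE...
    out=$1; shift
    : > "$out" || return 1
    for f in "$@"; do
        [ -r "$f" ] || { echo "cannot read $f" >&2; return 1; }
        tr -d '\r' < "$f" | awk '{ print }' >> "$out"
    done
}

# Structure only: no private key in the bundle, no fused markers, and at
# least two complete certificates (leaf plus one intermediate).
check_bundle() {
    [ -r "$1" ] || return 1
    grep -q -- 'PRIVATE KEY-----' "$1" && { echo "private key in $1" >&2; return 1; }
    grep -q -- '-----END CERTIFICATE-----.*-----BEGIN' "$1" &&
        { echo "fused PEM markers in $1" >&2; return 1; }
    begins=$(grep -c -- '^-----BEGIN CERTIFICATE-----' "$1" || true)
    ends=$(grep -c -- '^-----END CERTIFICATE-----' "$1" || true)
    [ "$begins" -ge 2 ] && [ "$begins" -eq "$ends" ]
}

# The key must not be accessible to group or others (the guide's chmod 400).
check_key_perms() {
    case $(ls -ldL "$1" 2>/dev/null | cut -c5-10) in
        ------) return 0 ;;
        *) echo "$1 missing or group/other accessible" >&2; return 1 ;;
    esac
}

# The first certificate in the bundle and the key must share one public key.
key_matches_cert() {   # usage: key_matches_cert BUNDLE KEY
    c=$(openssl x509 -in "$1" -noout -pubkey 2>/dev/null) || return 1
    k=$(openssl pkey -in "$2" -pubout 2>/dev/null) || return 1
    [ -n "$c" ] && [ "$c" = "$k" ]
}

# Step 4 without a browser: openssl does not fetch or cache missing intermediates.
served_chain_ok() {   # usage: served_chain_ok your.domain.com
    openssl s_client -connect "$1:443" -servername "$1" </dev/null 2>/dev/null |
        grep -q 'Verify return code: 0 (ok)'
}

# Step 3 gate: restart only when the files and the configuration check out.
preflight() {   # usage: preflight BUNDLE KEY && sudo systemctl restart nginx
    check_bundle "$1" && check_key_perms "$2" && key_matches_cert "$1" "$2" && sudo nginx -t
}
```

Source the file, run preflight /etc/ssl/ssl-bundle.crt /path/to/your_private.key before the restart in Step #3, and run served_chain_ok your.domain.com afterwards.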

Conclusion

By following the steps outlined above, you should have successfully installed an SSL Certificate on your NGINX server. 

Remember to repeat the process for each NGINX server if you have multiple machines. 

FAQs

Q. What is an SSL Certificate, and why is it essential for NGINX?

An SSL (Secure Sockets Layer) certificate is a digital certificate that authenticates the identity of a website and encrypts the information sent between the server and the client. 

It is essential for NGINX because it ensures secure, encrypted connections for websites, and protects sensitive data like login credentials, payment information, and personal details from interception by unauthorized parties.

Q. How to Install SSL Certificate on NGINX?

To install an SSL certificate on NGINX, you need to generate a Certificate Signing Request (CSR), submit it to a Certificate Authority (CA) to obtain the SSL certificate, and configure NGINX to use the certificate by editing the server block configuration. Follow the steps outlined in this guide to complete the process.

Q. What are Primary Certificates, and how are they different from Intermediate Certificate Bundles?

Primary certificates, also known as server certificates, are issued to the specific domain you intend to secure. Intermediate certificates are issued by trusted root CAs to create a chain of trust, linking your primary certificate to the trusted root. Intermediate certificates help browsers and devices recognize your server certificate as trustworthy.

Q. What is a Certificate Signing Request (CSR), and how do I generate one for NGINX?

A Certificate Signing Request (CSR) is a block of encoded text that contains information about the domain and organization requesting the certificate. It also includes the public key that will be included in the certificate. You can generate a CSR using OpenSSL with a command like openssl req -new -newkey rsa:2048 -nodes -keyout your_domain.key -out your_domain.csr.

Q. Where is the Default HTTP Port located in NGINX, and can it be customized for SSL?

The default HTTP port in NGINX is port 80. For SSL, the default port is 443. You can customize these ports in your NGINX configuration by changing the listen directive in the server block. For example, listen 443 ssl; configures NGINX to listen for HTTPS traffic on port 443.

Q. What is the SSL Directory in NGINX, and how do I manage SSL/TLS certificates within it?

The SSL directory in NGINX typically refers to the location where SSL certificates and private keys are stored, commonly /etc/ssl/ or /etc/nginx/ssl/. Managing these files involves ensuring they have the correct permissions and are properly referenced in the NGINX configuration file.

Q. How to use an SSL certificate generator tool for NGINX?

SSL certificate generator tools can simplify the process of creating SSL certificates and private keys. Tools like OpenSSL can generate CSRs and private keys, while automated services like Let’s Encrypt provide tools like Certbot to automatically issue and renew SSL certificates for NGINX.

Q. How to troubleshoot SSL Certificate errors on NGINX?

Common SSL/TLS certificate errors on NGINX include mismatched domain names, expired certificates, and incorrect file paths. To troubleshoot, check the NGINX error log (/var/log/nginx/error.log), verify that the certificate and key files are correctly referenced in the configuration, and use online SSL testing tools to diagnose issues.

Q. What are Self-Signed Certificates, and when are they used on NGINX?

Self-signed certificates are SSL certificates signed by the creator’s own private key rather than a trusted CA. They are typically used for testing or internal purposes because they are not trusted by default in browsers and devices. To generate one, use openssl req -x509 -nodes -days 365 -newkey rsa:2048 -keyout selfsigned.key -out selfsigned.crt.

Q. How to Obtain an SSL Certificate via Email for NGINX?

To obtain an SSL certificate via email, you usually need to submit a CSR to a CA. After validation, the CA will send the SSL certificate and intermediate certificates to your registered email. You then need to download these certificates, configure them on your NGINX server as described in this guide, and restart NGINX.
