How to Install an SSL/TLS Certificate in Nginx (OpenSSL)?

Welcome to the guide on installing an SSL/TLS certificate in Nginx (OpenSSL). This step-by-step tutorial will walk you through Nginx’s entire SSL installation process, ensuring a secure and encrypted connection.

Whether setting up a single server or multiple devices, rest assured that by the end of this guide, you will clearly understand how to secure each of them with the appropriate certificate.

Before we begin, you must ensure you have generated your certificate and completed the validation process. Please refer to our CSR Generation Instructions for assistance if you still need to do that.

Now, let’s delve into the instructions for installing your SSL/TLS certificate on Nginx, providing a robust security shield for your web servers and applications.

Follow along, and you’ll have your SSL/TLS certificate deployed quickly!

Prerequisites for Installing an SSL/TLS Certificate:

To successfully install an SSL/TLS certificate on your server, ensure you have the following essential components ready:

Private Key:

The private key is a significant part of the SSL/TLS certificate installation process. It should already be present on your server or in your possession if you used a free generator tool to create your Certificate Signing Request (CSR).

Certain platforms, like Microsoft IIS, may not immediately reveal your private key, but the server retains it securely.

Intermediate Certificates:

These files help verify the authenticity of the issuing CA. Depending on your certificate provider, there might be multiple intermediate certificates.

If you received your SSL/TLS certificate in a ZIP folder, it should contain the Intermediate certificate(s), sometimes referred to as a CA Bundle. You can download the appropriate CA Bundle from the certificate provider’s website if not included.

Server Certificate:

This certificate is issued by a Certificate Authority (CA) for your domain. If you need help, you can download it by accessing your Account Dashboard and locating your order. The server certificate establishes a secure connection between your server and users’ devices.

By having these three key components ready, you’ll be well-prepared to proceed with the SSL/TLS certificate installation and enhance the security of your server and its communications.

Process for Generating a CSR for Nginx Using OpenSSL:

If you prefer to have complete control over generating your Nginx CSR through shell commands, follow these step-by-step instructions:

Step 1: Log in to Your Server:

Access your server via a terminal client using SSH for a secure connection.

Step 2: Run the Command:

Enter the following command at the prompt. Remember to replace “server” with your server’s name:

openssl req -new -newkey rsa:2048 -nodes -keyout server.key -out server.csr

Step 3: File Generation:

By executing the above command, you initiate the generation of two files:

  • Private-Key File: This file is crucial in generating the CSR and securing and verifying connections using the certificate.
  • Certificate Signing Request (CSR) File: This file will be used to order your SSL certificate. It contains your public key, which is used to encrypt messages that only the corresponding private key can decrypt.

Step 4: Provide Domain Information:

When prompted for the Common Name (domain name), type the fully qualified domain name (FQDN) of the site you wish to secure.

NOTE: For a Wildcard certificate, ensure your common name starts with an asterisk (e.g., *

Step 5: Organizational Information:

Enter your organizational information, starting with your geographic details, when prompted.

NOTE: You may skip this step if you have already set up default information.

Step 6: Creation of .csr File:

Upon completing the prompts, your .csr file will be created, containing the necessary information to obtain your SSL/TLS certificate.

Step 7: Order Your SSL/TLS Certificate:

Open the generated .csr file using a text editor. Copy the entire text, including the -----BEGIN NEW CERTIFICATE REQUEST----- and -----END NEW CERTIFICATE REQUEST----- tags.

Paste this text into the DigiCert order form (or the relevant SSL certificate provider you have chosen) to initiate the certificate issuance process.

Step 8: Save Private Key:

Ensure you save (back up) the generated .key file securely. You will need it during the SSL certificate installation process.

Step 9: Install Your Certificate:

Once you receive your SSL certificate from DigiCert (or your chosen provider), install it on your server to complete the SSL/TLS setup.

By following these instructions, you can confidently generate a CSR for Nginx using OpenSSL, leading to a secure and encrypted connection for website visitors.
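Before pasting the request into an order form, it helps to confirm that the CSR is well-formed and belongs to the key you saved. The script below is an added example, not part of the original guide: it runs the Step 2 command non-interactively, then checks the CSR's self-signature, its public key against server.key, its Common Name, and the key file's permissions. The function names are hypothetical, and www.example.test and the subject fields are constructed sample values.

```shell
#!/bin/sh
# Added example (not from the original guide). www.example.test and the
# subject fields are constructed sample values.

# make_csr DIR CN: non-interactive form of the command in Step 2; writes
# DIR/server.key and DIR/server.csr.
make_csr() {
    dir=$1; cn=$2
    (
        # -nodes leaves the key unencrypted on disk, so create it under a
        # umask that keeps group and other users from reading it.
        umask 077
        openssl req -new -newkey rsa:2048 -nodes \
            -keyout "$dir/server.key" -out "$dir/server.csr" \
            -subj "/C=US/ST=Example State/O=Example Org/CN=$cn" 2>/dev/null
    )
}

# csr_cn CSR: print the Common Name stored in the request.
csr_cn() {
    openssl req -in "$1" -noout -subject -nameopt multiline 2>/dev/null |
        sed -n 's/^ *commonName *= *//p'
}

# key_private KEY: succeed if only the file owner can read or write KEY.
key_private() { [ "$(ls -l "$1" | cut -c1-10)" = "-rw-------" ]; }

# csr_ready CSR KEY CN: succeed only if the CSR's self-signature verifies,
# its public key is the one in KEY, and its Common Name is CN.
csr_ready() {
    openssl req -in "$1" -noout -verify 2>&1 | grep -q 'verify OK' || return 1
    [ "$(openssl req -in "$1" -noout -pubkey 2>/dev/null)" = \
      "$(openssl pkey -in "$2" -pubout 2>/dev/null)" ] || return 1
    [ "$(csr_cn "$1")" = "$3" ]
}

# Demo in a throwaway directory.
tmp=$(mktemp -d)
make_csr "$tmp" www.example.test &&
    csr_ready "$tmp/server.csr" "$tmp/server.key" www.example.test &&
    key_private "$tmp/server.key" &&
    echo "CSR ready to submit: CN=$(csr_cn "$tmp/server.csr")"
rm -rf "$tmp"
```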

SSL/TLS Certificate Installation Instructions for Nginx:

Follow these simple and secure installation instructions to set up your SSL/TLS certificate on Nginx successfully:

Step 1: Copy Your Certificate Files:

Begin by copying the certificate files to the appropriate directory on your server. To enhance security, ensure that only the root user has read permissions for these files.

Step 2: Concatenate the Certificates:

Next, you need to concatenate the two certificates into a single file, with your server certificate first and the intermediate certificate second. Use the following command to achieve this:

cat your_domain_name.crt Intermediate.crt > bundle.crt

Step 3: Edit Your Virtual Host File:

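Open your Nginx virtual host file for editing. Duplicate the existing server block (the non-secure one) and place it below the original. Then, in the copy, add the listen, ssl_certificate, and ssl_certificate_key lines shown below:

server {
  # "listen 443 ssl;" replaces the older "listen 443;" plus "ssl on;" pair;
  # the standalone ssl directive is deprecated in newer Nginx releases.
  listen 443 ssl;
  # Server certificate followed by the intermediate(s); bundle.crt also works here.
  ssl_certificate /etc/ssl/your_domain_name.pem;
  ssl_certificate_key /etc/ssl/your_domain_name.key;
  access_log /var/log/nginx/nginx.vhost.access.log;
  error_log /var/log/nginx/nginx.vhost.error.log;
  location / {
    root  /home/www/public_html/;
    index  index.html;
  }
}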

Step 4: Restart Nginx:

To apply the changes, restart Nginx using the following command:

sudo /etc/init.d/nginx restart

Voila! You’ve now successfully installed your SSL certificate on Nginx. Remember, sometimes, you may need to restart your server for all changes to take effect.

You can use an SSL Checker Tool for a more comprehensive analysis of your server’s configurations. If you require further assistance, don’t hesitate to contact our Customer Experience Department.

How to Confirm that the SSL Installation was Successful?

To verify the successful SSL certificate installation on NGINX, follow these simple steps to connect to your server via a browser:

Step 1: Open Your Preferred Browser:

Launch any web browser of your choice on your computer or device.

Step 2: Navigate to Your Domain Using HTTPS:

In the browser’s address bar, type in your domain using the HTTPS protocol:

Step 3: Look for the Padlock Icon:

Observe the browser’s address bar upon accessing your domain with the HTTPS prefix. A locked padlock icon should be displayed, indicating that the SSL certificate is now correctly set up on your server.

Step 4: Confirmation of SSL Certificate:

The locked padlock symbol signifies that your website’s connection is secure and encrypted with SSL. This ensures that data transmitted between your server and visitors’ browsers remains protected from potential eavesdropping or tampering.

By performing this quick check in your browser, you can confirm that your SSL certificate installation on NGINX was successful. This visual verification adds a layer of confidence for you and your website visitors, assuring them of a safe and secure browsing experience.

Troubleshooting Steps for SSL/TLS Certificate Installation:

To ensure a seamless SSL/TLS certificate installation, follow these troubleshooting steps and address any potential issues that may arise:

Step 1: Visit Your Site Using a Browser:

Open a web browser and access your site using the HTTPS protocol. We recommend using Firefox for testing, as it will alert you to any problems with your intermediate certificate installation. Ideally, you should see no browser warnings or errors.

Step 2: Verify Nginx Listening on Port 443:

If you immediately receive a message stating that the site is unavailable, it could indicate that Nginx is not yet listening on Port 443. Double-check your Nginx configuration and ensure it is set up to handle HTTPS requests properly.

Step 3: Check for Firewall Restrictions:

If your web request takes an unusually long time and eventually times out, a firewall might block traffic on TCP port 443, preventing secure communication to the web server. Confirm that there are no firewall restrictions obstructing HTTPS traffic.

Step 4: Investigate “Not Trusted” Warnings:

If you receive an “untrustworthy” warning, examine the certificate to verify its legitimacy. Pay particular attention to the Subject, Issuer, and Valid To fields, ensuring they match your expectations and reflect the correct certificate details.

Step 5: Review Concatenation of Certificate Files:

If you had to concatenate the certificate files, ensure that your primary certificate (e.g., your_domain_name.crt) has been correctly combined with the intermediate certificate. An incorrect combination might lead to SSL verification issues.
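The concatenation review in Step 5 can be scripted. The following is an added example, not part of the original guide: it checks that the first certificate in the bundle matches the private key and that its issuer name is the subject of the second certificate, which also catches a reversed bundle or two files glued together without a line break. The function names are hypothetical, and the test files are constructed, with a throwaway self-signed CA standing in for the intermediate.

```shell
#!/bin/sh
# Added example (not from the original guide). The CA and host names are
# constructed; a throwaway self-signed CA stands in for the intermediate.

# nth_cert FILE N: print the Nth PEM certificate block in FILE.
nth_cert() {
    awk -v n="$2" '/-----BEGIN CERTIFICATE-----/ { i++ }
                   i == n { print }
                   /-----END CERTIFICATE-----/ && i == n { exit }' "$1"
}

# bundle_ok BUNDLE KEY: succeed only if the first certificate in BUNDLE holds
# the public key of KEY (server certificate first) and its issuer name is the
# subject name of the second certificate (intermediate second).
bundle_ok() {
    leaf=$(nth_cert "$1" 1); ca=$(nth_cert "$1" 2)
    pub=$(printf '%s\n' "$leaf" | openssl x509 -noout -pubkey 2>/dev/null)
    iss=$(printf '%s\n' "$leaf" | openssl x509 -noout -issuer_hash 2>/dev/null)
    sub=$(printf '%s\n' "$ca" | openssl x509 -noout -subject_hash 2>/dev/null)
    [ -n "$pub" ] && [ -n "$sub" ] || return 1   # both certificates must parse
    [ "$pub" = "$(openssl pkey -in "$2" -pubout 2>/dev/null)" ] || return 1
    [ "$iss" = "$sub" ]
}

# make_sample DIR: create constructed test files using the guide's file names.
make_sample() {
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
        -subj "/CN=Example Test CA" \
        -keyout "$1/ca.key" -out "$1/Intermediate.crt" 2>/dev/null &&
    openssl req -new -newkey rsa:2048 -nodes -subj "/CN=www.example.test" \
        -keyout "$1/your_domain_name.key" -out "$1/req.csr" 2>/dev/null &&
    openssl x509 -req -in "$1/req.csr" -days 1 -set_serial 1 \
        -CA "$1/Intermediate.crt" -CAkey "$1/ca.key" \
        -out "$1/your_domain_name.crt" 2>/dev/null
}

# Demo: the correct order passes, the reversed order is rejected.
tmp=$(mktemp -d) && make_sample "$tmp"
cat "$tmp/your_domain_name.crt" "$tmp/Intermediate.crt" > "$tmp/bundle.crt"
cat "$tmp/Intermediate.crt" "$tmp/your_domain_name.crt" > "$tmp/reversed.crt"
bundle_ok "$tmp/bundle.crt" "$tmp/your_domain_name.key" && echo "bundle.crt: ok"
bundle_ok "$tmp/reversed.crt" "$tmp/your_domain_name.key" || echo "reversed.crt: rejected"
rm -rf "$tmp"
```

The check compares names and keys only; it does not validate signatures or expiry, so the browser test in Step 1 still applies.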

These troubleshooting steps can identify and resolve common SSL/TLS certificate installation challenges.

Ensuring a smooth installation process will help guarantee your website’s secure and error-free functioning with HTTPS enabled, promoting trust and confidence among your users.

Enjoy the increased security and encryption of your SSL/TLS certificate, making your website safer for your users!
