Nginx SSL Certificate Installation Guide

⏰ 10 min read -  Difficulty: Intermediate - Nginx on Ubuntu / Debian / CentOS
✓ Prerequisites
  • Root or sudo access to your server
  • Nginx installed and running
  • A valid SSL certificate (CRT/PEM), private key, and CA bundle files
  • Your domain DNS pointing to the server IP

1 Prepare your certificate files

Organize the files you received from your SSL provider

After purchasing and validating your SSL certificate, your provider will send you a ZIP file or email containing the following files:

  • your_domain.crt: Your primary certificate file
  • your_domain.key: Your private key (keep this secret)
  • ca_bundle.crt: Intermediate / root CA certificate chain
Important: Never share your .key file. It should only exist on your server in a protected directory.
 

2 Upload certificates to the server

Transfer files and set correct directory permissions

Create a dedicated directory for your SSL files:

bash
sudo mkdir -p /etc/nginx/ssl/yourdomain.com
sudo chmod 700 /etc/nginx/ssl/yourdomain.com

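Upload your certificate files from your local machine using SCP. The directory created above is owned by root with mode 700, so connect as an account that can write to it: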

bash (run from your local machine)
scp your_domain.crt your_domain.key ca_bundle.crt user@your_server_ip:/etc/nginx/ssl/yourdomain.com/

Set correct permissions on each file:

bash
sudo chmod 600 /etc/nginx/ssl/yourdomain.com/your_domain.key
sudo chmod 644 /etc/nginx/ssl/yourdomain.com/your_domain.crt
sudo chmod 644 /etc/nginx/ssl/yourdomain.com/ca_bundle.crt
 

3 Create the certificate chain

Combine your certificate with the CA bundle

Nginx requires a single chained certificate file that combines your domain certificate and the CA bundle:

bash
cat /etc/nginx/ssl/yourdomain.com/your_domain.crt /etc/nginx/ssl/yourdomain.com/ca_bundle.crt > /etc/nginx/ssl/yourdomain.com/chained.crt
ⓘ The order matters. Your domain certificate must come first, followed by the CA bundle.
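
A structural pre-flight for the files from steps 2 and 3, written as an added example (not part of the original guide): it catches the fused PEM markers that cat produces when your_domain.crt lacks a final newline, a private key pasted into the chain file, a missing CA bundle, and a key readable by group or others. The function names and the dummy PEM bodies in the demo are constructed for illustration.

```bash
# Added example: structural pre-flight for the files from steps 2 and 3.
# It checks layout only; it does not validate signatures or expiry.

# check_chain FILE: return 0 if FILE looks like a usable chained.crt.
check_chain() {
    chain=$1
    [ -r "$chain" ] || { echo "cannot read $chain"; return 1; }
    # If your_domain.crt has no final newline, cat fuses the END and BEGIN
    # markers onto one line and Nginx cannot parse the result.
    if grep -q -e 'END CERTIFICATE-*BEGIN CERTIFICATE' "$chain"; then
        echo "fused PEM markers: add a final newline to the first file"; return 2
    fi
    # The chain file is not secret and is usually world-readable,
    # so no private key may be pasted into it.
    if grep -q -e 'PRIVATE KEY-----' "$chain"; then
        echo "private key material found in $chain"; return 3
    fi
    begins=$(grep -c -e '^-----BEGIN CERTIFICATE-----' "$chain" || true)
    ends=$(grep -c -e '^-----END CERTIFICATE-----' "$chain" || true)
    if [ "$begins" -ne "$ends" ] || [ "$begins" -lt 2 ]; then
        echo "expected leaf plus CA bundle, found $begins BEGIN / $ends END"; return 4
    fi
    echo "ok: $begins certificates in $chain"
}

# check_key_mode FILE: return 0 only if group and others have no access.
check_key_mode() {
    perms=$(ls -ld "$1" 2>/dev/null | cut -c5-10)
    [ "$perms" = "------" ] || { echo "$1 is accessible beyond its owner"; return 1; }
}

# Constructed demo: dummy PEM bodies, leaf written without a final newline.
demo_fused_chain() {
    d=$(mktemp -d)
    printf '%s\n%s\n%s' '-----BEGIN CERTIFICATE-----' 'TEVBRg==' \
        '-----END CERTIFICATE-----' > "$d/your_domain.crt"
    printf '%s\n%s\n%s\n' '-----BEGIN CERTIFICATE-----' 'Q0E=' \
        '-----END CERTIFICATE-----' > "$d/ca_bundle.crt"
    cat "$d/your_domain.crt" "$d/ca_bundle.crt" > "$d/chained.crt"
    check_chain "$d/chained.crt"; demo_rc=$?
    rm -rf "$d"
    return "$demo_rc"
}

demo_fused_chain || echo "demo exit code: $?"
```

From a root shell, call check_chain on /etc/nginx/ssl/yourdomain.com/chained.crt and check_key_mode on your_domain.key before running sudo nginx -t.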
 

4 Configure the Nginx server block

Edit your virtual host configuration to enable SSL

Open your Nginx server block configuration file. It is usually located at /etc/nginx/sites-available/yourdomain.com or inside /etc/nginx/conf.d/

bash
sudo nano /etc/nginx/sites-available/yourdomain.com

Add or update the server block with the following SSL configuration:

nginx config
server {
    listen 443 ssl;
    listen [::]:443 ssl;
    server_name yourdomain.com www.yourdomain.com;

    ssl_certificate /etc/nginx/ssl/yourdomain.com/chained.crt;
    ssl_certificate_key /etc/nginx/ssl/yourdomain.com/your_domain.key;

    ssl_protocols TLSv1.2 TLSv1.3;
    ssl_ciphers HIGH:!aNULL:!MD5;
    ssl_prefer_server_ciphers on;
    ssl_session_cache shared:SSL:10m;
    ssl_session_timeout 10m;

    root /var/www/yourdomain.com;
    index index.php index.html;

    location / {
        try_files $uri $uri/ =404;
    }
}

Replace yourdomain.com and the root path to match your actual domain and web root directory.

5 Test and reload Nginx

Validate configuration syntax before applying changes

Always test your configuration for syntax errors before reloading. A misconfiguration can bring down your web server.

bash
sudo nginx -t

If the output shows syntax is ok and test is successful, reload Nginx:

bash
sudo systemctl reload nginx
⚠ If the test fails, review your config file carefully. Check for missing semicolons, incorrect file paths, or typos in directive names.
 

6 Force HTTPS redirect

Automatically redirect all HTTP traffic to HTTPS

Add a second server block in the same config file to redirect HTTP (port 80) to HTTPS:

nginx config
server {
    listen 80;
    listen [::]:80;
    server_name yourdomain.com www.yourdomain.com;
    return 301 https://$host$request_uri;
}

Save the file, then test and reload Nginx:

bash
sudo nginx -t && sudo systemctl reload nginx
 

7 Verify the SSL installation

Confirm your certificate is active and valid

Use the following command to check your certificate details directly from the server:

bash
echo | openssl s_client -connect yourdomain.com:443 -servername yourdomain.com 2>/dev/null | openssl x509 -noout -dates -subject

You can also verify online using any SSL checker tool. Your browser should now show a padlock icon when visiting your domain over HTTPS.

✓ Your SSL installation is successful if:
  • Browser shows a padlock icon on your domain
  • https://yourdomain.com loads without any security warnings
  • http:// automatically redirects to https://
  • SSL checker shows no chain errors and correct expiry date