How to Install SSL Certificate on Nginx

A comprehensive guide to installing and configuring SSL certificates on Nginx web servers.

Prerequisites

Before installing an SSL certificate on Nginx, ensure you have:

  • Nginx installed and running
  • Root or sudo access to the server
  • Domain name pointing to your server
  • SSL certificate files:
    • Certificate file (.crt)
    • Private key file (.key)
    • Certificate chain file (if applicable)

Note: These instructions assume you're using a Linux-based system.

Obtaining SSL Certificate

You can obtain an SSL certificate through several methods:

Certificate Options
  • Let's Encrypt (Free): Using Certbot automation tool
  • Commercial CA: Purchase from trusted providers
  • Self-signed: For testing/development only

Installing SSL Certificate

Follow these steps to install your SSL certificate:

  1. Create a directory for certificates:
    sudo mkdir -p /etc/nginx/ssl/example.com
  2. Copy certificate files:
    sudo cp example.com.crt /etc/nginx/ssl/example.com/
    sudo cp example.com.key /etc/nginx/ssl/example.com/
    sudo cp chain.crt /etc/nginx/ssl/example.com/
  3. Set proper permissions:
    sudo chmod 600 /etc/nginx/ssl/example.com/*

Configuring Nginx

Use our configuration generator to create your Nginx SSL configuration:

Generated Configuration
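server {
    listen 443 ssl http2;
    server_name example.com;

    # ssl_certificate is the file sent to clients: it must contain the server
    # certificate followed by any intermediate certificates, in that order.
    ssl_certificate /etc/nginx/ssl/example.com/example.com.crt;
    ssl_certificate_key /etc/nginx/ssl/example.com/example.com.key;
    # ssl_trusted_certificate is not sent to clients; Nginx uses it to verify
    # OCSP responses (and client certificates when those are enabled).
    ssl_trusted_certificate /etc/nginx/ssl/example.com/chain.crt;

    # Modern SSL configuration
    ssl_protocols TLSv1.2 TLSv1.3;
    ssl_ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384;
    ssl_prefer_server_ciphers off;

    # HSTS: browsers remember to use HTTPS for this host for 63072000 seconds (two years)
    add_header Strict-Transport-Security "max-age=63072000" always;

    location / {
        root /var/www/html;
        index index.html;
    }
}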

Important: Always back up your configuration before making changes.

Testing Configuration

Verify your SSL configuration:

  1. Test Nginx configuration:
    sudo nginx -t
  2. Reload Nginx:
    sudo systemctl reload nginx
  3. Verify SSL installation:
    • Visit https://example.com
    • Check certificate details in browser
    • Use SSL testing tools (e.g., SSLLabs)

Troubleshooting

  • Certificate not found: Verify file paths and permissions
  • Invalid certificate: Check certificate chain order
  • SSL handshake failure: Verify protocol and cipher configuration
  • Mixed content warnings: Update internal links to HTTPS
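
The file-level items in the list above (key and certificate pairing, key permissions, chain order), plus an expiry check, can be scripted with openssl and run before reloading Nginx. This is an added example, not part of the original guide; the function names and the 30-day threshold are assumptions, and it relies on GNU stat.

```bash
#!/usr/bin/env bash
# Added example (not from the original guide); function names are hypothetical.
# Assumes openssl and GNU stat; the 30-day threshold in preflight is an assumption.

key_matches_cert() {            # usage: key_matches_cert CERT KEY
    local a b
    a=$(openssl x509 -in "$1" -noout -pubkey) || return 2
    b=$(openssl pkey -in "$2" -pubout) || return 2
    [ -n "$a" ] && [ "$a" = "$b" ]          # same public key on both sides
}

key_is_private() {              # usage: key_is_private KEY
    local mode
    mode=$(stat -c '%a' "$1") || return 2   # octal mode, e.g. 600
    case "$mode" in *00) return 0 ;; *) return 1 ;; esac   # no group/other bits
}

valid_for_days() {              # usage: valid_for_days CERT DAYS
    openssl x509 -in "$1" -noout -checkend "$(( $2 * 86400 ))" >/dev/null
}

chain_in_order() {              # usage: chain_in_order FILE..., leaf certificate first
    local dir i=1 rc=0 iss sub
    dir=$(mktemp -d) || return 2
    # Split the PEM input into one file per certificate, keeping the order.
    awk -v d="$dir" '/BEGIN CERTIFICATE/{n++} n{print > (d "/" n ".pem")}' "$@"
    [ -f "$dir/1.pem" ] || rc=2
    while [ -f "$dir/$((i + 1)).pem" ]; do
        # Each certificate must be issued by the one that follows it.
        iss=$(openssl x509 -in "$dir/$i.pem" -noout -issuer_hash)
        sub=$(openssl x509 -in "$dir/$((i + 1)).pem" -noout -subject_hash)
        [ -n "$iss" ] && [ "$iss" = "$sub" ] || rc=1
        i=$((i + 1))
    done
    rm -rf "$dir"
    return "$rc"
}

# Pass CHAIN only when CERT holds the server certificate alone.
preflight() {                   # usage: preflight CERT KEY [CHAIN]
    key_matches_cert "$1" "$2" || { echo "key does not match certificate" >&2; return 1; }
    key_is_private "$2"        || { echo "key is accessible to group/others" >&2; return 1; }
    valid_for_days "$1" 30     || { echo "certificate expires within 30 days" >&2; return 1; }
    chain_in_order "$1" ${3:+"$3"} || { echo "chain is out of order" >&2; return 1; }
}

# Run the checks when the script is called with CERT KEY [CHAIN] arguments.
if [ "$#" -ge 2 ]; then preflight "$@"; fi
```

Run it with sudo so the key under /etc/nginx/ssl/example.com/ is readable; a non-zero exit status means a check failed and the reason is printed to stderr.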

Best Practices

  • Security:
    • Use strong SSL protocols (TLSv1.2, TLSv1.3)
    • Implement HSTS
    • Regular security audits
  • Maintenance:
    • Monitor certificate expiration
    • Keep Nginx updated
    • Regular configuration reviews

Automating with Certbot

Use Certbot for automated SSL management:

Certbot Installation and Usage
# Install Certbot
sudo apt update
sudo apt install certbot python3-certbot-nginx

# Obtain and install certificate
sudo certbot --nginx -d example.com

# Auto-renewal test
sudo certbot renew --dry-run

Tip: Certbot automatically configures Nginx and sets up auto-renewal.

Certellix is an independent service. We are not affiliated with any commercial certificate authority.