Nginx Intermediary SSL Certificates and Passphrases

Aug 11, 2008

I've had to do this 3 or 4 times in the past 12 months, and each time I waste a good chunk of time trying to re-discover how to do it. So this post is as much for my own documentation's sake as it is sharing the love. If you've ever bought an SSL certificate from GoDaddy or a similar provider that supplies an intermediary certificate to include, you might have run into a bit of a problem trying to work out how to include it in your nginx config. Well, it's actually pretty straightforward, provided you remember the steps.

Merging the site and intermediary SSL certificates

First thing you'll need to do is create a new certificate file, which is just the one for your site and the intermediary merged together. In Apache you'd specify them both individually. Nginx only allows you to specify one, so let's put them in the same file, site certificate first:

cat rubypond.com.crt >> rubypond.com.crt.merged
cat intermediate_bundle.crt >> rubypond.com.crt.merged

Removing SSL Passphrase

The next step is to remove the passphrase from the site's key. I'd love to keep it on, but it means nginx can't be restarted without an operator at the console to enter the passphrase every time, which is definitely less than ideal. So to remove the passphrase from your key, I'll first back it up and then take it off with openssl:

mv rubypond.key rubypond.key.passphrased
openssl rsa -in rubypond.key.passphrased -out rubypond.key
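The two steps above (merging the site and intermediary certificates, then stripping the passphrase) are easy to get subtly wrong: the merged file has to have the site certificate first, because nginx treats the first certificate in the file as the server's own and sends the rest as the chain, and the now-unprotected key has nothing but file permissions guarding it. The script below is an added example, not part of the original post. It uses openssl to build a throwaway root, intermediate and site certificate in a temporary directory (standing in for what a CA would hand you), performs both steps on them, and runs the checks worth doing before nginx ever loads the files. The CA names, the hostname and the passphrase are all made up.

```sh
#!/bin/sh
# Added example, not from the original post. Builds a throwaway root -> intermediate
# -> site certificate chain with openssl in a temp directory, then runs the post's two
# steps (merge site + intermediate certs, strip the key passphrase) and checks the
# result before it ever reaches nginx. Every name and the passphrase are made up.
set -eu

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT
PASS='correct-horse-battery'      # constructed passphrase for the throwaway key

# Stand-in for what a CA hands you: a site certificate signed by an intermediate,
# the intermediate bundle, and a passphrase-protected private key.
make_chain() {
  openssl req -x509 -newkey rsa:2048 -nodes -days 30 -subj '/CN=Example Root CA' \
    -keyout "$WORK/root.key" -out "$WORK/root.crt" 2>/dev/null
  printf 'basicConstraints=critical,CA:TRUE\n' > "$WORK/ca.ext"
  openssl req -newkey rsa:2048 -nodes -subj '/CN=Example Intermediate CA' \
    -keyout "$WORK/inter.key" -out "$WORK/inter.csr" 2>/dev/null
  openssl x509 -req -days 30 -in "$WORK/inter.csr" -CA "$WORK/root.crt" \
    -CAkey "$WORK/root.key" -CAcreateserial -extfile "$WORK/ca.ext" \
    -out "$WORK/intermediate_bundle.crt" 2>/dev/null
  openssl genrsa -aes256 -passout "pass:$PASS" \
    -out "$WORK/rubypond.key.passphrased" 2048 2>/dev/null
  openssl req -new -key "$WORK/rubypond.key.passphrased" -passin "pass:$PASS" \
    -subj '/CN=rubypond.com' -out "$WORK/site.csr" 2>/dev/null
  openssl x509 -req -days 30 -in "$WORK/site.csr" -CA "$WORK/intermediate_bundle.crt" \
    -CAkey "$WORK/inter.key" -CAcreateserial -out "$WORK/rubypond.com.crt" 2>/dev/null
}

# Step 1: site certificate first, then the intermediate. nginx takes the first
# certificate in the file as the server's own and sends the rest as the chain.
merge_certs() {
  cat "$WORK/rubypond.com.crt" "$WORK/intermediate_bundle.crt" > "$WORK/rubypond.com.crt.merged"
}

# Step 2: strip the passphrase so nginx can restart unattended, then lock the
# plaintext key down, since file permissions are now its only protection.
strip_passphrase() {
  openssl rsa -in "$WORK/rubypond.key.passphrased" -passin "pass:$PASS" \
    -out "$WORK/rubypond.key" 2>/dev/null
  chmod 600 "$WORK/rubypond.key"
}

# Pre-flight checks. Returns 0 if everything is consistent, otherwise a code
# identifying the first check that failed.
check_result() {
  merged="$WORK/rubypond.com.crt.merged"
  # 1: the first PEM block must be the site certificate (wrong order is the classic mistake)
  openssl x509 -in "$merged" -noout -subject | grep -q 'rubypond.com' || return 1
  # 2: the site certificate must chain up to the root through the merged file
  openssl verify -CAfile "$WORK/root.crt" -untrusted "$merged" \
    "$WORK/rubypond.com.crt" >/dev/null 2>&1 || return 2
  # 3: the key nginx will load must no longer be encrypted
  if grep -q 'ENCRYPTED' "$WORK/rubypond.key"; then return 3; fi
  # 4: the key must belong to the certificate (compare the public halves)
  cert_pub=$(openssl x509 -in "$WORK/rubypond.com.crt" -noout -pubkey)
  key_pub=$(openssl pkey -in "$WORK/rubypond.key" -pubout 2>/dev/null)
  [ "$cert_pub" = "$key_pub" ] || return 4
  return 0
}

make_chain
merge_certs
strip_passphrase
check_result && echo "merged certificate and key are ready for nginx"
```

On a real server you would run only `merge_certs`, `strip_passphrase` and `check_result` against the files your CA gave you, then `nginx -t` before restarting. Once nginx is back up, `openssl s_client -connect yourhost:443 -showcerts` shows the chain exactly as browsers will receive it, which is the quickest way to confirm the intermediary is actually being sent.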

Configuring Nginx to use your new SSL certificate

This config is taken straight from my earlier article on setting up nginx, ssl, and virtual hosts, but I'll include it here just for good measure too:

server {
  listen 443;
  server_name myserver.com;

  ssl on;
  ssl_certificate /etc/nginx/certs/rubypond.com.crt.merged;
  ssl_certificate_key /etc/nginx/certs/rubypond.key;

  # put the rest of your server configuration here.

  location / {
     proxy_set_header X-FORWARDED_PROTO https;
     # put your config here
  }
}

Just be sure to point the certificate entry to the new merged certificate, the key at the now un-passphrased key, and restart nginx. Done.

Hi, I'm Glenn! 👋 I've spent most of my career working with or at startups. I'm currently the Director of Product @ Ockam where I'm helping developers build applications and systems that are secure-by-design. It's time we started securely connecting apps, not networks.

Previously I led the Terraform product team @ HashiCorp, where we launched Terraform Cloud and set the stage for a successful IPO. Prior to that I was part of the Startup Team @ AWS, and earlier still an early employee @ Heroku. I've also invested in a couple of dozen early stage startups.