Glenn Gillen

Nginx Intermediary SSL Certificates and Passphrases

I've had to do this 3 or 4 times in the past 12 months, and each time I waste a good chunk of time trying to re-discover how to do it. So this post is as much for my own documentation's sake as it is sharing the love. If you've ever bought an SSL certificate from GoDaddy or a similar provider that supplies an intermediary certificate to include, you might have run into a bit of a problem trying to work out how to include it in your nginx config. Well, it's actually pretty straightforward, provided you remember the steps.

Merging the site and intermediary SSL certificates

The first thing you'll need to do is create a new certificate file, which is just the one for your site and the intermediary merged together. In Apache you'd specify them both individually; nginx only lets you specify one, so let's put them in the same file, with your site's certificate first and the intermediary after it:

cat rubypond.com.crt >> rubypond.com.crt.merged
cat intermediate_bundle.crt >> rubypond.com.crt.merged

Removing SSL Passphrase

The next step is to remove the passphrase from the key for the site. I'd love to keep it on, but it means nginx can't be restarted without an operator at the console to enter the passphrase every time, which is definitely less than ideal. So to remove the passphrase from your key, first back it up and then take it off with openssl:

mv rubypond.key rubypond.key.passphrased
openssl rsa -in rubypond.key.passphrased -out rubypond.key

Configuring Nginx to use your new SSL certificate

This config is taken straight from my earlier article on setting up nginx, SSL, and virtual hosts, but I'll include it here for good measure too:

server {
  listen 443;
  server_name myserver.com;

  # on nginx 1.15 and later "ssl on;" is deprecated; use "listen 443 ssl;" instead
  ssl on;
  ssl_certificate /etc/nginx/certs/rubypond.com.crt.merged;
  ssl_certificate_key /etc/nginx/certs/rubypond.key;

  # put the rest of your server configuration here.

  location / {
     proxy_set_header X-FORWARDED_PROTO https;

     # put your config here
  }
}

Just be sure to point the certificate entry at the new merged certificate and the key entry at the now un-passphrased key, then restart nginx. Done.
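Before that restart it is worth checking the three things that quietly go wrong with this procedure: the merged file has the intermediary on top instead of the site certificate, the key still carries a passphrase, or the key doesn't actually belong to the certificate. The script below is an added example (not from the original post) that runs the merge and passphrase steps and then performs those checks; it assumes openssl is on the PATH, reuses the post's file names (or hypothetical ones), and takes the passphrase from a KEY_PASS environment variable rather than the command line.

```shell
# Added example, not from the original post: runs the post's merge and
# passphrase steps and checks the result before nginx sees it. Assumes
# openssl on PATH; file names are the post's or hypothetical.

# Print the N-th PEM certificate in FILE (nginx reads them in that order).
nth_cert() {
  awk -v n="$2" '/-----BEGIN CERTIFICATE-----/{c++} c==n' "$1"
}

# merge_chain SITE_CRT INTERMEDIATE_CRT OUT: site cert first, then the
# intermediary, exactly what the post's two cat commands produce.
merge_chain() {
  cat "$1" "$2" > "$3"
}

# strip_passphrase IN OUT: the post's openssl rsa step, except the passphrase
# comes from $KEY_PASS (not the command line, which ps would show) and the
# unencrypted key is created mode 0600 via umask.
strip_passphrase() {
  ( umask 077; openssl pkey -in "$1" -passin env:KEY_PASS -out "$2" )
}

# check_order MERGED: issuer of the first cert must equal the subject of the
# second, i.e. the site cert is on top and the intermediary follows it.
check_order() {
  leaf=$(nth_cert "$1" 1 | openssl x509 -noout -issuer 2>/dev/null)
  next=$(nth_cert "$1" 2 | openssl x509 -noout -subject 2>/dev/null)
  [ -n "$leaf" ] && [ "${leaf#issuer=}" = "${next#subject=}" ]
}

# key_is_unencrypted KEY: an encrypted key would leave nginx waiting at a
# passphrase prompt on every restart.
key_is_unencrypted() {
  openssl pkey -in "$1" -passin pass: -noout 2>/dev/null
}

# key_matches_cert KEY MERGED: the key's public half must equal the public
# key inside the site certificate (the first cert in the merged file).
key_matches_cert() {
  [ "$(openssl pkey -in "$1" -passin pass: -pubout 2>/dev/null)" = \
    "$(openssl x509 -in "$2" -noout -pubkey 2>/dev/null)" ]
}

# prepare_nginx_ssl SITE_CRT INTER_CRT ENCRYPTED_KEY MERGED_OUT KEY_OUT
# Succeeds only when every check passes; point nginx at MERGED_OUT and KEY_OUT.
prepare_nginx_ssl() {
  merge_chain "$1" "$2" "$4" && strip_passphrase "$3" "$5" &&
  check_order "$4" && key_is_unencrypted "$5" && key_matches_cert "$5" "$4"
}
```

Run it as `KEY_PASS=... sh -c '. ./prepare.sh; prepare_nginx_ssl rubypond.com.crt intermediate_bundle.crt rubypond.key.passphrased rubypond.com.crt.merged rubypond.key'` and only restart nginx if it exits 0.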

Glenn Gillen

I'm an advisor to, and investor in, early-stage tech startups. Beyond that I'm an incredibly fortunate husband and father. Working on a developer-facing tool or service? Thinking about starting one? Email me and let me know or come to one of our days to help make it a reality.