Nginx correct SSL Certificate order

httpsnginxssl

I got the following files:

priv.key // This is my priv key and contains one —–BEGIN ENCRYPTED
PRIVATE KEY—– section
req.csr // This is my certificate request file
cert.pem // This is my certificate I got back per mail and contains one —–BEGIN CERTIFICATE—– section
cacert_sha1.crt // this is the root CA I think
chain.txt // dont know whats that for but must be usefull according to some tutorials 🙂

I tried a lot of stuff and combined the files in a lot of different ways to new .pem files. But I always get a not signed error from the browser when I surf to the website

I always restarted nginx after changing my config.

Does anyone knows how to combine in the correct order/way? Are this all files I need ?

Thanks 🙂

Best Answer

The ssl_certificate_key directive specifies your private key (that's your priv.key file).

The ssl_certificate directive specifies a file containing a concatenation of your signed certificate (which you call cert.pem), the Certificate Authority and zero or more chain files.

The certificate signing request is not used by nginx.

Care is required when concatenating the certificate files. Your certificate should be first. Also, there is a lot of extra junk in those chain files and I don't know if it gets ignored. You might want to edit the junk out.

See this document for more.

Related Solutions

Nginx – use the same SSL certificate for smtp, imap, pop3 and http

The short answer is that yes a single certificate can be used for all those services.

The key and certificate can be stored in many formates, and using the openssl tool you can convert your key and certificate to other formats.

The real barrier is can you get a certificate that is valid for all the names that you wish to use. For your web you might want to use www.example.com, and for your mail you might want to use mail.example.com. You can get a wildcard or SAN certificate that will cover lots of names, but these cost more. It may be cheaper to get a couple individual certificates. The prices for different certs are different, so take some time and work out which will be cheaper in your case.

Ssl – Heroku SSL: Pem is invalid / Key doesn’t match the Pem certificate

I think I may have run into a similar issue when attempting to use a Gandi certificate on Heroku. Heroku kept on complaining that my PEM file didn't match my key, and running openssl x509 -noout -modulus -in example.com.crt gave me an "unable to load certificate" error.

The issue in my case was very simple: when I downloaded the certificate from Gandi, there was an extra blank line between the certificate text and the "--END CERTIFICATE..." line:

ghjg86GHHJ47Nmmmaiuoj8bUW8bbn/9w78sTxuguHQWjhuhuQWQhuybyyA==

-----END CERTIFICATE-----

When I deleted the blank line, everything worked perfectly:

ghjg86GHHJ47Nmmmaiuoj8bUW8bbn/9w78sTxuguHQWjhuhuQWQhuybyyA==
-----END CERTIFICATE-----

I think when you create the final PEM file that you want to concatenate your certificate and your CA's certificate, not your certificate and your private key:

cat example.com.crt certificate-issuer.com.pem > example.com.pem

Finally, I found http://blog.bloom.io/2011/09/16/https-ssl-table-stakes/ very helpful with the whole process.

Best Answer

Related Solutions

Nginx – use the same SSL certificate for smtp, imap, pop3 and http

Ssl – Heroku SSL: Pem is invalid / Key doesn’t match the Pem certificate

Related Topic