Chaining intermediate certificates for Nginx

I always use startssl.com to get free authentication certificates. It’s a little clunky to use, but it’s free and that makes it awesome. When it comes time to configure Nginx to use my new certificates, I always forget what to do. These instructions are adapted from here.

Having successfully followed the instructions at startssl.com, you’ll wind up with these four files:

  1. ca.pem
  2. ssl.crt
  3. ssl.key
  4. sub.class1.server.ca.pem

I like to put these all in a directory and zip ‘em up for transport to the production server. Assuming that they’ve all been saved to a directory named for your URL (e.g., example.com/):

```shell
tar -zcvf example.com.tar.gz example.com
scp example.com.tar.gz you@example.com:~
```

Then, from the production machine, untar the file:

```shell
ssh you@example.com
tar -zxvf example.com.tar.gz
cd example.com/
```

Decrypt the private key with the password you entered at startssl.com.

```shell
openssl rsa -in ssl.key -out example.com.key
```

The unencrypted private key is not something you want to show off. Make it so only root can read it:

```shell
chmod 400 example.com.key
sudo chown root:root example.com.key
```

Nginx needs the startssl.com intermediate certificate appended after your server certificate, in that order, in a single file:

```shell
cat ssl.crt sub.class1.server.ca.pem > example.com.crt
```
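Two of the steps above are easy to get subtly wrong: cat-ing the two PEM files together when ssl.crt has no trailing newline (the END and BEGIN markers fuse onto one line and Nginx will not load the file), and forgetting to decrypt the key. The helper below is an added example, not code from the original post; it keeps the post's file names, and the certificate text it writes is a constructed placeholder rather than a real StartSSL certificate.

```shell
#!/bin/sh
# Added example, not from the original post: assemble example.com.crt from
# ssl.crt + sub.class1.server.ca.pem with a newline guard, then sanity-check
# the chain and the decrypted key. Demo input is constructed placeholder text.

# cat_chain LEAF INTERMEDIATE OUT: like `cat LEAF INTERMEDIATE > OUT`, but
# adds a newline when LEAF lacks a trailing one; otherwise the leaf's END
# marker and the intermediate's BEGIN marker fuse onto one line.
cat_chain() {
  { cat "$1"; [ -n "$(tail -c 1 "$1")" ] && echo; cat "$2"; } > "$3"
}

# check_chain FILE: succeeds when FILE holds at least two well-formed PEM
# certificate blocks (leaf, then intermediate) and no fused markers.
check_chain() {
  begins=$(grep -c '^-----BEGIN CERTIFICATE-----$' "$1" || true)
  ends=$(grep -c '^-----END CERTIFICATE-----$' "$1" || true)
  fused=$(grep -c 'END CERTIFICATE-----[^[:space:]]' "$1" || true)
  [ "$begins" -ge 2 ] && [ "$begins" -eq "$ends" ] && [ "$fused" -eq 0 ]
}

# key_is_plain FILE: succeeds when the key has no ENCRYPTED header, i.e.
# `openssl rsa -in ssl.key -out example.com.key` has already been run.
key_is_plain() {
  ! grep -q 'ENCRYPTED' "$1"
}

# mk_demo: writes constructed placeholder files to a temp dir and prints its
# path. ssl.crt deliberately lacks a trailing newline, the case plain cat gets wrong.
mk_demo() {
  d=$(mktemp -d)
  printf '%s' '-----BEGIN CERTIFICATE-----
LEAF-PLACEHOLDER
-----END CERTIFICATE-----' > "$d/ssl.crt"
  printf '%s\n' '-----BEGIN CERTIFICATE-----
INTERMEDIATE-PLACEHOLDER
-----END CERTIFICATE-----' > "$d/sub.class1.server.ca.pem"
  cat "$d/ssl.crt" "$d/sub.class1.server.ca.pem" > "$d/naive.crt"
  cat_chain "$d/ssl.crt" "$d/sub.class1.server.ca.pem" "$d/example.com.crt"
  echo "$d"
}

demo=$(mk_demo)
check_chain "$demo/naive.crt" && echo "naive cat: ok" || echo "naive cat: fused markers"
check_chain "$demo/example.com.crt" && echo "cat_chain: ok" || echo "cat_chain: broken"
```

Before restarting, sudo nginx -t will also refuse a chain file it cannot parse, so run it after the files are in place.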

The private key has been decrypted and the certificate chain assembled. Supposing you have an Nginx server block that looks like this:

```nginx
server {
    listen 443 default_server ssl;
    ssl_certificate /etc/nginx/ssl/example.com.crt;
    ssl_certificate_key /etc/nginx/ssl/example.com.key;
    # ...
}
```

We need to move the certificate chain and the private key into the directory those directives point to (/etc/nginx/ssl/).

```shell
sudo mv example.com.crt /etc/nginx/ssl/
sudo mv example.com.key /etc/nginx/ssl/
```

Restart your Nginx server and your certificates should be ready to go.