
I'm trying to install an intermediate certificate on Nginx (Laravel Forge). Right now the certificate is properly installed; just the intermediate is missing.

I've seen that I need to concatenate the current certificate with the intermediate. What is the best/safest way to add the intermediate certificate?

Also, if the install of the intermediate fails, can I just roll back to the previous certificate and reboot Nginx? (The website is live, so I can't have too long a downtime.)

Flash-Square

2 Answers


Nginx expects all of a server section's certificates in one file that you refer to with ssl_certificate. Just put all the vendor's intermediate certificates and your domain's certificate in a file. It'll look like this.

-----BEGIN CERTIFICATE-----
MII...
-----END CERTIFICATE-----
-----BEGIN CERTIFICATE-----
MII...
-----END CERTIFICATE-----
-----BEGIN CERTIFICATE-----
MII...
-----END CERTIFICATE-----

To make sure everything is okay and to avoid downtime, I would suggest you set up Nginx locally, add 127.0.0.1 yourdomain.com to /etc/hosts, and try opening it from the major browsers. When you've verified that everything is correct, you can replicate it to the production server.

When you're done, it is a good idea to use some SSL checker tool to verify (e.g. this one). Because pre-installed CA certificates may vary depending on browser and platform, you can easily overlook a misconfiguration checking from one OS or a limited set of browsers.

Edit

As @Martin pointed out, the order of certificates in the file is important. RFC 4346 for TLS 1.1 states:

This is a sequence (chain) of X.509v3 certificates. The sender's certificate must come first in the list. Each following certificate must directly certify the one preceding it.

Thus the order is:

1. Your domain's certificate
2. Vendor's intermediate certificate that certifies (1)
3. Vendor's intermediate certificate that certifies (2)
...
n. Vendor's root certificate that certifies (n-1). Optional, because it should be contained in the client's CA store.
saaj
  • Please note that the order is important, see https://serverfault.com/questions/476576/how-to-combine-various-certificates-into-single-pem/476620#476620 – Martin Sep 01 '16 at 17:10
  • I tried this method but my nginx isn't reloading, and is throwing the error "no ssl_certificate_key given". Please explain this. – Kartik Nigam Apr 23 '19 at 17:55
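The procedure the answer describes, as an added example that is not part of the original answer: a POSIX shell script that concatenates the PEM files in the stated order (domain certificate first, then each intermediate that certifies the one before it, root optional), checks that each certificate in the bundle is issued by the next one, runs openssl verify against the root, and ends with the test-then-reload sequence with a rollback, which is the question's downtime concern. The helper names (build_chain, check_chain_order, verify_chain, make_demo_chain), the /etc/nginx/ssl paths and the "Demo" CA are assumptions; the certificates are generated on the fly so the script runs offline.

```shell
#!/bin/sh
# Added example, not code from the question or the answers. It builds the bundle
# that ssl_certificate points to in the order the answer gives (domain certificate
# first, then each intermediate that certifies the one before it, root optional)
# and checks that order with openssl before nginx is touched. File names are
# placeholders; the certificates used below are generated locally for the demo.
set -eu

# Print the subject or issuer DN of the first certificate in a PEM file, with the
# "subject=" / "issuer=" prefix stripped so the two can be compared as strings.
dn() { openssl x509 -in "$1" -noout "-$2" | sed 's/^[a-z]*= *//'; }

# build_chain OUT domain.pem intermediate1.pem [intermediate2.pem ...] [root.pem]
# Concatenates the PEM files into one bundle, in the order given on the command line.
build_chain() {
    out="$1"; shift
    cat "$@" > "$out"
}

# check_chain_order BUNDLE: certificate i must be issued by certificate i+1.
# Returns 0 if every link matches, 1 at the first link that does not.
check_chain_order() {
    bundle="$1"
    tmp=$(mktemp -d)
    # split the bundle into tmp/cert-1.pem, tmp/cert-2.pem, ... (one cert each)
    awk -v d="$tmp" '/-----BEGIN CERTIFICATE-----/ {n++} n>0 {print > (d "/cert-" n ".pem")}' "$bundle"
    n=$(grep -c 'BEGIN CERTIFICATE' "$bundle")
    i=1; rc=0
    while [ "$i" -lt "$n" ]; do
        if [ "$(dn "$tmp/cert-$i.pem" issuer)" != "$(dn "$tmp/cert-$((i + 1)).pem" subject)" ]; then
            echo "certificate $i is not certified by certificate $((i + 1))" >&2
            rc=1; break
        fi
        i=$((i + 1))
    done
    rm -rf "$tmp"
    return $rc
}

# verify_chain ROOT BUNDLE: the cryptographic check a client performs. The first
# certificate in the bundle is taken as the domain certificate; the rest are
# offered as untrusted intermediates and must link it to ROOT.
verify_chain() {
    leaf=$(mktemp)
    openssl x509 -in "$2" -out "$leaf"
    rc=0
    openssl verify -CAfile "$1" -untrusted "$2" "$leaf" >/dev/null || rc=1
    rm -f "$leaf"
    return $rc
}

# make_demo_chain DIR: throwaway root -> intermediate -> domain chain
# (demo only; in production these files come from the vendor and your CSR).
make_demo_chain() {
    d="$1"
    printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=keyCertSign,cRLSign\n' > "$d/ca.ext"
    for name in root inter domain; do
        openssl req -new -newkey rsa:2048 -nodes -keyout "$d/$name.key" \
            -out "$d/$name.csr" -subj "/CN=Demo $name" 2>/dev/null
    done
    openssl x509 -req -in "$d/root.csr" -signkey "$d/root.key" -days 2 \
        -extfile "$d/ca.ext" -out "$d/root.pem" 2>/dev/null
    openssl x509 -req -in "$d/inter.csr" -CA "$d/root.pem" -CAkey "$d/root.key" \
        -CAcreateserial -days 2 -extfile "$d/ca.ext" -out "$d/inter.pem" 2>/dev/null
    openssl x509 -req -in "$d/domain.csr" -CA "$d/inter.pem" -CAkey "$d/inter.key" \
        -CAcreateserial -days 2 -out "$d/domain.pem" 2>/dev/null
}

# Demo: the right order passes both checks; the reversed order fails the order
# check (nginx would reject that file at "nginx -t" with a key/certificate mismatch).
d=$(mktemp -d)
make_demo_chain "$d"
build_chain "$d/fullchain.pem" "$d/domain.pem" "$d/inter.pem"
build_chain "$d/wrong.pem" "$d/inter.pem" "$d/domain.pem"
check_chain_order "$d/fullchain.pem" && echo "fullchain.pem: order OK"
check_chain_order "$d/wrong.pem" 2>/dev/null || echo "wrong.pem: order rejected, as expected"
verify_chain "$d/root.pem" "$d/fullchain.pem" && echo "fullchain.pem: verifies against the root"
rm -rf "$d"

# On the live server (not run here): keep the old bundle so a failed test is a
# one-line rollback; "nginx -s reload" picks up the new file without dropping
# existing connections, so no reboot is needed.
#   cp /etc/nginx/ssl/bundle.pem /etc/nginx/ssl/bundle.pem.bak
#   build_chain /etc/nginx/ssl/bundle.pem domain.crt intermediate.crt
#   check_chain_order /etc/nginx/ssl/bundle.pem && nginx -t && nginx -s reload \
#       || cp /etc/nginx/ssl/bundle.pem.bak /etc/nginx/ssl/bundle.pem
```

check_chain_order and verify_chain answer different questions: openssl verify does not care where the intermediate sits in the file, so it passes the reversed bundle too, while nginx takes the first certificate as the server certificate and fails if that is not the one matching ssl_certificate_key. Also make sure every vendor file ends with a newline before concatenating, since cat does not add one and a fused END/BEGIN line makes the bundle unparsable.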

Let's Encrypt: fullchain.pem

Same trouble for me. I was using Let's Encrypt and, in my Nginx configuration, I needed to NOT use this:

ssl_certificate      /etc/letsencrypt/live/domain.tld/cert.pem;
ssl_certificate_key   /etc/letsencrypt/live/domain.tld/privkey.pem;

But use this:

ssl_certificate      /etc/letsencrypt/live/domain.tld/fullchain.pem;
ssl_certificate_key   /etc/letsencrypt/live/domain.tld/privkey.pem;
Jesse
  • Nice! That worked. However, I am trying to set up OCSP stapling and I don't know which file I shall use for ssl_trusted_certificate. Can somebody help me out? – france1 Jul 11 '22 at 18:29
  • @france1 Probably to `full_chain.pem` https://support.globalsign.com/ssl/ssl-certificates-installation/nginx-enable-ocsp-stapling & https://sectigo.com/knowledge-base/detail/Enable-OCSP-Stapling-on-NGINX-1527076084670/kA01N000000zFJk. – Jesse Jul 11 '22 at 23:32
  • I didn't have to add ssl_trusted_certificate because fullchain.pem was already specified in ssl_certificate - it works now :) – france1 Jul 12 '22 at 13:40
  • @france1 I think that was the issue for me also, with the same conclusion – Jesse Jul 12 '22 at 14:44