Install SSL on Nginx

Combine your certificate files into a fullchain and configure your Nginx server block for HTTPS.

Before You Begin

You will need these three files from your SSL certificate download:

certificate.crtYour SSL certificate
private.keyYour private key - keep this secure
ca_bundle.crtCA bundle (intermediate certificates)

Installation Steps

  1. Create a combined fullchain file

    Nginx requires the certificate and CA bundle in a single file.

    cat certificate.crt ca_bundle.crt > fullchain.crt
  2. Upload files to the server

    Copy the combined certificate and private key to the server.

    /etc/nginx/ssl/fullchain.crt
    /etc/nginx/ssl/private.key
  3. Configure server block

    Edit your Nginx server block to enable SSL.

    server {
    listen 443 ssl http2;
    server_name yourdomain.com www.yourdomain.com;

    ssl_certificate /etc/nginx/ssl/fullchain.crt;
    ssl_certificate_key /etc/nginx/ssl/private.key;

    ssl_protocols TLSv1.2 TLSv1.3;
    ssl_ciphers HIGH:!aNULL:!MD5;

    root /var/www/html;
    }
  4. Test and reload

    Test the configuration and reload Nginx.

    sudo nginx -t
    sudo systemctl reload nginx

Common Issues

SSL_ERROR_RX_RECORD_TOO_LONG
This usually means the fullchain.crt starts with the CA bundle instead of your certificate. Ensure you run cat certificate.crt ca_bundle.crt > fullchain.crt in that exact order - certificate first, then bundle.
No such file or directory for ssl directory
The /etc/nginx/ssl/ directory does not exist by default. Create it first with sudo mkdir -p /etc/nginx/ssl before copying your certificate files.
Permission denied on private.key
Lock down the private key file so only root can read it: sudo chmod 600 /etc/nginx/ssl/private.key && sudo chown root:root /etc/nginx/ssl/private.key

Frequently Asked Questions

Unlike Apache, Nginx combines the certificate and intermediate CA certificates in one ssl_certificate directive. You must concatenate them manually with cat certificate.crt ca_bundle.crt > fullchain.crt.

Add a separate server block listening on port 80:
server {
    listen 80;
    server_name yourdomain.com;
    return 301 https://$host$request_uri;
}

reload applies configuration changes without dropping active connections. restart fully stops and starts Nginx. Use reload for most config changes; only use restart if you changed something that requires a full process restart.

Certificate Installed? Set Up Expiry Monitoring.

Get an email reminder 14 days before your certificate expires - free, no account needed.