Set up SSL using a .PFX file on nginx/apache2
A .pfx file is a password-protected certificate archive (PKCS#12) which contains your certificate and its private key.
Certificate file extensions can be confusing since there are so many different ones (.crt, .cert, .key, .pem, .csr, etc.). Personally I use the same extensions (.crt and .key) as the nginx HTTPS documentation.
domain.tld.key: the private, decrypted RSA key for the certificate (ssl_certificate_key).
domain.tld.crt: the certificate for the domain on its own (without the issuer chain).
bundle.crt: the certificate file for the issuer (the CA chain).
domain.tld.chained.crt: the concatenated file consisting of domain.tld.crt followed by bundle.crt (ssl_certificate).
Get the .key file
Extract the encrypted key using the command below. openssl asks for the .pfx password and then for a pass phrase to protect the intermediate key file:
openssl pkcs12 -in certfile.pfx -nocerts -out domain.tld.encrypted.key
Decrypt the encrypted key using:
openssl rsa -in domain.tld.encrypted.key -out domain.tld.key
Delete the domain.tld.encrypted.key file afterwards, since we won't need it.
Get the .crt file
Get your domain certificate using:
openssl pkcs12 -in certfile.pfx -clcerts -nokeys -out domain.tld.crt
Get your CA certificate using the following (pass -nokeys as well, otherwise openssl also writes the private key into bundle.crt):
openssl pkcs12 -in certfile.pfx -cacerts -nokeys -out bundle.crt
Concatenate the two .crt files into a chained .crt, with the domain certificate first:
cat domain.tld.crt bundle.crt > domain.tld.chained.crt
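As an added example (not part of the original post), the extraction above as one script, plus a local check that the key belongs to the domain certificate and that the certificate chains to the extracted bundle; the function names, the throwaway test CA and the password "secret" are assumptions. It uses -nodes so the separate decrypt step is not needed, and umask 077 so the files are created 0600 from the start.

```shell
#!/bin/sh
# Added example, not the post's own script. Names (pfx_extract, pfx_verify,
# make_test_pfx), the throwaway CA and the password "secret" are constructed.
set -eu

# pfx_extract FILE.pfx PASSWORD OUTDIR NAME
# Writes NAME.key, NAME.crt, bundle.crt and NAME.chained.crt into OUTDIR.
# -nodes writes the key unencrypted, so the post's second decrypt step goes
# away; umask 077 makes key and certs 0600 (dir 0700) from the start.
pfx_extract() {
  pfx=$1; pass=$2; out=$3; name=$4
  (
    umask 077
    mkdir -p "$out"
    openssl pkcs12 -in "$pfx" -passin "pass:$pass" -nocerts -nodes -out "$out/$name.key"
    openssl pkcs12 -in "$pfx" -passin "pass:$pass" -clcerts -nokeys -out "$out/$name.crt"
    openssl pkcs12 -in "$pfx" -passin "pass:$pass" -cacerts -nokeys -out "$out/bundle.crt"
    cat "$out/$name.crt" "$out/bundle.crt" > "$out/$name.chained.crt"  # leaf first
  )
}

# pfx_verify OUTDIR NAME: succeeds only if the key's public half matches the
# domain certificate and that certificate chains to the extracted CA bundle.
# A mismatch here would otherwise surface as a refused start of nginx/apache2.
pfx_verify() {
  out=$1; name=$2
  kpub=$(openssl pkey -in "$out/$name.key" -pubout -outform DER | openssl dgst -sha256)
  cpub=$(openssl x509 -in "$out/$name.crt" -pubkey -noout \
         | openssl pkey -pubin -pubout -outform DER | openssl dgst -sha256)
  [ "$kpub" = "$cpub" ] || return 1
  openssl verify -CAfile "$out/bundle.crt" "$out/$name.crt" >/dev/null
}

# make_test_pfx DIR: constructed fixture, a throwaway CA plus a leaf for
# example.test, packed into DIR/test.pfx with password "secret".
make_test_pfx() {
  dir=$1
  openssl req -x509 -newkey rsa:2048 -nodes -days 2 -subj "/CN=Test CA" \
    -keyout "$dir/ca.key" -out "$dir/ca.crt" 2>/dev/null
  openssl req -newkey rsa:2048 -nodes -subj "/CN=example.test" \
    -keyout "$dir/leaf.key" -out "$dir/leaf.csr" 2>/dev/null
  openssl x509 -req -days 1 -in "$dir/leaf.csr" -CA "$dir/ca.crt" \
    -CAkey "$dir/ca.key" -CAcreateserial -out "$dir/leaf.crt" 2>/dev/null
  openssl pkcs12 -export -inkey "$dir/leaf.key" -in "$dir/leaf.crt" \
    -certfile "$dir/ca.crt" -passout pass:secret -out "$dir/test.pfx"
}
```

Run pfx_verify against the files before copying them to /etc/ssl/private/; for a real .pfx, call pfx_extract with the archive's own password instead of the fixture.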
Move the certificate
Move the files to the server into the directory /etc/ssl/private/ and make sure to secure them by setting these permissions:
sudo chmod 600 domain.tld.*
sudo chown root:root domain.tld.*
Update your web server configuration and add these directives to the sites you want HTTPS on. (Note that nginx deprecated 'ssl on;' in 1.15.0 in favour of 'listen 443 ssl;'.)
# nginx
ssl on;
ssl_certificate /etc/ssl/private/domain.tld.chained.crt;
ssl_certificate_key /etc/ssl/private/domain.tld.key;

# apache2 conf
SSLEngine on
SSLCertificateFile /etc/ssl/private/domain.tld.chained.crt
SSLCertificateKeyFile /etc/ssl/private/domain.tld.key
Remember to reload the service, or restart if it's a new site.
Checking your SSL
Test your certificate via https://www.ssllabs.com/ssltest/ and https://www.sslshopper.com/ssl-checker.html
Key and certificate in one file
You can append the .key to the .crt file, and then point both ssl_certificate and ssl_certificate_key at that same file. This works for both nginx and apache2.
Personally I like to keep them separate, to make it clearer, but I can understand why some would merge them to have only one file.
Renaming the files
I recommend adding the validity years to the certificate file names, e.g.
domain.tld.2020-2022.key, where 2020-2022 are the years the certificate is valid, so the next one would be
domain.tld.2022-2024.key. This makes it very easy to see which sites are using which certificates.