This is a guide to updating SSL certification on a Linux webserver running Nginx as a proxy.
Obtain necessary files
Cert.pfx or similar.
- The GoDaddy certificate bundle of type "G2 With Cross to G1, includes Root". This is typically called gd_bundle-g2-g1.crt and can be downloaded from https://certs.godaddy.com/repository or retrieved directly from the Linux command line (see below).
Configure the required certificate file within a Linux shell
Export the client certificate from the .PFX file
- Copy the Cert.pfx file to the Linux working directory.
- Enter the following command to export the client certificate from the .PFX file (specifying no private keys). A password response may be required, typically "password":
- openssl pkcs12 -in Cert.pfx -clcerts -nokeys -out new_mysite.crt
Obtain the GoDaddy certificate bundle from GoDaddy
- Either download the gd_bundle-g2-g1.crt file via a browser and transfer it to the Linux working directory or enter the following command to download it:
Or convert a P7B bundle file (for example gd-g2_iis_intermediates.crt)
- openssl pkcs7 -print_certs -in gd-g2_iis_intermediates.p7b -out gd-g2_iis_intermediates.crt
Add the GoDaddy bundle to the client certificate file
- Enter the following command to append the GoDaddy file to the end of the new client certificate:
- cat ./gd_bundle-g2-g1.crt >>./new_mysite.crt
- cat ./gd-g2_iis_intermediates.crt >>./new_mysite.crt
Configure the required RSA key file within a Linux shell
(Refer also to: https://www.openssl.org/docs/man1.0.2/apps/rsa.html)
Export a private key from the .PFX file
- Enter the following command to export a private key from the .PFX file (specifying no certificates and no des private key encryption). A password response may be required, typically "password":
- openssl pkcs12 -in Cert.pfx -nocerts -nodes -out new_mysite_priv.key
Create an RSA version of the private key
- Enter the following command to convert the private key to RSA format:
- openssl rsa -in new_mysite_priv.key -out new_mysite_rsa.key
Install the new certification and restart Nginx
- The path to the certificate files is /etc/nginx/keys and is defined in /etc/nginx/conf.d/default.conf.
Install new files
- Enter the following commands to copy the new files over the existing ones and restart the Nginx server process (note use of sudo to avoid permission problems):
- sudo bash -c "cp ./new_mysite.crt /etc/nginx/keys/mysite.crt"
- sudo bash -c "cp ./new_mysite_rsa.key /etc/nginx/keys/mysite.key"
- sudo service nginx restart