Nginx install intermediate certificate
Nginx expects all server section certificates in a file that you refer to with ssl_certificate. Just put all of the vendor's intermediate certificates and your domain's certificate in a file. It'll look like this.
-----BEGIN CERTIFICATE-----
MII...
-----END CERTIFICATE-----
-----BEGIN CERTIFICATE-----
MII...
-----END CERTIFICATE-----
-----BEGIN CERTIFICATE-----
MII...
-----END CERTIFICATE-----
To make sure everything is okay and to avoid downtime, I would suggest you set up Nginx locally, add 127.0.0.1 yourdomain.com to /etc/hosts, and try opening it from major browsers. When you've verified that everything is correct, you can replicate it to the production server.
When you're done, it is a good idea to use some SSL checker tool to verify (e.g. this one). Because pre-installed CA certificates may vary depending on browser and platform, you can easily overlook a misconfiguration checking from one OS or a limited set of browsers.
Edit
As @Martin pointed out, the order of certificates in the file is important. RFC 4346 for TLS 1.1 states:
This is a sequence (chain) of X.509v3 certificates. The sender's certificate must come first in the list. Each following certificate must directly certify the one preceding it.
Thus the order is:
- 1. Your domain's certificate
- 2. Vendor's intermediate certificate that certifies (1)
- 3. Vendor's intermediate certificate that certifies (2)
- ...
- n. Vendor's root certificate that certifies (n-1). Optional, because it should be contained in client's CA store.
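The ordering rule above can be checked before a bundle is deployed. The following is an added example, not part of the original answer: it reads each certificate's issuer and subject from a PEM bundle and reports positions where the issuer is not the subject of the next certificate. It compares names byte for byte and does not verify signatures; the function names and the skeletal sample certificates are constructed for illustration.

```python
import base64, re

def tlv(buf, pos):
    """Read one DER element at pos; return (tag, value start, element end)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                       # long-form length
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, pos, pos + length

def issuer_subject(cert):
    """Raw DER issuer and subject Name of one DER-encoded certificate."""
    _, p, _ = tlv(cert, 0)                  # Certificate SEQUENCE
    _, p, _ = tlv(cert, p)                  # tbsCertificate SEQUENCE
    tag, _, end = tlv(cert, p)
    if tag == 0xA0:                         # optional [0] version field
        p = end
    fields = []
    for _ in range(5):                      # serial, sigAlg, issuer, validity, subject
        _, _, end = tlv(cert, p)
        fields.append(cert[p:end])
        p = end
    return fields[2], fields[4]

def misordered(pem_text):
    """1-based positions whose issuer is not the subject of the next cert."""
    blocks = re.findall(r"-----BEGIN CERTIFICATE-----(.*?)-----END CERTIFICATE-----",
                        pem_text, re.S)
    names = [issuer_subject(base64.b64decode(b)) for b in blocks]
    return [i + 1 for i in range(len(names) - 1) if names[i][0] != names[i + 1][1]]

# --- constructed sample input: skeletal DER certificates, names only, unsigned ---
def der(tag, body):
    return bytes([tag, len(body)]) + body   # short-form length, body < 128 bytes

def name(cn):                               # Name holding a single commonName
    return der(0x30, der(0x31, der(0x30, der(0x06, b"\x55\x04\x03") + der(0x0C, cn.encode()))))

def pem(subject, issuer):
    tbs = der(0x30, der(0xA0, der(0x02, b"\x02")) + der(0x02, b"\x01") + der(0x30, b"")
              + name(issuer) + der(0x30, b"") + name(subject))
    return ("-----BEGIN CERTIFICATE-----\n" + base64.encodebytes(der(0x30, tbs)).decode()
            + "-----END CERTIFICATE-----\n")

LEAF, INTER2 = pem("example.com", "Int CA 2"), pem("Int CA 2", "Int CA 1")
INTER1 = pem("Int CA 1", "Root CA")

if __name__ == "__main__":
    print(misordered(LEAF + INTER2 + INTER1))   # domain certificate first
    print(misordered(INTER2 + LEAF + INTER1))   # domain certificate out of place
```

An empty list means every certificate is followed by the one that issued it; for a real bundle, pass the contents of the file referenced by ssl_certificate to misordered().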