To install your Sectigo SSL certificate in Nginx with its full certificate chain, follow these steps:
1. Prepare Your Certificate Files
- You should have received the following files from Sectigo:
  - Your Domain Certificate (e.g., `your_domain.crt`)
  - Intermediate Certificate(s) (e.g., `SectigoRSAOrganizationValidationSecureServerCA.crt`)
  - Private Key (e.g., `your_domain.key`)
- Combine your domain certificate and the intermediate certificate(s) into a single `fullchain.crt` file:
```bash
cat your_domain.crt My_CA_Bundle.ca-bundle AAACertificateServices.crt > fullchain.crt
```
2. Upload the Files to Your Server
- Upload the following files to your server (e.g., in `/etc/nginx/ssl/`):
  - `fullchain.crt`
  - `your_domain.key`
3. Configure Nginx
- Edit your Nginx configuration file (usually located at `/etc/nginx/nginx.conf` or `/etc/nginx/sites-available/your_domain.conf`).
- Add or update the `server` block to include the SSL configuration:
```nginx
server {
    listen 443 ssl;
    server_name your_domain.com;

    ssl_certificate /etc/nginx/ssl/fullchain.crt;
    ssl_certificate_key /etc/nginx/ssl/your_domain.key;
    ssl_protocols TLSv1.2 TLSv1.3;
    ssl_ciphers HIGH:!aNULL:!MD5;

    location / {
        root /var/www/your_domain;
        index index.html index.htm;
    }
}
```
- If you want to redirect HTTP traffic to HTTPS, add this `server` block:
```nginx
server {
    listen 80;
    server_name your_domain.com;
    return 301 https://$host$request_uri;
}
```
4. Test the Nginx Configuration
- Test the Nginx configuration to ensure there are no syntax errors:
```bash
sudo nginx -t
```
5. Reload Nginx
- If the test is successful, reload Nginx to apply the changes:
```bash
sudo systemctl reload nginx
```
6. Verify the SSL Installation
- Visit your website using `https://your_domain.com` and ensure the SSL certificate is working correctly.
- You can also use tools like [SSL Labs' SSL Test](https://www.ssllabs.com/ssltest/) to verify the installation.
7. Optional: Enable HSTS (HTTP Strict Transport Security)
- To enforce HTTPS and improve security, add the following line inside the `server` block for port 443:
```nginx
add_header Strict-Transport-Security "max-age=31536000; includeSubDomains" always;
```
8. Optional: Automate Certificate Renewal
- If your certificate is not auto-renewed, set up a cron job or script to handle renewal and reload Nginx when the certificate is updated.
You can also check your SSL setup with the SSL Shopper checker: https://www.sslshopper.com/ssl-checker.html
That's it! Your Nginx server should now be serving your site with the Sectigo SSL certificate.
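The following script is an added example, not part of the original guide. Run it before step 4 to confirm that the `fullchain.crt` built in step 1 is well-formed, that its first certificate matches `your_domain.key`, and that the certificates are ordered leaf-first. The script and function names are assumptions; it uses only standard `openssl x509` and `openssl pkey` options and compares issuer and subject names rather than verifying signatures.

```shell
#!/bin/sh
# Added example: sanity-check fullchain.crt and its key before `nginx -t`.
# Usage: sh check_fullchain.sh /etc/nginx/ssl/fullchain.crt /etc/nginx/ssl/your_domain.key

# Print how many certificates the bundle holds. Fails when two PEM blocks are
# fused on one line, which happens if a file passed to `cat` lacks a final newline.
pem_count() {
  if grep -q -e 'END CERTIFICATE-----.*BEGIN' "$1"; then
    echo "fused PEM boundary in $1" >&2
    return 1
  fi
  grep -c -e '-----BEGIN CERTIFICATE-----' "$1" || true
}

# Print the n-th certificate (1-based) of the bundle.
pem_nth() {
  awk -v n="$2" '/-----BEGIN CERTIFICATE-----/ { i++ } i == n { print }' "$1"
}

check_fullchain() {
  chain=$1 key=$2
  n=$(pem_count "$chain") || return 1
  if [ "${n:-0}" -lt 2 ]; then
    echo "expected leaf plus intermediate(s), found ${n:-0} certificate(s)" >&2
    return 1
  fi
  # 1. The key must be the private half of the FIRST certificate (the leaf).
  cert_pub=$(pem_nth "$chain" 1 | openssl x509 -noout -pubkey 2>/dev/null)
  key_pub=$(openssl pkey -in "$key" -pubout 2>/dev/null)
  if [ -z "$cert_pub" ] || [ "$cert_pub" != "$key_pub" ]; then
    echo "private key does not match the first certificate" >&2
    return 1
  fi
  # 2. Order: each certificate's issuer must be the next one's subject.
  #    This compares names only; it does not verify signatures.
  i=1
  while [ "$i" -lt "$n" ]; do
    iss=$(pem_nth "$chain" "$i" | openssl x509 -noout -issuer -nameopt RFC2253)
    sub=$(pem_nth "$chain" $((i + 1)) | openssl x509 -noout -subject -nameopt RFC2253)
    if [ "${iss#issuer=}" != "${sub#subject=}" ]; then
      echo "certificate $i is not issued by certificate $((i + 1))" >&2
      return 1
    fi
    i=$((i + 1))
  done
  echo "OK: $n certificates, key matches leaf, order is leaf-first"
}

if [ "$#" -eq 2 ]; then check_fullchain "$1" "$2"; fi
```

A non-zero exit status means the bundle or key should be fixed before running `sudo nginx -t` and reloading.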