Skip to main content

Install an SSL certificate on Ubuntu with Nginx.

Here is the procedure to generate a CSR and install an SSL certificate on Ubuntu with nginx.

Updated over a week ago

Prerequisites

  • Having placed an order for an SSL certificate

Completion of the task: 15 minutes

Expertise: intermediate

How to do it?

Generate the CSR

First, you need to generate the CSR and key for your new SSL certificate.

Log in to your Ubuntu server using an SSH client.

Navigate to the /etc/ssl/ folder:

cd /etc/ssl/

Execute the following OpenSSL command in your terminal. This command will generate both a 2048-bit RSA private key and the CSR. Replace yourdomain.key and yourdomain.csr with the actual domain name you intend to secure (example: funio.com.key, funio.com.csr).

openssl req -new -newkey rsa:2048 -nodes -keyout yourdomain.key -out yourdomain.csr

  • openssl req: The OpenSSL command for certificate requests.

  • -new: Creates a new certificate request.

  • -newkey rsa:2048: Generates a new 2048-bit RSA private key.

  • -nodes: Ensures the private key is not encrypted with a passphrase (essential for Nginx to start without manual intervention).

  • -keyout yourdomain.key: Specifies the output file for your private key.

  • -out yourdomain.csr: Specifies the output file for your CSR.

You will be prompted to enter several details. Provide accurate information as this will be included in your SSL certificate.

  • Country Name (C): Two-letter country code (ex: CA, US).

  • State or Province Name (S): Full name of your state or province (ex: Quebec).

  • Locality Name (L): Full name of your city (ex: Montreal).

  • Organization Name (O): The legal name of your organization (ex: Your Company, Inc.).

  • Organizational Unit Name (OU): Your department within the organization (ex: IT, Web, Sales). This can often be left blank for Domain Validation certificates.

  • Common Name (CN): The fully-qualified domain name (FQDN) you are securing (e.g., www.example.com or *.example.com for a wildcard certificate). This is the most crucial field.

  • Email Address: An optional field for an administrative contact email.

  • A challenge password: Leave this blank by pressing Enter.

  • An optional company name: Leave this blank by pressing Enter.

The yourdomain.csr file will be generated in the directory where you ran the command. You will need to copy the entire contents of this file, including -----BEGIN CERTIFICATE REQUEST----- and -----END CERTIFICATE REQUEST-----, and provide it when you configure your SSL certificate order in your Funio Hub.

The yourdomain.key file is your private key and must be kept secure. Do not share it with anyone. You will need this key later when installing the SSL certificate on Nginx.

Configure your SSL certificate

You now need to complete the SSL certificate order on your Funio Hub. Once you have completed the configuration and approved the SSL certificate, you will receive a copy of the SSL certificate by email in PEM format.

  1. Log in to your Funio Hub, click the Services button, and select the Certificate on the list (click the status).

  2. Click on Configure now on the bottom of the page.

  3. Select cPanel / WHM in the Web Server Type option.

  4. Paste the previously generated CSR into the corresponding field, then press Click to Continue.

  5. Select the validation email that will be used to validate you are the domain owner, then press the button to continue. The email address must not contain www.

  6. Wait a few minutes and check the selected email address's inbox and spam box. You should find an email sent from Globalsign / AlphaSSL requesting a confirmation. Click the link and accept click the I accept button.

  7. The SSL Certificate will be generated and sent to the account email

Install the SSL certificate

Now you need the SSL certificate, the intermediate certificate, and the key that was generated with the CSR.

Log in to your Ubuntu server using an SSH client.

Navigate to the /etc/ssl/ folder:

cd /etc/ssl/

Use vim or nano to create your SSL certificate file:

vi yourdomain.crt

Copy the certificate code received by email, including -----BEGIN CERTIFICATE----- and -----END CERTIFICATE-----. Press the Esc key on your keyboard and then type :wq to save the change.

Follow the same procedure but this time to create the intermediate certificate file which is available here under GlobalSign GCC R6 AlphaSSL CA 2025 by clicking on the View in Base64 button.

vi intermediate.crt

You need to link the two certificates (or “Concatenate” them) into a single file by entering the command below:

cat yourdomain.crt intermediate.crt >> yourdomain-bundle.crt

Now, you need to modify your domain's Nginx virtual host file (/etc/nginx/sites-available/yourdomain.com). Copy the existing server module (the unsecured one) and paste it below the original before adding the following lines:

   listen 443;
     ssl on;
     ssl_certificate /etc/ssl/yourdomain-bundle.crt;                                         ssl_certificate_key /etc/ssl/yourdomain.key;

Like this:

server {
   listen 443;
     ssl on;
     ssl_certificate /etc/ssl/yourdomain-bundle.crt;                                         ssl_certificate_key /etc/ssl/yourdomain.key;
     server_name yourdomain.com;
     access_log /var/log/nginx/nginx.vhost.access.log;
     error_log /var/log/nginx/nginx.vhost.error.log;
     location / {
     root  /home/www/public_html/yourdomain.com/public/;
     index  index.html; 
    } 
    }

Restart Nginx:

systemctl restart nginx

Congratulations! You’ve successfully installed your SSL certificate!

Related Articles
Generating a CSR using cPanel
Install a SSL certificate
SSL Certificate Installation in WHM
SSL Certificate Installation: Apache
CSR creation in IIS 8 & 8.5
Did this answer your question?