SSL Certificates are Miserable
So... I was tasked with setting up HTTPS for a website recently. I was setting up Nginx with an SSL certificate from Thawte.
Pretty normal. Pretty standard. Pretty awful.
Here's to helping the next guy get through the process quicker than I did.
Testing
Before you start: don't use a browser or openssl to test your config. It will waste your time and make you unhappy.
Use this tool to test your SSL config:
Certificate Signing Requests (*.csr), PEM Files, Intermediary Certificates, root CA Certificate, Secondary Certificate BS, and more
You should know that Apache and several other web servers expect your SSL certificate to be in a separate file from the intermediary certificates, like this example httpd.conf:
# your key file (often called www.example.com.key or privatekey.pem)
SSLCertificateKeyFile /www/certs/ssl.fictional.co.key
# your ssl certificate (often called www.example.com.crt or certificate.pem)
SSLCertificateFile /www/certs/ssl.fictional.co.cert
#intermediary certificates (often a *.crt or *.pem file)
SSLCACertificateFile /www/certs/CA.cert
OK great... but some other web servers expect your intermediary certificates to be concatenated with your SSL certificate (i.e. the one you paid for). So open up notepad and copy/paste that CA.cert into the end of your ssl.fictional.co.cert and hit save.
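An added check of my own (not from the post) that builds that concatenated file in code and catches two things the notepad step can get wrong: an END marker and the next BEGIN marker landing on the same line, and a private key pasted into the certificate bundle. The PEM bodies below are constructed placeholders, not real certificates.

```python
import re

# One PEM block: BEGIN marker at the start of a line, body, matching END marker.
PEM_BLOCK = re.compile(
    r"^-----BEGIN ([A-Z ]+)-----\r?\n(.*?)\r?\n-----END \1-----",
    re.MULTILINE | re.DOTALL,
)

def pem_blocks(text):
    """Return (label, body) for every well-formed PEM block in text."""
    return [(m.group(1), m.group(2)) for m in PEM_BLOCK.finditer(text)]

def build_bundle(leaf_pem, *intermediate_pems):
    """Concatenate the server certificate first, then each intermediate,
    guaranteeing a newline after every block so two markers never share a line."""
    return "".join(pem.strip() + "\n" for pem in (leaf_pem, *intermediate_pems))

def check_bundle(bundle):
    """Return a list of problems with a concatenated bundle (empty means OK).
    This only checks PEM framing; it does not verify signatures or that CA.cert
    really issued the server cert, which is what
    `openssl verify -CAfile CA.cert ssl.fictional.co.cert` is for."""
    problems = []
    labels = [label for label, _ in pem_blocks(bundle)]
    if not labels:
        problems.append("no PEM blocks found")
    if any("PRIVATE KEY" in label for label in labels):
        problems.append("private key inside certificate bundle")
    if labels.count("CERTIFICATE") < 2:
        problems.append("fewer than 2 certificates (intermediate missing?)")
    # A block whose BEGIN marker is not at the start of a line (END and BEGIN
    # pasted onto one line) is skipped by the regex, so the two counts diverge.
    if bundle.count("-----BEGIN ") != len(labels):
        problems.append("a BEGIN/END marker is malformed or shares a line")
    return problems

# Constructed sample blocks; real certificates have much longer base64 bodies.
LEAF_PEM = "-----BEGIN CERTIFICATE-----\nMIIBleaf\n-----END CERTIFICATE-----\n"
CA_PEM = "-----BEGIN CERTIFICATE-----\nMIIBinter\n-----END CERTIFICATE-----"
KEY_PEM = "-----BEGIN RSA PRIVATE KEY-----\nMIIEkey\n-----END RSA PRIVATE KEY-----\n"

if __name__ == "__main__":
    bundle = build_bundle(LEAF_PEM, CA_PEM)       # what nginx's cert.pem should hold
    print(check_bundle(bundle))                   # []
    print(check_bundle(LEAF_PEM.rstrip("\n") + CA_PEM))  # the bad notepad paste
```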
What about Nginx?
Now your Nginx config for SSL (documentation here) will look like this:
http {
server {
listen 443;
ssl on;
# this file contains the ssl.fictional.co.cert AND CA.cert from the Apache example
ssl_certificate /usr/local/nginx/conf/cert.pem;
# this file corresponds to the ssl.fictional.co.key from the Apache example
ssl_certificate_key /usr/local/nginx/conf/cert.key;
}
}
Conclusion. SSL…
is a pain in the ass.