Step-by-Step Guide: Migrating SSL Certificates from Apache to NGINX Server Configuration


2 views

When transferring SSL certificates between web servers, you'll need to locate these three critical files:

  • Certificate file (usually .crt or .pem)
  • Private key file (usually .key)
  • Certificate Authority bundle (CA bundle, often .ca-bundle or .intermediate.crt)

On a typical Apache installation, you can find these files in:

/etc/apache2/ssl/
/usr/local/apache2/conf/ssl/
/etc/httpd/conf/ssl/

Check your Apache configuration to confirm paths:

grep -r "SSLCertificateFile" /etc/apache2/
grep -r "SSLCertificateKeyFile" /etc/apache2/
grep -r "SSLCertificateChainFile" /etc/apache2/

Here's the basic NGINX server block configuration for SSL:

server {
    listen 443 ssl;
    server_name example.com;
    
    ssl_certificate /etc/nginx/ssl/example.com.crt;
    ssl_certificate_key /etc/nginx/ssl/example.com.key;
    
    # For certificate chains
    ssl_trusted_certificate /etc/nginx/ssl/example.com.ca-bundle;
    
    # Additional SSL optimization parameters
    ssl_protocols TLSv1.2 TLSv1.3;
    ssl_prefer_server_ciphers on;
    ssl_ciphers 'ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384...';
}

If your Apache certificate uses different formats, these OpenSSL commands will help:

Convert PKCS#7 to PEM:

openssl pkcs7 -print_certs -in certificate.p7b -out certificate.pem

Convert DER to PEM:

openssl x509 -inform der -in certificate.der -out certificate.pem

NGINX expects the server certificate followed by intermediate certificates in a single file:

cat example.com.crt example.com.ca-bundle > combined.crt

Then reference it in NGINX config:

ssl_certificate /etc/nginx/ssl/combined.crt;

After configuration, verify your setup:

nginx -t
openssl s_client -connect example.com:443 -servername example.com -showcerts

Check for mixed content errors and proper certificate chain with:

curl -vI https://example.com
sslscan example.com

If using Let's Encrypt with Certbot, migration is simpler:

certbot --nginx -d example.com

Or manually specify Apache certificates:

certbot --nginx --cert-name example.com
  • Set proper permissions for certificate files (600 for private key)
  • Verify certificate chain is complete
  • Check certificate expiration dates
  • Consider implementing OCSP stapling in NGINX
ssl_stapling on;
ssl_stapling_verify on;
ssl_trusted_certificate /etc/nginx/ssl/chain.pem;

When transferring SSL certificates between web servers, you'll need to identify these key files:

# Typical Apache SSL configuration files:
- certificate.crt (or .pem) - The public certificate
- private.key - The private key
- ca_bundle.crt - Intermediate certificates (if applicable)

First, find where Apache stores your SSL configuration. Common locations include:

# Common Apache SSL paths:
/etc/httpd/conf/ssl.conf
/etc/apache2/sites-available/default-ssl.conf
/usr/local/apache2/conf/extra/httpd-ssl.conf

Look for these directives in your Apache config:

SSLCertificateFile /path/to/your_domain.crt
SSLCertificateKeyFile /path/to/your_private.key
SSLCertificateChainFile /path/to/CA_Bundle.crt

NGINX requires the certificate and private key in specific formats:

# For single certificate:
cat your_domain.crt CA_Bundle.crt > combined.crt

# For wildcard certificates:
cat wildcard_domain.crt intermediate.crt > combined.crt

Here's a basic NGINX configuration template:

server {
    listen 443 ssl;
    server_name yourdomain.com;
    
    ssl_certificate /etc/nginx/ssl/combined.crt;
    ssl_certificate_key /etc/nginx/ssl/private.key;
    
    ssl_protocols TLSv1.2 TLSv1.3;
    ssl_ciphers HIGH:!aNULL:!MD5;
    
    # Other server configuration...
}

Before restarting NGINX, test your configuration:

nginx -t

If successful, reload NGINX:

systemctl reload nginx

Use these tools to verify your SSL installation:

openssl s_client -connect yourdomain.com:443 -servername yourdomain.com

Or use online tools like SSL Labs' SSL Test.

If you encounter problems:

# Permission issues:
chmod 600 /etc/nginx/ssl/private.key
chmod 644 /etc/nginx/ssl/combined.crt

# SELinux contexts (for RHEL/CentOS):
chcon -R -t etc_t /etc/nginx/ssl/

For Let's Encrypt certificates, modify your renewal script:

# Sample certbot post-renewal hook for NGINX:
#!/bin/bash
cat /etc/letsencrypt/live/yourdomain.com/fullchain.pem \
    /etc/letsencrypt/live/yourdomain.com/chain.pem > \
    /etc/nginx/ssl/combined.crt
cp /etc/letsencrypt/live/yourdomain.com/privkey.pem \
    /etc/nginx/ssl/private.key
systemctl reload nginx