From August 19th, 2020, SECTIGO issues SSL certificates with a maximum lifetime of 398 days (13 months), as specified by the CA/Browser consortium. SSL certificates with a longer lifetime must be re-issued annually (free of charge). You'll receive reminders via e-mail. SSL certificates issued before August 19th, 2020 remain valid until their planned expiry date. Code Signing & S/MIME certificates are not affected and remain valid until their planned expiry date.

GEOTRUST RapidSSL: Installing SSL certificates including intermediate (ca_bundle) certificate on nginx

Note: When placing your CSR inside the MY INTERSSL account, please choose server type "apache/mod_SSL" if "nginx" isn't available as an option.

 

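Example excerpt from nginx/conf/gitlab-http.conf:


listen *:443 ssl;

server_name git.b-nm.at;

# Combined file: server certificate followed by the intermediate (ca_bundle) certificate
ssl_certificate /var/opt/gitlab/nginx/ssl/git.b-nm.at.crt.ca.pem;
ssl_certificate_key /var/opt/gitlab/nginx/ssl/git.b-nm.at.key;
# TLSv1 and TLSv1.1 are deprecated (RFC 8996); list only the versions your clients still need
ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
ssl_ciphers HIGH:!aNULL:!MD5;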


Important: nginx accepts only one file for the SSL certificate, so you need to copy the .CRT file and the .CA_BUNDLE (= intermediate certificate) together into a single file using a text editor. Place your own certificate first and the intermediate certificate after it, as in the example below, so that the full intermediate certificate chain is available in the file referenced by the ssl_certificate statement in the config file.



ssl_certificate example for RapidSSL:

-----BEGIN CERTIFICATE-----
.
.
.
. **** CONTENTS OF YOUR SSL CERTIFICATE *****
.
.
.
-----END CERTIFICATE-----
-----BEGIN CERTIFICATE-----
. **** CONTENTS OF THE INTERMEDIATE (CA_BUNDLE) CERTIFICATE *****
-----END CERTIFICATE-----
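
The following shell functions are an added example, not part of the original InterSSL article. They build the combined file described above and guard against the usual copy-and-paste failures: Windows line endings, a missing final newline that fuses two PEM markers, and a private key pasted into the chain. The file names in the usage comment are placeholders.

```shell
#!/bin/sh
# Added example: build the single file that nginx's ssl_certificate expects.
# Usage (file names are placeholders): sh build_chain.sh site.crt site.ca_bundle chain.pem

# Emit a PEM file with CRs removed and a guaranteed final newline, so an
# END marker can never fuse with the BEGIN marker of the next certificate.
normalize_pem() {
    tr -d '\r' < "$1" | awk '{ print }'
}

# Count lines consisting of exactly "-----BEGIN|END CERTIFICATE-----".
count_marker() {
    grep -c -x -F -e "-----$1 CERTIFICATE-----" "$2" || true
}

build_chain() {
    cert=$1; bundle=$2; out=$3
    # The chain file is public material; a private key must never be pasted into it.
    if grep -q 'PRIVATE KEY' "$cert" "$bundle"; then
        echo "refusing: input contains a private key" >&2
        return 1
    fi
    tmp=$(mktemp) || return 1
    # Order matters: server certificate first, then the intermediate(s).
    { normalize_pem "$cert"; normalize_pem "$bundle"; } > "$tmp"
    begins=$(count_marker BEGIN "$tmp")
    ends=$(count_marker END "$tmp")
    if [ "$begins" -lt 2 ] || [ "$begins" -ne "$ends" ]; then
        echo "malformed chain: $begins BEGIN / $ends END markers" >&2
        rm -f "$tmp"
        return 1
    fi
    mv "$tmp" "$out"
}

# True if the FIRST certificate in the chain matches the private key
# (openssl x509 reads only the first PEM block). Requires openssl.
key_matches_chain() {
    [ "$(openssl x509 -in "$1" -noout -pubkey)" = "$(openssl pkey -in "$2" -pubout)" ]
}

if [ "$#" -eq 3 ]; then
    build_chain "$1" "$2" "$3"
fi
```

After pointing ssl_certificate at the output file, run nginx -t to validate the configuration before reloading.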
