
Nginx

Deploy TLS certificates to Nginx servers and automate renewal using SSL-CLM.


Before you begin, make sure you have:

  • SSL-CLM Agent installed on the Nginx server
  • Agent registered and active in the SSL-CLM dashboard
  • Nginx configured with TLS (existing or new)

Navigate to:

Configuration → Certificate Stores → New Store

Configure:

  • Type: File System (PEM)
  • Certificate Path: /etc/nginx/ssl/cert.pem
  • Key Path: /etc/nginx/ssl/key.pem
  • Chain Path: /etc/nginx/ssl/chain.pem (optional)
  • Agent: Select the agent running on the Nginx server

Add a post-deployment command to reload Nginx after certificate update:

nginx -t && systemctl reload nginx

nginx -t exits non-zero when the new configuration is invalid, including when the freshly deployed certificate and key do not match, so the && short-circuits, the reload is skipped and the running workers keep serving the previous certificate instead of the site going down. Note that the reload is graceful: old workers finish their connections before exiting, so a check run immediately after the reload may still hit an old worker and see the previous certificate.


Ensure your Nginx server block references the managed certificate paths. Two Nginx details matter here: ssl_certificate is the only file whose contents are sent to clients, so cert.pem must contain the leaf certificate followed by its intermediates (a full chain), otherwise clients receive an incomplete chain; ssl_trusted_certificate is consulted only to verify OCSP responses for stapling (and client certificates), never to build the chain that is served. If your store writes only the leaf to cert.pem, point ssl_certificate at a file that holds the full chain. Stapling with ssl_stapling_verify also needs chain.pem to contain the issuer chain and a resolver directive so Nginx can look up the OCSP responder.

server {
    listen 443 ssl http2;
    server_name example.com;

    # Sent to clients: leaf followed by intermediates (full chain)
    ssl_certificate /etc/nginx/ssl/cert.pem;
    ssl_certificate_key /etc/nginx/ssl/key.pem;
    # Used only to verify stapled OCSP responses (and client certificates)
    ssl_trusted_certificate /etc/nginx/ssl/chain.pem;

    ssl_protocols TLSv1.2 TLSv1.3;
    ssl_ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384;
    ssl_prefer_server_ciphers off;

    ssl_stapling on;
    ssl_stapling_verify on;
}

Either:

  • Enroll a new certificate through SSL-CLM’s enrollment workflow
  • Import an existing certificate and assign it to the Nginx certificate store

The agent writes the certificate files to the configured paths and runs the post-deployment command, which validates the configuration and reloads Nginx.


Check that the certificate is deployed:

openssl s_client -connect example.com:443 -servername example.com </dev/null 2>/dev/null | openssl x509 -noout -subject -dates
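As an added example (this is not SSL-CLM's own hook and not code from the original page), the following POSIX shell script combines the post-deployment command, the cert/key-match check from the troubleshooting table and the verification step above into one hook: it refuses to reload on an inconsistent pair or an already-expired file, runs the config test and reload, then compares the SHA-256 fingerprint served on port 443 with the fingerprint of the deployed file, which catches the "wrong certificate served" case. It assumes the openssl CLI is installed; the paths and hostname are the defaults from this page, and CERT, KEY, HOST and the hook file name are names introduced here.

```sh
#!/bin/sh
# Added example, not part of SSL-CLM: pre-reload checks plus post-reload
# verification for an SSL-CLM-managed Nginx certificate. Assumes the openssl
# CLI. Paths and host are the defaults used on this page (override via env).
CERT="${CERT:-/etc/nginx/ssl/cert.pem}"
KEY="${KEY:-/etc/nginx/ssl/key.pem}"
HOST="${HOST:-example.com}"

# 0 if the certificate's public key equals the private key's public half.
# Comparing the SubjectPublicKeyInfo works for RSA and EC keys alike, unlike
# the older "compare the RSA modulus" trick.
cert_key_match() {
  cert_pub=$(openssl x509 -in "$1" -noout -pubkey) || return 2
  key_pub=$(openssl pkey -in "$2" -pubout 2>/dev/null) || return 2
  [ "$cert_pub" = "$key_pub" ]
}

# 0 if the certificate is still valid for at least $2 more days.
cert_valid_for_days() {
  openssl x509 -in "$1" -noout -checkend "$(( $2 * 86400 ))" >/dev/null
}

# SHA-256 fingerprint (colon-separated uppercase hex) of a PEM certificate.
cert_fingerprint() {
  openssl x509 -in "$1" -noout -fingerprint -sha256 | sed 's/^.*=//'
}

# SHA-256 fingerprint of the leaf certificate the listener at $1:$2 serves
# for SNI name $1.
served_fingerprint() {
  openssl s_client -connect "$1:$2" -servername "$1" </dev/null 2>/dev/null \
    | openssl x509 -noout -fingerprint -sha256 | sed 's/^.*=//'
}

# Hook body: refuse to reload on a bad pair, validate the config, reload,
# then confirm the live listener serves the file that was just deployed.
reload_and_verify() {
  cert_key_match "$CERT" "$KEY" || { echo "cert/key mismatch: $CERT $KEY" >&2; return 1; }
  cert_valid_for_days "$CERT" 1 || { echo "deployed certificate expires within a day" >&2; return 1; }
  nginx -t && systemctl reload nginx || return 1
  sleep 1  # reload is graceful; give the new workers a moment to take over
  deployed=$(cert_fingerprint "$CERT")
  served=$(served_fingerprint "$HOST" 443)
  if [ "$deployed" != "$served" ]; then
    echo "served $served but deployed $deployed (duplicate/default server block or old workers?)" >&2
    return 1
  fi
  echo "OK: $HOST serves $deployed"
}

# Run the hook only when invoked with "run"; sourcing the file just defines
# the functions so they can be used interactively.
if [ "${1:-}" = "run" ]; then
  reload_and_verify
fi
```

Install it as, for example, /usr/local/bin/nginx-cert-hook.sh (a hypothetical path) and set the store's post-deployment command to `/usr/local/bin/nginx-cert-hook.sh run`; a non-zero exit surfaces in the agent's job status instead of leaving a silently broken listener.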

SSL-CLM monitors certificate expiry and triggers renewal automatically:

  1. Renewal job is created based on policy (e.g., 30 days before expiry)
  2. New certificate is issued from the configured CA
  3. Agent deploys the new certificate to the configured paths
  4. Post-deploy hook reloads Nginx
  5. Old certificate is archived

Issue                      Solution
Certificate not updating   Check agent status in the dashboard. Verify file permissions on the cert paths (the key is read by the Nginx master process, normally root, and should not be world-readable).
Nginx fails to reload      Check nginx -t output. Ensure the deployed cert and key match.
Agent not connecting       Verify the mTLS configuration. Check firewall rules for agent → platform.
Wrong certificate served   Confirm the reload completed (old worker processes keep the previous certificate until they exit). Check for duplicate server blocks, or a default server on the same port that answers for names without a matching server_name.