This page describes the process of updating your SSL certificate if you are already using it and it has expired. If you need to perform an initial certificate installation (switch your website from HTTP to HTTPS), refer to "SSL certificate installation" page in "Administration" section.
Any SSL certificate has an expiration date, which means that it can get out of date and therefore require re-issuing and updating on your server.
On this page we will explain SSL certificates update process. This is a fairly simple operation that does not require advanced system administration skills.
Navixy platform uses a web server called Nginx. In order to update the SSL certificates your website uses, you need to look in the Nginx config to see where the current certificate and private key files are located, and simply replace them with new ones.
You need more than just a certificate for the web server to work properly. You must have a private key file that matches the certificate. Without a correct private key, the web server will not be able to start. Both the certificate and the private key are provided by your SSL certificate authority.
Nginx configuration for your website is located at the path below. Read the file contents with any text editor.
/etc/nginx/sites-available/navixy.conf
Inside you can see lines like this:
ssl_certificate /etc/nginx/ssl/certificate.crt;
ssl_certificate_key /etc/nginx/ssl/private.key;
This means that the certificate files are located at /etc/nginx/ssl/.
The path can also be shortened to ssl/certificate.crt if the files are in the above directory. Both are correct.
Nginx configuration for your website is located at the path below. Read the file contents with any text editor.
C:\nginx\conf\sites-enabled\navixy.conf
Inside you can see lines like this:
ssl_certificate /ssl/certificate.crt;
ssl_certificate_key /ssl/private.key;
The /ssl/ entry here is short for C:\nginx\conf\ssl. It is recommended to use this path, but if your certificates are located in a different folder, you need to specify the full path in the config file.
You may have several domains configured on your platform. The most common case is separate domains for API, admin panel, and user interface. In this case, the Nginx configuration will have several blocks starting with server. The path to the certificate is specified in each block.
Please note! You need either a separate certificate for each domain name, or a wildcard certificate (for *.domain.com) to work with all third-level domains.
It is highly recommended to give the new certificate and private key files the same name as the old files and place them in the same location.
If the name or path are different, be sure to make changes to the Nginx configuration.
SSL certificate chain of trust
The certificate file(s) must contain a full chain of trust. This means that the contents of the certificate must include not only the body of the primary certificate you plan to install, but also an intermediate certificate, a root certificate, or any combination of these, depending on the certificate issuer.
Such a certificate is called a full chain certificate.
Make sure that the certificate you issue contains this chain of trust, otherwise some features, such as mobile applications, might not work.
If you have trouble building the full chain, contact the certificate issuer. You can also use some online tools to resolve the chain of trust, such as this one.
If you want to learn more about the chain of trust, you can read an explanation on one of the SSL issuer sites.
Private key requirement
The main requirement for private key is that it must match the SSL certificate, otherwise Nginx web server will not be able to start. Typically, private key is provided by the certificate issuer along with the certificate. If you re-issue a certificate from the same authority, private key often stays the same and does not need to be replaced.
You can additionally match the certificate with the private key using online tools, such as this one.