To ensure that your website is securely running it needs to have https enabled. This short tutorial will list steps necessary to secure NGINX server with a free Class 1 certificate from StartSSL.


1. You have a server running NGINX
2. You have already setup free account with StartSSL
3. You have validated your domain with StartSSL

Prep Work:

Download the StartSSL CA Certificate using wget:

Download the StartSSL Intermediate CA Certificate using wget:

Create a unified CA Certificate file:
cat >> ca.pem


Private key and Website Certificate

Use the StartSSL™ Control Panel to create a private key and certificate and transfer them to your server.

My naming convention:
Private key:

Then execute the following steps:

Decrypt the private key by using the password you entered when you created your key:
openssl rsa -in -out

Secure your key:
chmod 600

Create a single file containing your signed certificate and the StartSSL CA certificates for Nginx:

cat ca.pem >

Configure your nginx server to use the new key and certificate (in the global settings or a server section):

ssl on;
ssl_certificate /etc/nginx/conf/;
ssl_certificate_key /etc/nginx/conf/;

Reload nginx config or restart the service.
And you’re done!

cURL: Adding, Installing and Trusting Self-Signed Certificate

On several occasions I run into issues with curl and self-signed certs (i.e. WordPress plugins not working – BackWPup or OwnCloud WebDav errors)

The solution is to add the self-signed cert to ca-certificates:

1. Establish openSSL directory, then change directory to that folder and list the content:

no we change to the Certs directory and list the content again looking for symlinks to the location where the certs are actually stored:

change to directory and add your certificate.

Next  run

nano /etc/ca-certificates.conf

and add location to the added certificate. Now execute:

update-ca-certificates –fresh

and to test that evertying is OK issue:


this should list the code of the website.