Import a new Root CA and Replace Digital Certificates (NGINX – Internal Reverse Proxy)

Supported Certificate Format

File extension: .crt

Encoding: PEM (Base64, begins with -----BEGIN CERTIFICATE-----)

A .cer or .pem file with the same PEM content works too, but update-ca-certificates only reads files whose name ends in .crt, so give the file a .crt extension when copying it below. A binary (DER-encoded) .cer must first be converted to PEM with openssl; a DER file in the directory is silently ignored.

All actions below are executed as root.

Copy the new Root CA into the local CA directory:

cp my-root-ca.crt /usr/local/share/ca-certificates/


Important notes

Use /usr/local/share/ca-certificates/ for custom / internal CAs

Filename must end in .crt (any other extension is ignored by update-ca-certificates)

Do not place custom certs directly in /etc/ssl/certs; that directory is rebuilt by update-ca-certificates and manual additions can be lost

This step updates the host's system trust store, used by OpenSSL-based clients running on the proxy (curl, wget, Python and similar). NGINX does not need it in order to serve the new certificate; it is what lets tools on this host verify certificates issued by the new CA.

Execute:

update-ca-certificates

Expected output:

Updating certificates in /etc/ssl/certs...

1 added, 0 removed; done.

On a repeat run, or if the CA was already present, the count is 0 added. A count of 0 on the first run usually means the file was not named *.crt or is not PEM.

 

Change Digital certificates in NGINX Virtual Hosts (Grafana as an example below):

 

1) Save the existing vhost file as grafana.conf_saved (same folder)

cp -a /etc/nginx/sites-available/grafana.conf /etc/nginx/sites-available/grafana.conf_saved

 

-a preserves perms/ownership/timestamps (good practice for config backups).

 


 

2) Update the vhost to use the new cert + private key

2.1 Put the new cert/key in the right places (recommended)

On Debian, convention is:

certs in /etc/ssl/certs/

private keys in /etc/ssl/private/ (root-only readable; on Debian the directory itself is root:ssl-cert, mode 710)

If the server certificate was issued by an intermediate CA, mynewcert.pem must contain the full chain (server certificate first, then the intermediate(s)). NGINX serves the file as-is and does not fetch missing intermediates, so browsers would otherwise show an incomplete chain.

cp -a mynewcert.pem /etc/ssl/certs/mynewcert.pem

cp -a mynewcertkey.pem /etc/ssl/private/mynewcertkey.pem

 

2.2 Lock down permissions on the private key (important)

chown root:root /etc/ssl/private/mynewcertkey.pem

chmod 600 /etc/ssl/private/mynewcertkey.pem

 

(Leave the cert file readable; the key should not be. The nginx master process runs as root and reads the key at start and on reload, so root-only access is sufficient; the www-data worker processes never need to read it.)

2.3 Edit the vhost config to point at the new files

Open the file:

nano /etc/nginx/sites-available/grafana.conf

 

Change these two lines (inside the server block that listens on 443 with ssl) so they point at the files copied in 2.1:

ssl_certificate     /etc/ssl/certs/mynewcert.pem;

ssl_certificate_key /etc/ssl/private/mynewcertkey.pem;

 

Save/exit.

 


 

3) Test nginx config and reload/restart

3.1 Syntax test first

nginx -t

You want:

nginx: the configuration file /etc/nginx/nginx.conf syntax is ok

nginx: configuration file /etc/nginx/nginx.conf test is successful

 

3.2 Reload (preferred; no full restart)

systemctl reload nginx

A reload re-reads the config and the certificate/key files and starts new workers. If anything fails to load (unreadable key, cert/key mismatch), the old workers keep serving with the old certificate, so always check the status in 3.4.

 

3.3 Restart (only if reload fails or you want a hard bounce; a restart drops in-flight connections)

systemctl restart nginx

 

3.4 Quick status check

systemctl status nginx --no-pager

 

 


 

Next: Repeat step 2 (backup, copy cert/key, edit the vhost) for all other vHosts in NGINX, then run nginx -t and reload once for all of them.
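The whole procedure above (Root CA import, server cert/key installation, vhost edit, test and reload) as one script, added here as an example and not part of the original article. It assumes the file names and the grafana.conf vhost used in the examples above, a Debian host with openssl, ca-certificates, GNU coreutils install(1) and GNU sed, and adds the checks a practitioner wants before touching NGINX: PEM detection for the CA, a cert/key match check, a chain check against the freshly rebuilt system bundle, and automatic rollback of the vhost if nginx -t fails.

```shell
#!/bin/sh
# Added example, not from the original article. File names and the vhost path
# are ASSUMED placeholders taken from the article; override them via environment.
set -eu

CA_SRC="${CA_SRC:-my-root-ca.crt}"                         # new internal Root CA (PEM)
CERT_SRC="${CERT_SRC:-mynewcert.pem}"                      # new server cert (full chain if issued by an intermediate)
KEY_SRC="${KEY_SRC:-mynewcertkey.pem}"                     # matching private key
VHOST="${VHOST:-/etc/nginx/sites-available/grafana.conf}"  # vhost to update
CERT_DST=/etc/ssl/certs/mynewcert.pem
KEY_DST=/etc/ssl/private/mynewcertkey.pem

# update-ca-certificates only reads PEM; a DER-encoded .cer is silently ignored.
is_pem_cert() { grep -q -- '-----BEGIN CERTIFICATE-----' "$1"; }

# update-ca-certificates only picks up *.crt, so a .pem/.cer Root CA is
# installed under the same base name with a .crt extension.
ca_target_name() {
    base=$(basename "$1")
    printf '%s.crt\n' "${base%.*}"
}

# Refuse a cert/key pair whose public keys differ; nginx -t would otherwise
# fail with "SSL_CTX_use_PrivateKey_file ... key values mismatch".
cert_matches_key() {
    [ "$(openssl x509 -in "$1" -noout -pubkey)" = "$(openssl pkey -in "$2" -pubout)" ]
}

# Back the vhost up with cp -a (step 1) and rewrite only the
# ssl_certificate / ssl_certificate_key directives, keeping indentation.
vhost_set_certs() {
    conf=$1; cert=$2; key=$3
    cp -a "$conf" "${conf}_saved"
    sed -E -i \
        -e "s#^([[:space:]]*ssl_certificate[[:space:]]+)[^;]*;#\1${cert};#" \
        -e "s#^([[:space:]]*ssl_certificate_key[[:space:]]+)[^;]*;#\1${key};#" \
        "$conf"
}

install_root_ca() {
    if ! is_pem_cert "$CA_SRC"; then
        echo "$CA_SRC is not PEM; convert first: openssl x509 -inform der -in $CA_SRC -out ${CA_SRC%.*}.pem" >&2
        return 1
    fi
    name=$(ca_target_name "$CA_SRC")
    install -m 0644 -o root -g root "$CA_SRC" "/usr/local/share/ca-certificates/$name"
    update-ca-certificates
    # update-ca-certificates links the new CA into /etc/ssl/certs as <name>.pem.
    ls -l "/etc/ssl/certs/${name%.crt}.pem"
}

install_server_cert() {
    cert_matches_key "$CERT_SRC" "$KEY_SRC"
    # Chain check against the system bundle that now contains the new Root CA;
    # -untrusted lets any intermediates in the chain file be used.
    openssl verify -CAfile /etc/ssl/certs/ca-certificates.crt -untrusted "$CERT_SRC" "$CERT_SRC"
    install -m 0644 -o root -g root "$CERT_SRC" "$CERT_DST"
    install -m 0600 -o root -g root "$KEY_SRC" "$KEY_DST"   # key stays root-only (step 2.2)
}

apply_vhost() {
    vhost_set_certs "$VHOST" "$CERT_DST" "$KEY_DST"
    if nginx -t; then
        systemctl reload nginx            # reload, not restart (step 3.2)
    else
        cp -a "${VHOST}_saved" "$VHOST"   # roll back so the broken vhost is not left in place
        echo "nginx -t failed; $VHOST restored from ${VHOST}_saved" >&2
        return 1
    fi
}

# The root-only steps run only when explicitly asked: ./replace-certs.sh --apply
if [ "${1:-}" = "--apply" ]; then
    install_root_ca
    install_server_cert
    apply_vhost
    systemctl status nginx --no-pager
fi
```

Run it as root with --apply; without the flag it only defines the functions, so it can be sourced and vhost_set_certs reused for the other vHosts (each with its own cert/key paths). Re-running is safe: update-ca-certificates reports 0 added for a CA it already has, and the vhost edit is a no-op once the directives already point at the new files.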
