Transmitting data over unencrypted HTTP poses security risks, such as data leaks and content tampering. It can also cause browsers to mark your site as Not Secure, which erodes user trust. Installing an SSL certificate on an Nginx server for Windows enables HTTPS, which secures data in transit and enhances your website's security and credibility. This topic shows you how to install an SSL certificate on an Nginx server in Windows and verify that HTTPS works correctly.
Usage notes
Before you begin, make sure that you meet the following requirements:
Certificate status: You have an SSL certificate issued by a trusted certificate authority. If the certificate is about to expire or has expired, you must first renew the SSL certificate.
Domain name matching: Make sure that the certificate matches all domain names that you want to secure. To add or modify domain names, you can Purchase a commercial certificate or Append and replace domain names.
Exact-match domain name: Applies only to the specified domain.
example.com protects only example.com. www.example.com protects only www.example.com.
Wildcard domain name: Applies only to its first-level subdomains.
*.example.com applies to first-level subdomains such as www.example.com and a.example.com. *.example.com does not protect the root domain example.com or multi-level subdomains such as a.b.example.com.
Note: To match multi-level subdomains, the Bound Domains field must contain the exact domain, such as a.b.example.com, or a corresponding wildcard domain, such as *.b.example.com.
Server permissions: You must use the Administrator account or an account with administrator permissions.
Domain name resolution: The domain's DNS record is configured and resolves to the server's public IP address.
Environment dependencies: This topic uses Windows Server 2025 and Nginx 1.28.0 as an example. The example installation directory for Nginx is D:\nginx-1.28.0.
Note: Deployment steps may vary depending on the operating system or web server version.
Procedure
Step 1: Prepare the SSL certificate
Go to the SSL Certificate Service page. In the Actions column of the target certificate, click Download Certificate. On the Download tab, download the certificate for the Server Type Nginx.
Unzip the downloaded certificate package:
If the package contains a certificate file (.pem) and a private key file (.key), save both files. You will need them for deployment.
If the package contains only a certificate file (.pem) and not a private key file (.key), you must deploy the certificate with the private key file that you saved locally.
Note: If you used a tool such as OpenSSL or Keytool to generate a Certificate Signing Request (CSR) file when applying for a certificate, the private key file was saved only on your local machine. The downloaded certificate package does not include the private key. If the private key is lost, the certificate is unusable. You must purchase a commercial certificate again and generate a new CSR and private key.
Upload the unzipped certificate file and private key file to your server. Store them in a secure external directory. The example path used in this topic is D:\cert.
Note: The following steps use an Alibaba Cloud Elastic Compute Service (ECS) instance as an example. For other server types, refer to their official documentation.
Go to ECS console - Instances. In the top navigation bar, select the target region and resource group.
Locate the target instance. Click Connect and select Sign in now. Log on to the server desktop as prompted.
In the lower-left corner of the server, click the Start menu. Find and open This PC.
Under Redirected drives and folders, double-click workbench on ***. Drag the certificate file from your local machine into this directory, and then right-click the folder and select Refresh.

Copy the certificate files to the D:\cert directory.
Important: When you reconnect to or exit the instance, workbench automatically clears all uploaded files from the Redirected drives and folders directory to save space. This directory is for file transfer only. Do not save your files here.
Step 2: Configure the system and network environment
Open port 443 in the security group.
Important: If your server is deployed on a cloud platform, make sure that its security group allows inbound access on TCP port 443. Otherwise, the service cannot be accessed from the Internet. The following steps use Alibaba Cloud ECS as an example. For other cloud platforms, see their official documentation.
Go to the ECS instance page, select the region where the target ECS instance is located, and click the instance name to go to the instance details page.
Click , and make sure that a rule exists with the following settings: Authorization Policy is set to Allow, Protocol Type is TCP, Destination Port Range is HTTPS (443), and Authorization Object is set to Anywhere (0.0.0.0/0).
If the preceding rule does not exist, see Add a security group rule to add the corresponding rule to the target security group.
Open port 443 in the server firewall.
Log on to the Windows server, click the Start menu in the lower-left corner, and open Control Panel.
Click .
If the firewall is off, as shown in the following figure, no further action is required.

If the firewall is on, follow these steps to allow the HTTPS rule.
In the left navigation pane, click , and check for an inbound rule where the Protocol is TCP, the Local Port is 443, and the Action is Block.
If such a rule exists, right-click it and select Properties. On the General tab, change the setting to Allow The Connection and click Apply.
For more information about firewall configurations, see Configure firewall rules.
Step 3: Deploy the certificate on the Nginx server
Open the Nginx configuration file (nginx.conf) to add the certificate details. The example path is D:\nginx-1.28.0\conf\nginx.conf.
Add a server block that listens on port 443.
Duplicate the existing server block for port 80 to create a new one for HTTPS. Change its listening port to listen 443 ssl and add the SSL certificate configuration, including the ssl_certificate and ssl_certificate_key directives. Keep all other directives unchanged.

    # Original server block listening on port 80.
    server {
        listen 80;
        server_name yourdomain.com www.yourdomain.com;
        # Other configurations.
        location / {
            proxy_pass http://127.0.0.1:8000;
        }
    }

    # Copy of the existing port 80 server block, used for HTTPS.
    server {
        # Change the original listen 80 to listen 443 ssl.
        listen 443 ssl;
        # Original server_name. You can add more domain names covered by this certificate.
        server_name yourdomain.com www.yourdomain.com;

        # ======================= Certificate configuration starts =======================
        # Certificate file (the intermediate certificate can be concatenated into this .pem file).
        # Replace the following path with the absolute path of your certificate file.
        ssl_certificate D:\\cert\\example.com.pem;
        # Private key file. Replace the following path with the absolute path of your private key file.
        ssl_certificate_key D:\\cert\\example.com.key;
        # SSL session cache to improve performance.
        ssl_session_cache shared:SSL:1m;
        # SSL session timeout period.
        ssl_session_timeout 5m;
        # Cipher suites to use (example configuration; evaluate whether you need to set it).
        ssl_ciphers ECDHE-RSA-AES128-GCM-SHA256:ECDHE:ECDH:AES:HIGH:!NULL:!aNULL:!MD5:!ADH:!RC4;
        # Allowed TLS protocol versions. Higher versions are more secure but have poorer browser compatibility than lower versions.
        ssl_protocols TLSv1.2 TLSv1.3;
        # Prefer the server-side cipher suite order.
        ssl_prefer_server_ciphers on;
        # ======================= Certificate configuration ends =======================

        # Other configurations.
    }

Optional: Set up automatic redirection from HTTP to HTTPS. Add the rewrite directive to the original server block that listens on port 80.

    server {
        listen 80;
        # Enter the domain name bound to the certificate.
        server_name <YOURDOMAIN>;
        # Redirect all HTTP requests to HTTPS using the rewrite directive.
        rewrite ^(.*)$ https://$host$1;
        location / {
            index index.html index.htm;
        }
    }

Run the following command from the Nginx installation directory to validate the configuration changes. If the output shows syntax is ok and test is successful, the configuration is valid. Otherwise, correct the configuration based on the error messages.

    .\nginx.exe -t
Reload the Nginx service.
Open the Windows command line, navigate to the Nginx installation directory, and run the following command.
.\nginx.exe -s reload
Step 4: Verify the deployment
Access your domain over HTTPS in a web browser, for example https://yourdomain. Replace yourdomain with your actual domain. If a lock icon appears in the browser's address bar, the certificate is deployed successfully. If you encounter access errors or the lock icon does not appear, clear your browser cache or try again in incognito (privacy) mode.
Starting from version 117, the lock icon in the Chrome address bar has been replaced with a new icon. Click this icon to view the lock information.
If the issue persists, see FAQ for troubleshooting.
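The following Python script is an added example, not part of this topic, that performs the Step 4 check without a browser and also applies the domain matching rules from Usage notes: probe() opens a verified TLS connection and reports the negotiated protocol version, and check_cert() confirms that the certificate's bound domains cover the requested host (exact and wildcard rules) and that it has not expired or is not about to. The host name is a placeholder, and SAMPLE_CERT is a constructed certificate in the shape getpeercert() returns, used for offline checks.

```python
import socket
import ssl
import time

def name_matches(bound: str, host: str) -> bool:
    """Binding rules from this topic: an exact name covers only itself;
    '*.example.com' covers one label below it, not example.com or a.b.example.com."""
    bound, host = bound.lower().rstrip("."), host.lower().rstrip(".")
    if bound.startswith("*."):
        parent = bound[2:]
        return host.endswith("." + parent) and host.count(".") == parent.count(".") + 1
    return bound == host

def check_cert(cert: dict, host: str, now: float) -> list:
    """Check a certificate dict as returned by SSLSocket.getpeercert().
    Returns a list of problems; an empty list means the certificate is fine."""
    problems = []
    names = [v for k, v in cert.get("subjectAltName", ()) if k == "DNS"]
    if not any(name_matches(n, host) for n in names):
        problems.append(f"{host} is not covered by bound domains {names}")
    not_after = ssl.cert_time_to_seconds(cert["notAfter"])
    if not_after <= now:
        problems.append("certificate has expired; renew it before deploying")
    elif not_after - now < 30 * 86400:
        problems.append("certificate expires within 30 days")
    return problems

def probe(host: str, port: int = 443) -> tuple:
    """Connect with chain and hostname verification on and return (TLS version, cert dict).
    An untrusted chain or a name mismatch raises ssl.SSLCertVerificationError."""
    ctx = ssl.create_default_context()
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2  # matches the ssl_protocols line above
    with socket.create_connection((host, port), timeout=5) as raw:
        with ctx.wrap_socket(raw, server_hostname=host) as tls:
            return tls.version(), tls.getpeercert()

# Constructed sample in the shape getpeercert() returns, used for the offline checks.
SAMPLE_CERT = {
    "subjectAltName": (("DNS", "example.com"), ("DNS", "*.example.com")),
    "notBefore": "Jan 15 00:00:00 2025 GMT",
    "notAfter": "Jan 15 23:59:59 2026 GMT",
}

if __name__ == "__main__":
    import sys
    host = sys.argv[1] if len(sys.argv) > 1 else "yourdomain.com"  # placeholder host
    version, cert = probe(host)
    print(version, check_cert(cert, host, time.time()) or "OK")
```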
Going live
When you deploy to a production environment, follow these best practices to enhance security, stability, and maintainability:
Run as a non-administrator user:
Create a dedicated, low-privilege system user for the application. Never run the application with an account that has administrator privileges.
Note: A recommended approach is to configure SSL at the gateway layer. This involves deploying the certificate on a Server Load Balancer (SLB). The gateway terminates the HTTPS traffic and forwards the decrypted HTTP traffic to the backend application.
Externalize credential management:
Never hard-code passwords or other sensitive information in your code or configuration files. Use environment variables, Vault, or a cloud provider's key management service to inject credentials.
Enforce HTTP to HTTPS redirection:
Redirect all HTTP traffic to HTTPS to prevent man-in-the-middle attacks.
Configure modern TLS protocols:
Disable old and insecure protocols (such as SSLv3, TLSv1.0, and TLSv1.1) in your server configuration. Enable only TLSv1.2 and TLSv1.3.
Monitor certificates and automate renewal:
After you deploy the certificate, enable domain monitoring. Alibaba Cloud automatically checks the certificate validity period and sends renewal reminders before expiration to help you renew in a timely manner and avoid service interruption. For detailed instructions, see Purchase and enable public domain name monitoring.
FAQ
Why is my certificate not working or HTTPS inaccessible after installation or update?
This issue is often caused by one of the following configuration problems. Check them in order:
Port 443 blocked: The server's security group or firewall does not have port 443 open. See Configure the system and network environment.
Domain mismatch: The domain you are accessing is not listed in the certificate's Bound Domains. See Domain name matching.
Nginx not reloaded: The Nginx service was not reloaded after the Nginx configuration file was modified. See Reload the Nginx service.
Incorrect certificate configuration: The certificate file was not replaced correctly, or the certificate path is not correctly specified in the Nginx configuration. Make sure that the Nginx configuration file and the certificate file in use are the latest and valid.
Missing certificate on other services: If your domain uses services such as a Content Delivery Network (CDN), Server Load Balancer (SLB), or Web Application Firewall (WAF), the certificate must also be installed on those services. See Certificate deployment locations when traffic passes through multiple Alibaba Cloud services to complete the setup.
Incomplete deployment on multiple servers: If your domain's DNS resolves to multiple servers, the certificate must be installed on all of them.
For further troubleshooting, see Resolve certificate deployment issues based on browser error messages and SSL certificate deployment troubleshooting guide.
How do I correctly update or replace an existing SSL certificate on an Nginx server?
To update an SSL certificate on Nginx, you need to replace the old certificate and private key files with the new ones and then reload the Nginx service.
Back up your existing certificate (.pem) and private key (.key) files on the server.
Download the new certificate files from the Certificate Management Service console.
Upload the new files to your server, overwriting the old ones. Ensure that the file paths and names remain identical to what is specified in your nginx.conf.
Reload the Nginx service to apply the changes by running .\nginx.exe -s reload from the Nginx installation directory.
How do I disable TLSv1.0 and TLSv1.1 in Nginx to prevent some browsers from showing a "certificate does not meet standards" warning?
You can disable insecure TLS protocols by modifying the ssl_protocols directive in your Nginx configuration to include only modern, secure versions.
Open your nginx.conf file and locate the server block for your HTTPS site (listening on port 443).
Find or add the ssl_protocols directive and set it to ssl_protocols TLSv1.2 TLSv1.3;.
Save the file and run .\nginx.exe -s reload from the Nginx installation directory to apply the settings.
Why does my Nginx server fail to start or reload with a bind() to 0.0.0.0:443 failed error on Windows?
This error means that another process is already using port 443, which Nginx is trying to bind to. This is a port conflict issue.
To identify the process using port 443, open Command Prompt or PowerShell and run:

    netstat -ano | findstr ":443"

The output shows the Process ID (PID) of the conflicting service in the last column.
Stop the conflicting service. You can use Task Manager to end the task by its PID or stop the corresponding application (such as another web server). If the PID is 4 (System), the port is held by the HTTP.sys kernel driver on behalf of a Windows service such as IIS; stop that service rather than the System process.
Once port 443 is free, try starting or reloading Nginx again.
After enabling HTTPS on my Nginx server, why does my browser show a Mixed Content warning instead of a secure lock icon?
A Mixed Content warning occurs when an HTTPS page attempts to load resources (such as images, scripts, or stylesheets) over an insecure HTTP connection. To fix this, you must ensure that all resources are loaded via HTTPS.
Inspect your website's source code (HTML, CSS, and JavaScript).
Search for any hardcoded http:// links in tags such as <img>, <link>, and <script>.
Update these links to use https:// or, preferably, use protocol-relative URLs (such as //example.com/asset.js) or root-relative paths (such as /images/logo.png).
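The following Python script is an added example, not part of this topic, that automates the search described above: it lists every subresource tag in a page that still loads over http:// (navigation links such as <a href> are skipped because they do not cause the warning) and proposes the replacement the topic recommends, a root-relative path for same-site assets and https:// for third-party assets. SAMPLE_HTML is a constructed page, and the site host name passed to suggest_fix() is an assumption supplied by the caller.

```python
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Tag -> attribute pairs that fetch a subresource. A plain-HTTP URL here is
# what triggers the Mixed Content warning; <a href> links only navigate.
SUBRESOURCE_ATTRS = {"img": "src", "script": "src", "link": "href",
                     "iframe": "src", "video": "src", "audio": "src", "source": "src"}

class MixedContentScanner(HTMLParser):
    """Collect (line number, tag, url) for every subresource loaded over http://."""
    def __init__(self):
        super().__init__()
        self.findings = []

    def handle_starttag(self, tag, attrs):
        wanted = SUBRESOURCE_ATTRS.get(tag)
        for name, value in attrs:
            if name == wanted and value and value.lower().startswith("http://"):
                self.findings.append((self.getpos()[0], tag, value))

def find_mixed_content(html: str) -> list:
    scanner = MixedContentScanner()
    scanner.feed(html)
    scanner.close()
    return scanner.findings

def suggest_fix(url: str, site_host: str) -> str:
    """Same-host assets become root-relative paths; everything else is switched to https://."""
    parts = urlsplit(url)
    if parts.hostname == site_host.lower():
        path = parts.path or "/"
        return path + ("?" + parts.query if parts.query else "")
    return "https://" + url[len("http://"):]

# Constructed sample page with two insecure subresources and one harmless link.
SAMPLE_HTML = """<html><head>
<link rel="stylesheet" href="http://example.com/css/site.css">
<script src="https://cdn.example.net/app.js"></script>
</head><body>
<img src="HTTP://cdn.example.net/logo.png">
<a href="http://example.com/about">About</a>
</body></html>"""

if __name__ == "__main__":
    for line, tag, url in find_mixed_content(SAMPLE_HTML):
        print(f"line {line}: <{tag}> loads {url} -> use {suggest_fix(url, 'example.com')}")
```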