Unencrypted HTTP traffic exposes your site to data leaks, content tampering, and browser warnings that erode user trust. Installing an SSL certificate on your Windows-based Nginx server enables HTTPS, which encrypts data in transit and displays a trusted lock icon in visitors' browsers.
Prerequisites
Before you begin, make sure that you have:
A valid SSL certificate issued by a trusted certificate authority (CA). If the certificate is expired or about to expire, renew it first.
A certificate that matches every domain you want to secure. To add or change domains, purchase a commercial certificate or append and replace domain names.
The Administrator account or an account with administrator permissions on the server.
A DNS record that resolves the domain to the server's public IP address.
Nginx installed on Windows (this guide uses Windows Server 2025 and Nginx 1.28.0 with an installation directory of D:\nginx-1.28.0 as an example).
Deployment steps may vary depending on the operating system or web server version.
Domain matching rules
Certificate type | Coverage | Example
Exact-match | The specified domain only |
Wildcard | First-level subdomains only |
To match multi-level subdomains, the Bound Domains field must contain the exact domain (such as a.b.example.com) or a corresponding wildcard (such as *.b.example.com).
Step 1: Download and upload the certificate
Go to the SSL Certificate Management page. In the Actions column of the target certificate, click Download Certificate. On the Download tab, download the certificate for the Server Type Nginx.
Extract the downloaded package. It contains:
A certificate file (.pem)
A private key file (.key)
Important: If the package does not include a .key file, use the private key you saved locally when you generated the Certificate Signing Request (CSR). If the private key is lost, the certificate is unusable. Purchase a new certificate and generate a new CSR and private key.
Upload both files to a secure directory on your server, outside the Nginx web root. This guide uses D:\cert as the example path.
Upload files through ECS Workbench
If your server is an Alibaba Cloud Elastic Compute Service (ECS) instance, follow these steps to transfer the files:
Go to ECS console - Instances. In the top navigation bar, select the target region and resource group.
Locate the target instance. Click Connect and select Sign in now. Log on to the server desktop as prompted.
Click the Start menu and open This PC.
Under Redirected drives and folders, double-click workbench on \*. Drag the certificate files from your local machine into this directory, then right-click the folder and select Refresh.
Copy the certificate files to the D:\cert directory.
When you reconnect to or exit the instance, workbench automatically clears all uploaded files from the Redirected drives and folders directory. This directory is for file transfer only -- do not save files here.
Step 2: Open port 443
HTTPS uses TCP port 443. Make sure this port is open in both the cloud security group and the Windows Firewall.
Open port 443 in the security group
If your server runs on a cloud platform, its security group must allow inbound access on TCP port 443. Otherwise, HTTPS is unreachable from the internet. The following steps use Alibaba Cloud ECS as an example.
Go to the ECS instance page, select the region of the target instance, and click the instance name to open its details page.
Click Security Groups > Internal Inbound Rules and verify that a rule exists with the following settings:
Setting | Value
Action | Allow
Protocol Type | TCP
Destination Port Range | HTTPS (443)
Authorization Object | Anywhere (0.0.0.0/0)
If no such rule exists, add a security group rule with these settings.
Open port 443 in Windows Firewall
Log on to the Windows server. Click the Start menu and open Control Panel.
Go to System and Security > Windows Firewall > Check firewall status.
If the firewall is off, no further action is needed.
If the firewall is on:
In the left navigation pane, click Advanced settings > Inbound Rules. Check for a rule where the Protocol is TCP, the Local Port is 443, and the Action is Block.
If such a rule exists, right-click it and select Properties. On the General tab, change the setting to Allow the connection and click Apply.
Step 3: Configure Nginx for HTTPS
Open the Nginx configuration file. The default path is D:\nginx-1.28.0\conf\nginx.conf.
Add an HTTPS server block
Add a new server block that listens on port 443 with SSL enabled. Specify the certificate and private key paths:
server {
    listen 443 ssl;
    server_name yourdomain.com www.yourdomain.com;
    # Certificate and private key paths (replace with your actual paths)
    ssl_certificate D:\\cert\\example.com.pem;
    ssl_certificate_key D:\\cert\\example.com.key;
    location / {
        proxy_pass http://127.0.0.1:8000;
    }
}
The .pem file should include both the server certificate and the intermediate certificate(s), with the server certificate first. If they are in separate files, concatenate them (on Windows, you can do this in PowerShell). If the order is wrong, Nginx fails to start with an error like SSL_CTX_use_PrivateKey ... key values mismatch.
(Optional) Tune SSL settings
Nginx 1.28.0 defaults to TLSv1.2 and TLSv1.3, which are secure. However, older Nginx versions may accept TLSv1.0 and TLSv1.1 by default. To ensure consistent security across all versions, explicitly configuring ssl_protocols is recommended for production environments. See Going live for details. To customize SSL behavior, add these directives inside the server block:
    # Session cache and timeout (improves performance by reusing SSL sessions)
    ssl_session_cache shared:SSL:1m;
    ssl_session_timeout 5m;
    # TLS protocol versions (TLSv1.2 and TLSv1.3 are recommended)
    ssl_protocols TLSv1.2 TLSv1.3;
    # Cipher suite configuration
    ssl_ciphers ECDHE-RSA-AES128-GCM-SHA256:ECDHE:ECDH:AES:HIGH:!NULL:!aNULL:!MD5:!ADH:!RC4;
    # Prefer the server's cipher order
    ssl_prefer_server_ciphers on;
(Optional) Redirect HTTP to HTTPS
To automatically redirect all HTTP traffic to HTTPS, replace the contents of your port 80 server block with a redirect:
server {
    listen 80;
    server_name yourdomain.com www.yourdomain.com;
    return 301 https://$host$request_uri;
}
The 301 status code signals a permanent redirect. $host preserves the requested domain, and $request_uri preserves the path and query string.
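As an added example (not part of the original guide), the following Python script checks an nginx.conf for the settings covered in Step 3: a port 443 block that names both ssl_certificate and ssl_certificate_key, an ssl_protocols line without TLSv1.0/1.1, and a port 80 block that returns a 301 redirect to https://. Both configurations embedded in it are constructed for this example; the weak one sits beside the hardened one so the findings can be compared.

```python
import re
WEAK_PROTOCOLS = {"SSLv2", "SSLv3", "TLSv1", "TLSv1.1"}
# Constructed config (not from the guide): port 80 still serves content; port 443 allows TLSv1/1.1 and lacks ssl_certificate_key.
WEAK_CONF = r"""
server { listen 80; location / { proxy_pass http://127.0.0.1:8000; } }
server { listen 443 ssl; ssl_certificate D:\\cert\\example.com.pem; ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
         location / { proxy_pass http://127.0.0.1:8000; } }
"""
# The same site with the settings this guide recommends.
HARDENED_CONF = r"""
server { listen 80; return 301 https://$host$request_uri; }
server { listen 443 ssl; ssl_certificate D:\\cert\\example.com.pem; ssl_certificate_key D:\\cert\\example.com.key;
         ssl_protocols TLSv1.2 TLSv1.3; location / { proxy_pass http://127.0.0.1:8000; } }
"""

def server_blocks(conf):
    """Body of each server { ... } block, brace-aware so nested location {} stays inside."""
    bodies, pos = [], 0
    while m := re.search(r"\bserver\s*\{", conf[pos:]):
        start = pos = pos + m.end()
        depth = 1
        while depth:  # walk forward to the matching closing brace
            depth += {"{": 1, "}": -1}.get(conf[pos], 0)
            pos += 1
        bodies.append(conf[start:pos - 1])
    return bodies

def directive(body, name):
    """Arguments of the first `name ...;` directive in body, or None if absent."""
    m = re.search(r"\b" + re.escape(name) + r"\s+([^;]+);", body)
    return m.group(1).split() if m else None

def audit(conf):
    """Findings for the weak settings this guide warns about; an empty list means clean."""
    findings = []
    for n, body in enumerate(server_blocks(conf), 1):
        listen = directive(body, "listen") or []
        port = listen[0].rsplit(":", 1)[-1] if listen else ""
        if port == "80":
            ret = directive(body, "return") or []
            if len(ret) < 2 or ret[0] != "301" or not ret[1].startswith("https://"):
                findings.append(f"server #{n}: port 80 does not redirect to HTTPS")
        elif port == "443":
            findings += [f"server #{n}: missing {d}" for d in ("ssl_certificate", "ssl_certificate_key") if not directive(body, d)]
            protos = directive(body, "ssl_protocols")
            if protos is None:
                findings.append(f"server #{n}: ssl_protocols not set (older Nginx may allow TLSv1.0/1.1)")
            elif weak := sorted(set(protos) & WEAK_PROTOCOLS):
                findings.append(f"server #{n}: weak protocols enabled: {' '.join(weak)}")
    return findings
```

Run audit() on the text of your own nginx.conf before reloading; it complements, rather than replaces, the syntax check that `nginx.exe -t` performs.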
Validate and reload
Open Command Prompt, navigate to the Nginx installation directory, and test the configuration:
.\nginx.exe -t
If the output shows syntax is ok and test is successful, the configuration is valid. Otherwise, fix the errors reported in the output.
Reload Nginx to apply the changes:
.\nginx.exe -s reload
Step 4: Verify the deployment
Open a web browser and go to https://yourdomain.com (replace with your actual domain). If a lock icon appears in the address bar, the certificate is deployed successfully.
Starting from Chrome 117, the lock icon has been replaced with a tune icon. Click this icon to view certificate details.
If the lock icon does not appear or the page is inaccessible, clear the browser cache or try again in incognito mode.
If the issue persists, see FAQ for troubleshooting.
Going live
When deploying to production, follow these practices to strengthen security and reliability:
Run as a non-administrator user. Create a dedicated, low-privilege system user for the application. Never run the application under an administrator account.
Consider deploying the SSL certificate on a Server Load Balancer (SLB) at the gateway layer. The SLB terminates HTTPS traffic and forwards decrypted HTTP traffic to backend servers, offloading the cryptographic workload.
Externalize credential management. Never hard-code passwords or secrets in code or configuration files. Use environment variables, a vault, or a cloud key management service.
Enforce HTTPS redirection. Redirect all HTTP traffic to HTTPS to prevent man-in-the-middle attacks.
Disable insecure TLS versions. In the Nginx configuration, set ssl_protocols TLSv1.2 TLSv1.3; to disable SSLv3, TLSv1.0, and TLSv1.1.
Monitor certificate expiration. Enable domain monitoring so that Alibaba Cloud checks validity and sends renewal reminders before expiration. See Purchase and enable public domain name monitoring.
FAQ
Why is HTTPS inaccessible after installing the certificate?
Check these common causes in order:
Port 443 is blocked. Verify that the security group and Windows Firewall allow inbound TCP traffic on port 443. See Step 2: Open port 443.
Domain mismatch. The domain in the browser does not match the certificate's Bound Domains. See Domain matching rules.
Nginx was not reloaded. Run .\nginx.exe -s reload after modifying nginx.conf.
Wrong certificate paths. Confirm that ssl_certificate and ssl_certificate_key point to the correct, up-to-date files.
Certificate missing on intermediate services. If the domain passes through Content Delivery Network (CDN), Server Load Balancer (SLB), or Web Application Firewall (WAF), install the certificate on those services too. See Certificate deployment locations when traffic passes through multiple Alibaba Cloud services.
Incomplete multi-server deployment. If the domain's DNS resolves to multiple servers, install the certificate on all of them.
For further troubleshooting, see Resolve certificate deployment issues based on browser error messages and SSL certificate deployment troubleshooting guide.
How do I update or replace an existing SSL certificate?
Back up the existing certificate (.pem) and private key (.key) files on the server.
Download the new certificate from the Certificate Management Service console.
Upload the new files to the server, overwriting the old ones. Keep the file paths and names identical to what nginx.conf references.
Reload Nginx: .\nginx.exe -s reload
How do I disable TLSv1.0 and TLSv1.1?
Some browsers show a "certificate does not meet standards" warning when older TLS versions are enabled. To disable them:
Open nginx.conf and locate the server block for port 443.
Set the ssl_protocols directive to ssl_protocols TLSv1.2 TLSv1.3;.
Save the file and run .\nginx.exe -s reload
Why does Nginx fail to start with bind() to 0.0.0.0:443 failed?
Another process is already using port 443. To resolve this:
Identify the process using the port:
netstat -ano | findstr ":443"
The last column in the output shows the Process ID (PID) of the conflicting process.
Stop the conflicting process using Task Manager or by stopping the corresponding application (such as another web server).
Start or reload Nginx again.
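As an added example (not part of the original guide), this Python helper parses netstat -ano output and reports only TCP sockets that are LISTENING on the local port you ask about. A plain findstr ":443" also matches lines such as a :4430 listener or an outbound connection whose remote side is :443, which is why the sample output below (constructed for this example) includes both.

```python
# Constructed sample of `netstat -ano` output; the PIDs and addresses are made up.
NETSTAT_SAMPLE = """
  Proto  Local Address          Foreign Address        State           PID
  TCP    0.0.0.0:80             0.0.0.0:0              LISTENING       4
  TCP    0.0.0.0:443            0.0.0.0:0              LISTENING       1584
  TCP    0.0.0.0:4430           0.0.0.0:0              LISTENING       2212
  TCP    10.0.0.5:51012         203.0.113.9:443        ESTABLISHED     3020
  TCP    [::]:443               [::]:0                 LISTENING       1584
  UDP    0.0.0.0:443            *:*                                    7016
"""

def listeners_on_port(netstat_output, port=443):
    """Map PID -> list of local addresses for TCP sockets LISTENING on `port`.

    Only the *local* address column is inspected and the port must match exactly,
    so :4430 and connections whose foreign address ends in :443 are ignored.
    UDP rows have no State column and are skipped by the column-count check.
    """
    listeners = {}
    for line in netstat_output.splitlines():
        cols = line.split()
        if len(cols) == 5 and cols[0] == "TCP" and cols[3] == "LISTENING":
            local = cols[1]
            if local.rsplit(":", 1)[-1] == str(port):  # works for IPv4 and [::]:port
                listeners.setdefault(int(cols[4]), []).append(local)
    return listeners
```

Feed it the real output with `netstat -ano` redirected to a file, then look the PIDs up in Task Manager as the FAQ describes.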
Why does my browser show a mixed content warning instead of a lock icon?
A Mixed Content warning appears when an HTTPS page loads resources (images, scripts, or stylesheets) over HTTP. To fix this:
Inspect the page source (HTML, CSS, and JavaScript).
Find any hardcoded http:// URLs in tags like <img>, <link>, and <script>.
Change them to https://, or use protocol-relative URLs (//example.com/asset.js) or root-relative paths (/images/logo.png).
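As an added example (not part of the original guide), the following Python scanner automates the inspection step above: it walks the HTML, reports every sub-resource tag whose URL uses the http:// scheme, and rewrites a URL the way the FAQ suggests. The page it scans is constructed for this example; the tag-to-attribute map is an assumption covering the common sub-resource tags.

```python
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Tag -> attribute that makes the browser fetch a sub-resource. <a href> is deliberately
# absent: a navigation link to http:// is not mixed content.
RESOURCE_ATTRS = {"img": "src", "script": "src", "link": "href", "iframe": "src", "source": "src"}

# Constructed page (not from the guide) with two same-host assets and one third-party
# script still loaded over plain HTTP.
SAMPLE_HTML = """<html><head>
<link rel="stylesheet" href="http://example.com/css/site.css">
<script src="https://cdn.example.net/lib.js"></script>
</head><body>
<img src="http://example.com/images/logo.png">
<a href="http://other.example.org/page">a link, not a sub-resource</a>
<script src="HTTP://cdn.example.net/old.js"></script>
</body></html>"""

class MixedContentScanner(HTMLParser):
    def __init__(self):
        super().__init__()
        self.findings = []  # (tag, line number, url) for each http:// sub-resource

    def handle_starttag(self, tag, attrs):
        attr = RESOURCE_ATTRS.get(tag)
        url = dict(attrs).get(attr) if attr else None
        if url and urlsplit(url.strip()).scheme.lower() == "http":
            self.findings.append((tag, self.getpos()[0], url))

def find_mixed_content(html):
    scanner = MixedContentScanner()
    scanner.feed(html)
    return scanner.findings

def fix_url(url, site_host):
    """Rewrite one http:// URL as the FAQ suggests: same-host assets become root-relative
    paths, third-party assets switch to https://. Other URLs are returned unchanged."""
    parts = urlsplit(url.strip())
    if parts.scheme.lower() != "http":
        return url
    if parts.hostname == site_host.lower():
        return parts.path + ("?" + parts.query if parts.query else "")
    return "https://" + url.strip()[len("http://"):]
```

The scanner only sees URLs present in the HTML source; assets injected by JavaScript or referenced from CSS files need the same check applied to those files.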