Create this destination to install the issued certificates as the server TLS certificate of an Nginx web server. Note that:

• On certificate issuance, Certificate Manager ignores any user-provided CSR and uses instead a CSR generated at the destination along with the key pair. 
• On renewal, the operating system timestamp may remain the same, but the contents of the certificate are always updated.

See below for how to create an Nginx web server destination.

To create an Nginx web server destination in Certificate Manager

1. If not already installed, install Python 3.9 or newer on the Nginx web server. 
2. Log in as an administrator with one of the following roles:
   • The global_admin role.
   • A <user_defined> role with permission to create destinations.
3. Go to Automate > Destinations.
4. Click Create to configure the following settings.  
   • Label
   • Owner
   • Description
   • Authorization Tags
   • Select Destination Type
   • Host
   • User
   • Password
   • Private Key File
   • Private Key Password
   • Certificate Destination
   • Backup path
   • Retain Backup files
   • Is sudo access required?
   • Sudo password
   • Restart the Nginx web server
   • HTTPS Port

5. Click Verify to check the connection with the destination.

6. Check the fingerprint of the host key displayed after the verification.

7. If you trust the key, click Create to confirm the destination creation. 

Label

A descriptive name of the destination.

Owner

The username of the destination owner. 

Description

A description of the destination purpose.

Authorization Tags

A list of authorization tags. The Custom Roles with any of these tags will grant permissions on the source.

Select Destination Type

Select the following value.

Host

The hostname or IP address of the machine hosting the web server.

User

The username for opening an SSH session in the machine hosting the web server. 

Password

The user password for opening an SSH session in the machine hosting the web server. Skip this optional parameter if the user will authenticate with a private key.

Private Key File

Click Select File to import a keystore containing the user's private key. Skip this optional parameter if the user will authenticate with a password.

Private Key Password

The password of the keystore containing the user's private key. Skip this optional parameter if the user will authenticate with a password.

Certificate Destination

The path of the certificate and the key in the machine hosting the Nginx web server, Select default to publish the certificate and the key in the following default paths.

Select customized to set the certificate and key path in the following fields.

• Destination Certificate Path
• Destination Key Path

Backup path

The folder to back up the certificate and the private key until they are successfully deployed. 

• The certificate is backed up in the following file. 
  <backup-path>/<uuid>/backup/backup_cert_<YYYYMMDDHHMMSS>.pem
• The private key is backed up in the following file. 
  <backup-path>/<uuid>/backup/key_cert_<YYYYMMDDHHMMSS>.pem

Where:

• <backup-path> is the path entered in the Backup path field.
• <uuid> is a timestamp-based UUID that changes with each issuance backup. 
• <YYYYMMDDHHMMSS> is a timestamp in YYYYMMDDHHMMSS format.

Mandatory: No. This optional parameter defaults to the /tmp folder, which the operating system periodically purges.

Retain Backup files

Check this box to retain the backup files of old keys and certificates, even after successfully deploying the new ones and restarting the server.

Is sudo access required?

Check this box if pushing the certificate and the key in the destination requires sudo access.

Sudo password

The password of a user with sudo permission. 

Mandatory: When Is sudo access required? is checked,

Restart the Nginx web server

Yes to restart the web server after pushing the certificate and the key, No otherwise.

HTTPS Port

The TLS port of the host machine.

Mandatory: When Restart the  Nginx  server is Yes.