Assuming the cert files are not kept open, you could store them in a protected vault with the password in them, place them (copy from vault) where nginx wants them, close vault, start nginx and overwrite/remove the files. Posted at Nginx Forum: https://forum.nginx.org/read.php?2,262900,262912#msg-262912