Nginx is a popular webserver second to Apache2. How do you install self-signed certificates for it?
An SSL/TLS certificate is a mechanism that allows private communication between two network devices. SSL/TLS is the protocol that enables secure communication between webservers and web clients.
When it comes to SSL/TLS implementations, there are basically two types of certificates: one signed by a trusted certificate authority (CA), and the other a self-signed certificate.
This lesson 48 tutorial shows students and new users how to create self-signed certificates and install them on Nginx webservers.
Step 1: Installing Nginx Webserver
Before you can install a self-signed certificate for Nginx, you must first install the Nginx webserver. To do that, run the commands below:
sudo apt-get update
sudo apt-get install nginx
Step 2: Creating Self-signed certificates
When you can’t install a trusted certificate from a CA, you may get by with a self-signed certificate. Both trusted and self-signed certificates use the same encryption strength; the only difference is that one is trusted by a third party and the other is not.
When you’re ready, run the commands below to generate the server private key as well as the self-signed SSL/TLS certificate.
sudo openssl req -x509 -nodes -days 365 -newkey rsa:2048 -keyout /etc/ssl/private/nginx-selfsigned.key -out /etc/ssl/certs/nginx-selfsigned.crt
Creating the private key and certificate will prompt you to answer a few questions like the ones below. Answer the questions and both the key and certificate will be created.
Generating a 2048 bit RSA private key
writing new private key to 'mydomain.key'
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
Country Name (2 letter code) [AU]:US
State or Province Name (full name) [Some-State]:Minnesota
Locality Name (eg, city) []:Minneapolis
Organization Name (eg, company) [Internet Widgits Pty Ltd]:My Blog Company
Organizational Unit Name (eg, section) []:SSL
Common Name (e.g. server FQDN or YOUR name) []:example.com
Email Address []:firstname.lastname@example.org
Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []: leave blank
An optional company name []:
When you’re done above, the private key will be stored in the /etc/ssl/private/ folder as nginx-selfsigned.key.
The certificate will be stored in the /etc/ssl/certs/ folder as nginx-selfsigned.crt.
Step 3: Installing the certificate
After generating the certificate, the next step will be to install it on the Nginx server. To do that, open the Nginx config file in Ubuntu and add the lines below. Make sure to include them in the server block of the file and save it.
sudo nano /etc/nginx/sites-enabled/default
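listen 443 ssl default_server;
listen [::]:443 ssl default_server;
ssl_certificate /etc/ssl/certs/nginx-selfsigned.crt;
ssl_certificate_key /etc/ssl/private/nginx-selfsigned.key;
# TLSv1 and TLSv1.1 are deprecated (RFC 8996); TLSv1.3 needs Nginx built against OpenSSL 1.1.1 or later
ssl_protocols TLSv1.2 TLSv1.3;
ssl_ciphers "HIGH:!aNULL:!MD5:!3DES";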
After making the changes above, run the commands below to test your settings.
sudo nginx -t
If you don’t see any error messages, then you’re good. Restart the Nginx web server by running the command below.
sudo systemctl restart nginx
Now browse to the server via hostname or IP using https and you’ll get a certificate warning because the certificate is self-signed.
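The script below is an added example, not part of the original tutorial: it repeats the Step 2 command without the prompts and runs the checks worth doing before Nginx is pointed at the files. The function names, the scratch directory, the -subj/-addext options and the example.com hostname are assumptions of this example.

```shell
#!/bin/sh
# Added example (not from the original tutorial): non-interactive version of
# Step 2 plus checks to run before Nginx is pointed at the files.

# make_selfsigned DIR HOST: same "openssl req" call as Step 2; -subj replaces
# the prompts and -addext (OpenSSL 1.1.1+) adds the subjectAltName that
# browsers match against instead of the Common Name.
make_selfsigned() {
    openssl req -x509 -nodes -days 365 -newkey rsa:2048 \
        -subj "/CN=$2" -addext "subjectAltName=DNS:$2" \
        -keyout "$1/nginx-selfsigned.key" \
        -out "$1/nginx-selfsigned.crt" 2>/dev/null || return 1
    chmod 600 "$1/nginx-selfsigned.key"   # -nodes leaves the key unencrypted
}

# pair_matches CRT KEY: true only if the certificate carries the public key
# derived from the private key; "nginx -t" fails on a mismatch.
pair_matches() {
    crt_pub=$(openssl x509 -in "$1" -noout -pubkey 2>/dev/null) || return 1
    key_pub=$(openssl pkey -in "$2" -pubout 2>/dev/null) || return 1
    [ "$crt_pub" = "$key_pub" ]
}

# has_san CRT HOST: true if HOST is listed as a DNS subjectAltName.
has_san() { openssl x509 -in "$1" -noout -text | grep -qF "DNS:$2"; }

# valid_for CRT SECONDS: true if the certificate is still valid SECONDS from now.
valid_for() { openssl x509 -in "$1" -noout -checkend "$2" >/dev/null; }

# fingerprint CRT: SHA-256 fingerprint, to compare with the certificate the
# browser shows on its warning page before accepting it.
fingerprint() { openssl x509 -in "$1" -noout -fingerprint -sha256 | cut -d= -f2; }

# Demo in a scratch directory (assumption); on the server pass the
# /etc/ssl/certs and /etc/ssl/private files from Step 2 to the checks instead.
demo=$(mktemp -d)
if make_selfsigned "$demo" example.com; then
    crt="$demo/nginx-selfsigned.crt"; key="$demo/nginx-selfsigned.key"
    pair_matches "$crt" "$key" && echo "key matches certificate"
    has_san "$crt" example.com && echo "SAN present"
    valid_for "$crt" 2592000 || echo "expires within 30 days"
    echo "fingerprint: $(fingerprint "$crt")"
fi
rm -rf "$demo"
```

Comparing the printed fingerprint with the one shown in the browser's certificate details confirms that the warning is for your own certificate and not for one presented by something in between.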