Installing Self-Signed SSL/TLS Certificates for Nginx

This brief tutorial shows students and new users how to install self-signed SSL/TLS certificates on an Nginx web server.

An SSL/TLS certificate is a mechanism that allows private communication between two network devices. It is used by the SSL/TLS protocol, which enables secure communication between web servers and web clients.

When it comes to SSL/TLS implementations, there are basically two types of certificates: those signed by a trusted certificate authority (CA) and self-signed certificates.

This lesson 48 tutorial shows students and new users how to create self-signed certificates and install them on Nginx web servers.

Step 1: Installing Nginx Webserver

Before you can install a self-signed certificate for Nginx, you must first install the Nginx web server. To do that, run the commands below:

sudo apt-get update
sudo apt-get install nginx

Step 2: Creating Self-signed certificates

When you can’t install a trusted certificate from a CA, you may get by with a self-signed certificate. Both trusted and self-signed certificates use the same encryption strength; the only difference is that one is trusted by a third party and the other is not.

When you’re ready, run the commands below to generate the server private key as well as the self-signed SSL/TLS certificate.

sudo openssl req -x509 -nodes -days 365 -newkey rsa:2048 -keyout /etc/ssl/private/nginx-selfsigned.key -out /etc/ssl/certs/nginx-selfsigned.crt

When creating the private key and certificate, you will be prompted to answer a few questions like the ones below. Complete the questions and both the key and certificate will be created.

Generating a 2048 bit RSA private key
writing new private key to 'mydomain.key'
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
Country Name (2 letter code) [AU]:US
State or Province Name (full name) [Some-State]:Minnesota
Locality Name (eg, city) []:Minneapolis
Organization Name (eg, company) [Internet Widgits Pty Ltd]:My Blog Company
Organizational Unit Name (eg, section) []:SSL
Common Name (e.g. server FQDN or YOUR name) []
Email Address []:[email protected]

Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []: leave blank
An optional company name []:

When you’re done, the private key will be stored in the /etc/ssl/private/ folder as nginx-selfsigned.key.

The certificate will be stored in the /etc/ssl/certs/ folder as nginx-selfsigned.crt.

Step 3: Installing the certificate

After generating the certificate, the next step is to install it on the Nginx server. To do that, open the Nginx config file in Ubuntu and add the lines below. Make sure to include them in the server block of the file and save it.

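sudo nano /etc/nginx/sites-enabled/default

# Only the server block goes in this file; worker_processes and http { }
# belong in /etc/nginx/nginx.conf, which includes this file inside http { }.
server {
    # "ssl" on the listen directive replaces the deprecated "ssl on;"
    listen 443 ssl default_server;
    listen [::]:443 ssl default_server;

    root /var/www/html;
    server_name _;

    # TLSv1 and TLSv1.1 are deprecated; allow only TLSv1.2 and TLSv1.3
    ssl_protocols       TLSv1.2 TLSv1.3;
    ssl_ciphers         "HIGH:!aNULL:!MD5:!3DES";
    ssl_certificate     /etc/ssl/certs/nginx-selfsigned.crt;
    ssl_certificate_key /etc/ssl/private/nginx-selfsigned.key;
}
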

After making the changes above, run the commands below to test your settings.

sudo nginx -t

If you don’t see any error messages then you’re good. Restart the Nginx web server by running the commands below.

sudo systemctl restart nginx

Then browse to the server via hostname or IP using https and you’ll get a certificate warning because the certificate is self-signed.
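
The steps above can be checked before reloading Nginx. The following is an added example, not part of the original tutorial: a non-interactive form of the Step 2 command plus pre-flight checks on the resulting pair. The function names make_selfsigned and check_pair and the 30-day expiry threshold are assumptions; -addext needs OpenSSL 1.1.1 or later.

```shell
#!/bin/sh
# Added example; function names are hypothetical, not from the tutorial.

# Non-interactive form of the Step 2 command. -subj answers the prompts,
# -addext (OpenSSL 1.1.1+) adds the subjectAltName that current clients
# match the hostname against.
make_selfsigned() {
    dir=$1; host=$2
    mkdir -p "$dir" &&
    openssl req -x509 -nodes -days 365 -newkey rsa:2048 \
        -subj "/CN=$host" -addext "subjectAltName=DNS:$host" \
        -keyout "$dir/nginx-selfsigned.key" \
        -out "$dir/nginx-selfsigned.crt" 2>/dev/null &&
    chmod 600 "$dir/nginx-selfsigned.key"
}

# Pre-flight checks before "nginx -t". Returns 0 if all pass, 1 otherwise.
check_pair() {
    cert=$1; key=$2

    # 1. The certificate must carry the public half of this private key.
    cert_pub=$(openssl x509 -in "$cert" -noout -pubkey 2>/dev/null) || {
        echo "FAIL: cannot read certificate $cert"; return 1; }
    key_pub=$(openssl pkey -in "$key" -pubout 2>/dev/null) || {
        echo "FAIL: cannot read private key $key"; return 1; }
    [ "$cert_pub" = "$key_pub" ] || {
        echo "FAIL: private key does not match certificate"; return 1; }

    # 2. -checkend N exits non-zero if the certificate expires within N seconds.
    openssl x509 -in "$cert" -noout -checkend $((30 * 86400)) >/dev/null || {
        echo "FAIL: certificate expires within 30 days"; return 1; }

    # 3. The -nodes key is unencrypted, so file permissions are its only
    #    protection: no access bits for group or others.
    [ "$(ls -ld "$key" | cut -c5-10)" = "------" ] || {
        echo "FAIL: $key is accessible to group or others"; return 1; }

    echo "OK: $cert and $key are consistent"
}

# Usage with the Step 2 paths (run as root, since the key is root-only):
#   check_pair /etc/ssl/certs/nginx-selfsigned.crt /etc/ssl/private/nginx-selfsigned.key
```
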