SSL (stands for Secure Sockets Layer) and its successor, TLS (stands for Transport Layer Security) are cryptographic protocols to secure communication over the Internet. It can be used to create a secure connection to a website.
Make sure that Nginx and OpenSSL are installed on your server. In this article, we’ll demonstrate the process by generating a self-signed SSL certificate.
We’ll create a directory (and enter it) inside /etc/nginx (assuming that directory is Nginx’s config directory), by:
sudo mkdir /etc/nginx/ssl
cd /etc/nginx/ssl # we'll perform our next few steps in this dir
Let’s start by creating the site’s private key. In this example, we’ll use 4096-bit key for stronger security. Note that 2048-bit is also secure, but DO NOT USE A 1024-BIT PRIVATE KEY!
sudo openssl genrsa -out example.com.key 4096
Now, create a certificate signing request (CSR) for signing the cert. We’ll use 512-bit SHA-2. Note the -sha512
option.
sudo openssl req -new -key example.com.key -out example.com.csr -sha512
It will prompt a lists of fields that need to be filled in. Make sure Common Name
is set to your domain name! Also, leave A challenge password
and An optional company name
blank.
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [AU]:US
State or Province Name (full name) [Some-State]:CA
Locality Name (eg, city) []:LosAngeles
Organization Name (eg, company) [Internet Widgits Pty Ltd]:Example Inc
Organizational Unit Name (eg, section) []:Security
Common Name (e.g. server FQDN or YOUR name) []:*.example.com
Email Address []:webmaster@example.com
Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:
An optional company name []:
Almost done! Now we just have to sign it. Don’t forget to replace 365 (expiry after 365 days) to the number of days that you would prefer.
sudo openssl x509 -req -days 365 -in example.com.csr -signkey example.com.key -out example.com.crt -sha512
Now, we’re done making a self-signed certificate.
Open Nginx’s example SSL config file:
sudo nano /etc/nginx/conf.d/example_ssl.conf
Uncomment within the section under the line HTTPS Server. Match your config to the information below, replacing the example.com
in the server_name
line with your domain name or IP address. Also set your root directory.
# HTTPS server
server {
listen 443 ssl;
server_name example.com;
ssl_certificate /etc/nginx/ssl/example.com.crt;
ssl_certificate_key /etc/nginx/ssl/example.com.key;
ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
ssl_prefer_server_ciphers on;
ssl_ecdh_curve secp384r1;
ssl_ciphers ECDHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-SHA384:DHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES256-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA256:ECDHE-RSA-AES256-SHA:!aNULL:!eNULL:!EXPORT:!DES:!3DES:!MD5:!PSK:!RC4; # no RC4 and known insecure cipher
location / {
root /usr/share/nginx/html;
index index.html index.htm;
}
}
Then restart Nginx.
service nginx restart
Now, visit your website with an https
address ( https://your.address.tld
). Your web browser will show a secure connection using your self-signed certificate.