A self-signed SSL certificate encrypts the connection between a server and its users just like a CA-signed one does. What it cannot do is prove identity: since no certificate authority vouches for it, a browser cannot tell your certificate apart from one an attacker generated for the same name, which is why every major browser warns before loading the site. Self-signed certificates are therefore a good fit for test servers, internal services, and clients you can hand the certificate or its fingerprint to out of band. For a public site, asking visitors to click through the warning trains them to accept any certificate, so use one issued by a CA there instead. This page shows how to create a self-signed SSL certificate and install it on an Nginx web server.
I’ve tested this tutorial on a DigitalOcean Ubuntu 14.04 VPS configured with Nginx, PHP5 and MySQL and hosting a WordPress site, so I’m writing this assuming you have configured, or will configure, your VPS using my tutorials.
We’ll start by creating a temporary working directory so leftovers can be deleted easily once we are done. Keep it outside the web root: the private key will sit here until it is installed.
sudo mkdir temp
Change to that directory,
cd temp
The following command creates a 2048-bit RSA private key encrypted with a passphrase. You’ll be asked to choose the passphrase; type something you can remember, as you’ll need it again in a minute. Replace example with your domain, or whatever name you like.
sudo openssl genrsa -des3 -out example.key 2048
Next, create a Certificate Signing Request (CSR) from that key. The following command does it,
sudo openssl req -new -key example.key -out example.csr
You’ll be asked a few questions; try to give accurate answers. The most important field is the Common Name: it must match the hostname users will type. If I’m adding SSL for https://example.com/, I type example.com as the Common Name. Be aware that current browsers (Chrome since version 58, for example) match the hostname against the certificate’s subjectAltName extension and ignore the Common Name, and the interactive prompt above adds no subjectAltName; Chrome reports such a certificate as NET::ERR_CERT_COMMON_NAME_INVALID in addition to the usual self-signed warning. If you need those browsers to accept the certificate cleanly, give it a subjectAltName listing example.com and www.example.com through an OpenSSL config file.
The passphrase you set earlier will become a nuisance: Nginx would have to prompt for it every time it starts, which rules out unattended restarts and reboots. It’s best to remove it now,
sudo cp example.key example.key.org
sudo openssl rsa -in example.key.org -out example.key
Type your passphrase one last time; you won’t need it again. Because the key is now stored unencrypted, file permissions are the only thing protecting it, so keep it readable by root alone. Now that we have everything we need, we can generate the self-signed certificate. The -sha256 flag matters on Ubuntu 14.04: its OpenSSL 1.0.1 would otherwise sign with SHA-1, which browsers no longer accept,
sudo openssl x509 -req -days 365 -sha256 -in example.csr -signkey example.key -out example.crt
Congratulations! You now have a self-signed SSL certificate valid for 365 days. Let’s copy it and the key to where they belong. You can create a new directory to hold your certificate and private key, but I’m using Ubuntu’s standard locations. On Ubuntu /etc/ssl/private is not world-readable, but make sure the copied key file itself is owned by root with mode 0600 as well; a world-readable private key lets any local user impersonate your site.
sudo cp example.crt /etc/ssl/certs/
sudo cp example.key /etc/ssl/private/
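The key, CSR, signing and install steps above, collected into one script as an added example; it is not code from the original tutorial. It generates the key without a passphrase in the first place instead of stripping one later, adds the subjectAltName that current browsers require, signs with SHA-256, checks that the key and certificate actually belong together, prints the fingerprint you will compare against the browser warning, and installs both files with root-only permissions on the key. It assumes OpenSSL 1.0.1 or newer (the SAN goes through a config file because the -addext option only exists in OpenSSL 1.1.1+), a hostname in the DOMAIN variable defaulting to example.com, and Ubuntu’s /etc/ssl layout; the function names are my own.

```shell
#!/bin/sh
# Added example, not part of the original tutorial: create a self-signed
# certificate with a subjectAltName, verify it, and install it for Nginx.
# Assumptions: OpenSSL >= 1.0.1 (Ubuntu 14.04 ships 1.0.1f, which has no
# -addext, hence the config file), DOMAIN set to your hostname, and
# Ubuntu's /etc/ssl layout. Function names are the author's own.
set -eu

DOMAIN="${DOMAIN:-example.com}"      # assumption: replace with your domain
WORK="${WORK:-$(mktemp -d)}"         # scratch dir outside the web root

# Minimal OpenSSL config: prompt=no takes the subject from [dn], and the
# v3_req section puts both hostnames into subjectAltName, which browsers
# check instead of the Common Name.
write_config() {
    cat > "$WORK/openssl.cnf" <<EOF
[req]
distinguished_name = dn
x509_extensions    = v3_req
prompt             = no

[dn]
CN = $DOMAIN

[v3_req]
subjectAltName   = DNS:$DOMAIN, DNS:www.$DOMAIN
basicConstraints = CA:FALSE
keyUsage         = digitalSignature, keyEncipherment
extendedKeyUsage = serverAuth
EOF
}

# Key and certificate in one step. -nodes leaves the key unencrypted so
# Nginx can start unattended (the tutorial reaches the same state by
# stripping the passphrase afterwards); umask 077 keeps the files private.
gen_cert() {
    write_config
    umask 077
    openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 365 \
        -keyout "$WORK/$DOMAIN.key" -out "$WORK/$DOMAIN.crt" \
        -config "$WORK/openssl.cnf" 2>/dev/null
}

# A certificate only works with the key it was made from: compare the
# public-key hashes instead of trusting that the right files were copied.
key_matches_cert() {
    k=$(openssl rsa -in "$WORK/$DOMAIN.key" -pubout 2>/dev/null | openssl dgst -sha256)
    c=$(openssl x509 -in "$WORK/$DOMAIN.crt" -noout -pubkey | openssl dgst -sha256)
    [ "$k" = "$c" ]
}

# The names the certificate is valid for, as browsers will see them.
cert_sans() {
    openssl x509 -in "$WORK/$DOMAIN.crt" -noout -text \
        | grep -A1 'Subject Alternative Name' | tail -n1 | sed 's/^ *//'
}

# The SHA-256 fingerprint is what a user compares against the browser
# warning; it is the only way to tell this certificate from an attacker's.
cert_fingerprint() {
    openssl x509 -in "$WORK/$DOMAIN.crt" -noout -fingerprint -sha256
}

# Install into Ubuntu's standard locations; the key is readable by root only.
install_cert() {
    sudo install -m 0644 "$WORK/$DOMAIN.crt" "/etc/ssl/certs/$DOMAIN.crt"
    sudo install -m 0600 "$WORK/$DOMAIN.key" "/etc/ssl/private/$DOMAIN.key"
}

# Usage: sh selfsigned.sh install   (no argument: only define the functions)
case "${1:-}" in
    install)
        gen_cert
        key_matches_cert || { echo "key/cert mismatch" >&2; exit 1; }
        echo "SAN: $(cert_sans)"
        cert_fingerprint
        install_cert
        rm -rf "$WORK"
        ;;
esac
```

Keep the fingerprint the script prints: once Nginx is serving the certificate, the same value must appear in the browser’s certificate details, and any mismatch means you are not talking to your own server.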
With that done, enable SSL for your domain in Nginx and point it at the certificate you just created. Open your domain’s virtual host file,
sudo nano /etc/nginx/sites-available/example.com
Add the following line before the line that reads server_name example.com www.example.com; (the ssl parameter on listen replaces the old ssl on; directive, which newer Nginx releases no longer accept),
listen 443 ssl;
Add the following lines after server_name example.com www.example.com;
ssl_session_timeout 5m;
ssl_protocols TLSv1.2;
ssl_ciphers HIGH:!aNULL:!MD5:!RC4;
ssl_prefer_server_ciphers on;
ssl_certificate /etc/ssl/certs/example.crt;
ssl_certificate_key /etc/ssl/private/example.key;
The protocol and cipher lines matter. SSLv2 and SSLv3 are broken, and RC4, export-grade and LOW-grade ciphers are all practically attackable, so the server should offer only TLS 1.2 (which Ubuntu 14.04’s OpenSSL 1.0.1 supports) with strong cipher suites; add TLSv1.1 or TLSv1 to ssl_protocols only if you must serve clients that cannot do better. The final code should look like this,
server {
    listen 443 ssl;
    server_name example.com www.example.com;
    ssl_session_timeout 5m;
    ssl_protocols TLSv1.2;
    ssl_ciphers HIGH:!aNULL:!MD5:!RC4;
    ssl_prefer_server_ciphers on;
    ssl_certificate /etc/ssl/certs/example.crt;
    ssl_certificate_key /etc/ssl/private/example.key;
    [....rest....]
Finally, restart Nginx,
sudo service nginx restart
Open your website in a browser using https://. You’ll see a warning about the certificate; that warning is expected, and it confirms the self-signed SSL is enabled for your domain. Before accepting it, open the certificate details in the warning and compare the SHA-256 fingerprint with the one of your example.crt: a matching fingerprint is the only way to tell your certificate from one an attacker has placed between you and the server.
If you get a connection error instead of a warning, check whether port 443 is blocked by iptables or any other firewall on your server, and look at the Nginx error log for a certificate path or permission problem.