Installing Self-Signed SSL Certificate for a Domain on Nginx

Self-signed SSL certificates can be used to secure connections between a server and a user. Although a self-signed certificate gives the end user an encrypted connection to the remote server, most web browsers will warn users before they visit such a server. This is because the certificate is not signed by a certificate authority. While the warning has its valid reasons, you can use self-signed SSL certificates for your domain if your brand is well reputed by your audience. This page will show you how to install a self-signed SSL certificate on an Nginx web server.

I’ve tested this tutorial on DigitalOcean Ubuntu 14.04 VPS where I had it configured with Nginx, PHP5, MySQL and hosting a WordPress site. So I’m writing this assuming you have configured or will configure your VPS using my tutorials.

We’ll start by creating a temporary directory so leftovers can be easily deleted after we are done,

sudo mkdir temp

Change to that directory,

cd temp

The following command will create a private key protected by a passphrase. You’ll be asked to create a passphrase. Type something you will remember, as you’ll need it in a minute. Replace example with your domain, or whatever you like.

sudo openssl genrsa -des3 -out example.key 2048

Next, you’ll need to create a Certificate Signing Request (CSR). The following command should do it,

sudo openssl req -new -key example.key -out example.csr

You’ll be asked a few questions; try to give accurate answers. The most important information you have to give is the Common Name. It should match your domain name. If I’m adding SSL for http://example.com/, I should be typing example.com as my Common Name.

The passphrase you set earlier will be annoying for you in the future. It’s best to remove it now,

sudo cp example.key example.key.org
sudo openssl rsa -in example.key.org -out example.key

Type in your passphrase one last time; you won’t need it again. Now that we have all we need to generate the self-signed certificate, we can move on to doing so,

sudo openssl x509 -req -days 365 -in example.csr -signkey example.key -out example.crt

Congratulations! Now you have a self-signed SSL certificate. Let’s copy it to where it should be. You can create a new directory to hold your certificate and private key. But I’m using Ubuntu’s standard locations for those files.

sudo cp example.crt /etc/ssl/certs/
sudo cp example.key /etc/ssl/private/

With that done, you should enable SSL for your domain on Nginx and configure Nginx to use the SSL certificate you just created. So open your domain’s virtual host file,

sudo nano /etc/nginx/sites-available/example.com

Add the following line before the line that reads server_name example.com www.example.com;

listen 443 ssl;

Add the following lines after the server_name example.com www.example.com; line,

        ssl_session_timeout  5m;
        # SSLv2, SSLv3 and TLSv1 are broken or deprecated; add TLSv1.3 on Nginx 1.13.0+ built with OpenSSL 1.1.1+
        ssl_protocols  TLSv1.2;
        # Strong suites only: no anonymous, export, low-grade or RC4 ciphers
        ssl_ciphers  HIGH:!aNULL:!MD5;
        ssl_prefer_server_ciphers   on;

        ssl_certificate        /etc/ssl/certs/example.crt;
        ssl_certificate_key    /etc/ssl/private/example.key;

The final code should look like this,

server {
        # The ssl parameter enables TLS on this port
        listen 443 ssl;
        server_name example.com www.example.com;

        ssl_session_timeout  5m;
        # SSLv2, SSLv3 and TLSv1 are broken or deprecated; add TLSv1.3 on Nginx 1.13.0+ built with OpenSSL 1.1.1+
        ssl_protocols  TLSv1.2;
        # Strong suites only: no anonymous, export, low-grade or RC4 ciphers
        ssl_ciphers  HIGH:!aNULL:!MD5;
        ssl_prefer_server_ciphers   on;

        ssl_certificate        /etc/ssl/certs/example.crt;
        ssl_certificate_key    /etc/ssl/private/example.key;
        [....rest....]
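
Before restarting, the virtual host file can be checked for protocol and cipher settings that still admit SSLv2/SSLv3, early TLS or export/low-grade suites. The script below is an added example, not part of the original post; the helper name audit_nginx_tls and the sample config are constructed for illustration, and it assumes each directive sits on a single line.

```shell
#!/bin/sh
# audit_nginx_tls FILE  (hypothetical helper name)
# Prints one finding per legacy protocol or weak cipher token and
# returns non-zero if any were found. Assumes one directive per line.
audit_nginx_tls() {
    awk '
    { sub(/#.*/, "") }                       # ignore comments
    $1 == "ssl_protocols" {
        for (i = 2; i <= NF; i++) {
            p = $i; sub(/;$/, "", p)
            if (p ~ /^(SSLv2|SSLv3|TLSv1|TLSv1\.1)$/) {
                printf "%s:%d: legacy protocol %s\n", FILENAME, NR, p
                bad = 1
            }
        }
    }
    $1 == "ssl_ciphers" {
        spec = $2; gsub(/[";]/, "", spec)
        n = split(spec, tok, ":")
        for (i = 1; i <= n; i++) {
            t = tok[i]
            # "!X" and "-X" remove suites, "+X" only reorders: none of them add.
            if (t ~ /^[-!+]/) continue
            if (t ~ /^(ALL|LOW)$/ || t ~ /EXP|RC4|DES|MD5|NULL|ADH|AECDH/) {
                printf "%s:%d: cipher token %s admits weak suites\n", FILENAME, NR, t
                bad = 1
            }
        }
    }
    END { exit bad + 0 }
    ' "$1"
}

# Constructed sample input: legacy settings of the kind this check catches.
sample=$(mktemp)
cat > "$sample" <<'EOF'
server {
    listen 443;
    ssl_protocols  SSLv2 SSLv3 TLSv1;
    ssl_ciphers  ALL:!ADH:!EXPORT56:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv2:+EXP;
}
EOF
audit_nginx_tls "$sample" || echo "findings above: fix before restarting Nginx"
rm -f "$sample"
```

Run it against /etc/nginx/sites-available/example.com; an empty result with exit status 0 means neither directive names a legacy protocol or a weak cipher token.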

Finally, restart Nginx,

sudo service nginx restart

Open your website in a browser using the https protocol. SSL should be active on your domain now. You’ll see a warning about the certificate. If you see that, self-signed SSL is successfully enabled for your domain.

If you don’t see the warning and get an error instead, check whether port 443 is being blocked by iptables or any other firewall you might have on your server.

Tharindu
