

How to Set Up a Self Signed SSL Certificate on Nginx

A self-signed certificate is an SSL/TLS certificate signed with the very private key whose public half it contains, instead of being issued by a third-party certificate authority (CA). A CA's signature is what tells clients that the key really belongs to the named host; a self-signed certificate carries no such assurance, so every client has to be told to trust it explicitly.

If you need an HTTPS environment while you are developing your software, this kind of certificate is a good fit: it takes about five minutes to set up and is free. It is not a substitute for a CA-issued certificate on a public site, because nothing vouches for it. Browsers will show an untrusted-certificate warning, and users who get used to clicking through such warnings are easy to intercept.

Today, you will learn how to create a self-signed certificate and configure Nginx to serve HTTPS with it, assuming that you already have Nginx running and serving your pages.

This tutorial is based on CentOS Linux, but with a little tweak it can work perfectly on any other Linux distro, like Ubuntu or Debian. The procedure is the same; only a few system paths may change.

Create the required SSL directories

In this example the .key, .crt and .csr files live in three separate directories under /etc/nginx. Only the key is secret: once the directories exist, make ssl.key readable by root alone (mode 700), because anyone who can read the private key can impersonate the site.

mkdir /etc/nginx/ssl.{key,crt,csr}

Generate the server key

openssl genrsa -des3 -out /etc/nginx/ssl.key/www.yoursite.com.key 2048

The -des3 flag encrypts the private key with a passphrase, which you will be asked for now. Be aware that Nginx will then prompt for the same passphrase every time it starts or reloads, which breaks unattended restarts. For a development box it is usually simpler to omit -des3 and store the key unencrypted, relying on file permissions instead (root ownership and mode 600). If you keep the passphrase, Nginx 1.7.3 and later can read it from a file with the ssl_password_file directive.

Generate the CSR file

openssl req -new -key /etc/nginx/ssl.key/www.yoursite.com.key -out /etc/nginx/ssl.csr/www.yoursite.com.csr

When you run the req command you will be prompted for information about the site the certificate identifies. Together these fields form the certificate's subject. Only the Common Name has a technical effect; the rest is informational, and for a self-signed development certificate the exact values hardly matter.

What you should enter into each field

  • Common Name / Server’s Hostname: the exact hostname clients will connect to; for example: www.yoursite.com or whatever.yoursite.com. Any other name produces a name-mismatch error in the browser.
  • Organization: The legal name of your business; for example: Your Company Inc (if you don’t own a company, just put your name)
  • Organization Unit: Just type “Security” or “SSL”
  • City or Locality: Name of the city where your company is located
  • State or Province: Name of the state or province where your company is located
  • Country: Two-letter ISO 3166-1 code for your country; for example: US (United States), GB (United Kingdom; note that UK is not a valid code), BR (Brazil), ES (Spain), etc.
  • Email Address: Enter a valid email address
  • A challenge password: Leave this blank and hit enter. It is a legacy attribute that only some CAs use; nothing in this setup reads it.

Sample output:

Country Name (2 letter code) [XX]: US
State or Province Name (full name) []: California
Locality Name (eg, city) [Default City]: Los Angeles
Organization Name (eg, company) [Default Company Ltd]: NginxTips LLC
Organizational Unit Name (eg, section) []: Security
Common Name (eg, your name or your server's hostname) []: www.nginxtips.com
Email Address []: webmaster@nginxtips.com
Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:
An optional company name []: NginxTips.com

Sign the CSR with a one-year expiration

openssl x509 -req -days 365 -in /etc/nginx/ssl.csr/www.yoursite.com.csr -signkey /etc/nginx/ssl.key/www.yoursite.com.key -out /etc/nginx/ssl.crt/www.yoursite.com.crt

This signs the request with the same key that created it (-signkey), which is exactly what makes the certificate self-signed, and sets its validity to 365 days. Note that openssl x509 -req copies the subject from the CSR but adds no extensions, so the resulting certificate carries only the Common Name. Chrome (since version 58) and other current browsers ignore the Common Name and check the hostname against the subjectAltName extension only, so a certificate made exactly like this still triggers a name-mismatch error even after you trust it. Supplying an extensions file to openssl x509 that lists the hostname as a subjectAltName avoids that.
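The three openssl steps above as one non-interactive POSIX shell script, followed by the checks a practitioner runs before pointing Nginx at the files: that the certificate really was made from the key, that it carries the hostname as a subjectAltName, and that it is currently valid. This is an added example, not code from the original article. It deliberately differs from the article's commands in two places: it omits -des3, so the key is unencrypted (protected by umask 077 instead) and Nginx can start unattended, and it adds a subjectAltName through an extensions file, which current browsers require. The output directory, hostname and subject fields are placeholders passed in as arguments.

```shell
#!/bin/sh
# Added example, not from the original article: generate a self-signed
# certificate non-interactively and verify it before handing it to Nginx.
# All paths, hostnames and subject fields are placeholders passed in as
# arguments; nothing is written outside the directory you name.
set -eu

# make_selfsigned <outdir> <hostname> [days]
# Writes <outdir>/<hostname>.key, .csr and .crt.
# Differences from the article's commands, on purpose:
#   * no -des3: the key is stored unencrypted so nginx can start unattended;
#     umask 077 makes the directory and files readable by the owner only.
#   * the certificate gets a subjectAltName, which current browsers require
#     (they ignore the Common Name when checking whether the name matches).
make_selfsigned() {
    outdir=$1
    host=$2
    days=${3:-365}

    umask 077
    mkdir -p "$outdir"

    # 1. private key (2048-bit RSA)
    openssl genrsa -out "$outdir/$host.key" 2048 2>/dev/null

    # 2. CSR; -subj replaces the interactive prompts, CN must be the hostname
    openssl req -new -key "$outdir/$host.key" \
        -subj "/C=US/ST=California/L=Los Angeles/O=Example Inc/OU=Security/CN=$host" \
        -out "$outdir/$host.csr"

    # 3. self-sign the CSR with the same key, adding the SAN extension
    printf 'subjectAltName=DNS:%s\n' "$host" >"$outdir/san.ext"
    openssl x509 -req -days "$days" \
        -in "$outdir/$host.csr" -signkey "$outdir/$host.key" \
        -extfile "$outdir/san.ext" -out "$outdir/$host.crt" 2>/dev/null
}

# cert_matches_key <crt> <key>: prints "yes" if the public key inside the
# certificate is the one derived from the private key, otherwise "no".
# A mismatch is the usual cause of nginx refusing to start with
# "SSL_CTX_use_PrivateKey_file ... key values mismatch".
cert_matches_key() {
    c=$(openssl x509 -noout -pubkey -in "$1" | openssl dgst -sha256)
    k=$(openssl pkey -pubout -in "$2" 2>/dev/null | openssl dgst -sha256)
    if [ -n "$c" ] && [ "$c" = "$k" ]; then echo yes; else echo no; fi
}

# cert_has_san <crt> <hostname>: prints "yes" if DNS:<hostname> appears in
# the certificate's Subject Alternative Name extension, otherwise "no".
cert_has_san() {
    if openssl x509 -noout -text -in "$1" | grep -qw "DNS:$2"; then
        echo yes
    else
        echo no
    fi
}

# cert_not_expired <crt>: prints "yes" if the certificate is valid right now.
cert_not_expired() {
    if openssl x509 -noout -checkend 0 -in "$1" >/dev/null; then
        echo yes
    else
        echo no
    fi
}

# Usage when run directly, e.g.:  sh selfsigned.sh /etc/nginx/ssl www.yoursite.com
if [ -n "${1:-}" ] && [ -n "${2:-}" ]; then
    make_selfsigned "$1" "$2" "${3:-365}"
    echo "key/cert match: $(cert_matches_key "$1/$2.crt" "$1/$2.key")"
    echo "SAN present:    $(cert_has_san "$1/$2.crt" "$2")"
    echo "not expired:    $(cert_not_expired "$1/$2.crt")"
fi
```

The script writes all three files into one directory rather than the article's ssl.key/ssl.crt/ssl.csr layout; point ssl_certificate and ssl_certificate_key at wherever you run it. The two verification functions are worth keeping around: a key/certificate mismatch and a missing subjectAltName are the two most common reasons a freshly generated self-signed setup "does not work", and neither is obvious from Nginx's own error output.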

Configure Nginx to load the certificate

nano -w /etc/nginx/conf.d/yoursite.com.conf

Enable SSL in your virtual host by adding the listen and certificate directives

listen XX.XX.XX.XX:443 ssl http2;
ssl_certificate /etc/nginx/ssl.crt/www.yoursite.com.crt;
ssl_certificate_key /etc/nginx/ssl.key/www.yoursite.com.key;

Remember to replace XX.XX.XX.XX with your actual IP address, or use a plain "listen 443 ssl" to bind every address. The original listen line used the spdy parameter; SPDY support was removed in Nginx 1.9.5 and replaced by http2, which is what current versions accept. Nginx reads the key file as root at startup, so the restrictive permissions on ssl.key do not get in its way.

SSL enabled virtual host example

### yoursite.com

# Plain HTTP: send everything to the HTTPS host. `return` is the preferred
# form for a whole-site redirect; $request_uri keeps the path and query string.
server {
    listen 80;
    server_name www.yoursite.com yoursite.com;
    return 301 https://www.yoursite.com$request_uri;
}

server {
    access_log off;
    log_not_found off;
    error_log logs/yoursite.com-error_log warn;

    # `spdy` was removed in Nginx 1.9.5; `http2` is its replacement.
    listen XX.XX.XX.XX:443 ssl http2;
    server_name www.yoursite.com;
    root /var/www/yoursite.com;
    index index.php index.html index.htm;

    ssl_certificate /etc/nginx/ssl.crt/www.yoursite.com.crt;
    ssl_certificate_key /etc/nginx/ssl.key/www.yoursite.com.key;

    # Long-lived caching for static assets. The dot must be escaped: an
    # unescaped `.` in the regex would match any character.
    location ~* \.(gif|jpg|jpeg|png|ico|wmv|3gp|avi|mpg|mpeg|mp4|flv|mp3|mid|js|css|wml|swf)$ {
        expires max;
        add_header Pragma public;
        add_header Cache-Control "public, must-revalidate, proxy-revalidate";
    }

    # PHP-FPM configuration. `try_files $uri =404` makes sure the script file
    # really exists before the request is passed to PHP; without it, with
    # cgi.fix_pathinfo enabled, a request for /uploads/image.jpg/x.php would
    # make PHP execute the uploaded image.
    location ~ \.php$ {
        root /var/www/yoursite.com;
        try_files $uri =404;
        fastcgi_pass unix:/tmp/php5-fpm.sock;
        fastcgi_index index.php;
        fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
        include fastcgi_params;
        fastcgi_buffer_size 128k;
        fastcgi_read_timeout 150;
        fastcgi_buffers 256 4k;
        fastcgi_busy_buffers_size 256k;
        fastcgi_temp_file_write_size 256k;
    }
}

Reload Nginx to apply changes

service nginx reload

On systemd-based systems the equivalent is systemctl reload nginx. Run a configuration test first (nginx -t) so that a typo in the certificate paths does not take the site down on reload. Remember to open port 443 in your firewall rules; otherwise you won't be able to establish the TLS connection. At this point you should have your own self-signed certificate working on Nginx. Your browser will still warn that the certificate is untrusted, because no CA vouches for it; that is expected for a self-signed certificate. For development you can click through the warning or, better, import the .crt file into your browser's or operating system's trust store so the warning goes away for that host only.


Esteban Borges

Linux Geek, Webperf Addict, Nginx Fan. CTO @Infranetworking