This post concerns on generating self-signed TLS/SSL certificate for Nginx in Ubuntu LTS and assumes that you’ve configured nginx server with a default site.
Step 1: Generate OpenSSL certificate
sudo mkdir /etc/nginx/ssl sudo openssl req -x509 -nodes -days 365 -newkey rsa:2048 -keyout /etc/nginx/ssl/nginx.key -out /etc/nginx/ssl/nginx.crt
You are about to be asked to enter information that will be incorporated into your certificate request. What you are about to enter is what is called a Distinguished Name or a DN. There are quite a few fields but you can leave some blank For some fields there will be a default value, If you enter '.', the field will be left blank. ----- Country Name (2 letter code) [AU]:US State or Province Name (full name) [Some-State]:CA Locality Name (eg, city) []:Palo Alto Organization Name (eg, company) [Internet Widgits Pty Ltd]:Mypapit LLC Organizational Unit Name (eg, section) []:Billing Common Name (e.g. server FQDN or YOUR name) []:Mypapit Email Address []:mypapit+cert@gmail.com
Step 2: Edit nginx site config
You can edit nginx site config here, replace ‘default’ with your own server config.
sudo nano -c /etc/nginx/sites-enable/default
You will see this server block.
server { listen 80; listen [::]:80; server_name your_domain.com; root /var/www/your_domain.com; index index.html index.htm; ... ... }
Add additional line (in italic)
server { listen 80; listen [::]:80; listen 443 ssl; server_name your_domain.com; root /var/www/your_domain.com; index index.html index.htm; ssl_certificate /etc/nginx/ssl/nginx.crt; ssl_certificate_key /etc/nginx/ssl/nginx.key; ssl_protocols TLSv1 TLSv1.1 TLSv1.2; ssl_prefer_server_ciphers on; add_header Strict-Transport-Security max-age=31536000; ... ... }
Save file, and restart nginx server
sudo nginx -t sudo service nginx restart
Test configuration by going to https://your_domain.com.
Done!
Bonus: Add HSTS header and Serve only TLS
HSTS header