How to Create a Self-signed SSL Certificate in Ubuntu with Nginx
A self-signed certificate encrypts the communication between your server and its clients just as a CA-issued one does. But because it is not signed by any of the certificate authorities that web browsers trust, a browser cannot verify that the certificate really belongs to your server, and it will warn the user before connecting. Like any certificate, it can only be used until its validity period expires.
If we buy a certificate it costs something per year, and the price differs from vendor to vendor. The advantage of buying is that our users never see a page saying that the website is not trusted, a page that might cost us customers.
The advantage of a self-signed certificate is that it costs nothing; the disadvantage is that users see a page asking them to accept an untrusted certificate, which may drive customers away.
So which one to use depends on our needs. Self-signed certificates fit development servers, internal services and anything where we can hand the certificate to the clients ourselves; a public website should use a CA-issued one. In this post we will see how to create and use a self-signed certificate.
SSH into your machine
First update the package cache, then install nginx:
sudo apt-get update
sudo apt-get install nginx
Create SSL certificate
Then create an ssl directory under /etc/nginx/:
sudo mkdir /etc/nginx/ssl
Now we will create our own SSL certificate and its private key in one step:
sudo openssl req -x509 -nodes -days 365 -newkey rsa:2048 -keyout /etc/nginx/ssl/nginx.key -out /etc/nginx/ssl/nginx.crt
The command asks a series of questions; the answers become the subject of the certificate. Example answers:
Country Name (2 letter code) [AU]:IN
State or Province Name (full name) [Some-State]:Madhya Pradesh
Locality Name (eg, city) []:Indore
Organization Name (eg, company) [Internet Widgits Pty Ltd]:ABC corp Pvt Ltd
Organizational Unit Name (eg, section) []:xyz
Common Name (e.g. server FQDN or YOUR name) []:your_domain.com
Email Address []:admin@your_domain.com
The Common Name should be the host name that clients will type into the browser; a certificate issued for a different name produces an extra browser warning.
We now have two files in /etc/nginx/ssl/: the private key "nginx.key" and the certificate "nginx.crt".
You can check that the files exist with the following command:
ls /etc/nginx/ssl/
The options used in the command that creates the certificate are as follows:
- openssl: This is the basic command for creating and managing OpenSSL certificates
- req: This sub-command specifies that we want to use X.509 certificate signing request (CSR) management. The “X.509” is a public key infrastructure standard that SSL and TLS adheres to for its key and certificate management. We want to create a new X.509 cert, so we are using this sub-command.
- -x509: This modifies the previous sub-command by telling the utility that we want to make a self-signed certificate instead of generating a certificate signing request, as would normally happen.
- -nodes: This tells OpenSSL not to encrypt the private key with a passphrase (the certificate itself is public and is never passphrase-protected). We need Nginx to be able to read the key, without user intervention, when the server starts up; a passphrase would require someone to type it after every restart. The trade-off is that the key sits unencrypted on disk, so it should be readable by root only.
- -days 365: This option sets the length of time that the certificate will be considered valid. We set it for one year here.
- -newkey rsa:2048: This specifies that we want to generate a new certificate and a new key at the same time. We did not create the key that is required to sign the certificate in a previous step, so we need to create it along with the certificate. The rsa:2048 portion tells it to make an RSA key that is 2048 bits long.
- -keyout: This tells OpenSSL where to place the generated private key file that we are creating.
- -out: This tells OpenSSL where to place the certificate that we are creating.
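As an added example that is not part of the original post, the following script wraps the same openssl req invocation in a non-interactive form: the subject comes from a throw-away config file instead of the prompts above, and the certificate gets a subjectAltName, which current browsers require and which the interactive command above does not set (browsers ignore the Common Name when matching the host). It then runs the checks worth doing before pointing nginx at the files: that the key matches the certificate, that the SAN names the host, and that the certificate has not expired. The directory, the file names and your_domain.com are placeholders; OpenSSL 1.0.2 or newer is assumed.

```shell
#!/bin/sh
# Added example (not from the original post): non-interactive self-signed
# certificate generation with a subjectAltName, plus sanity checks.
# Assumptions: OpenSSL 1.0.2+; DIR is writable; host names are placeholders.
set -eu

# make_selfsigned DIR NAME HOSTNAME DAYS
# Writes DIR/NAME.key (unencrypted, mode 0600) and DIR/NAME.crt.
# A throw-away config file supplies the subject and the extensions, so the
# result does not depend on the distribution's openssl.cnf.
make_selfsigned() {
    dir=$1; name=$2; host=$3; days=$4
    cfg="$dir/$name.cnf"
    cat > "$cfg" <<EOF
[req]
prompt = no
distinguished_name = dn
[dn]
CN = $host
[ext]
subjectAltName = DNS:$host
basicConstraints = CA:FALSE
keyUsage = digitalSignature, keyEncipherment
extendedKeyUsage = serverAuth
EOF
    openssl req -x509 -nodes -days "$days" -newkey rsa:2048 -sha256 \
        -config "$cfg" -extensions ext \
        -keyout "$dir/$name.key" -out "$dir/$name.crt"
    chmod 600 "$dir/$name.key"   # -nodes leaves the key unencrypted: restrict who can read it
    rm -f "$cfg"
}

# key_matches_cert KEY CERT: succeeds when key and certificate share one RSA
# modulus, i.e. ssl_certificate_key really belongs to ssl_certificate.
key_matches_cert() {
    [ "$(openssl rsa -in "$1" -noout -modulus)" = "$(openssl x509 -in "$2" -noout -modulus)" ]
}

# cert_has_san CERT HOSTNAME: succeeds when HOSTNAME appears in subjectAltName.
cert_has_san() {
    openssl x509 -in "$1" -noout -text | grep -qF "DNS:$2"
}

# cert_valid_for CERT SECONDS: succeeds when the certificate will still be
# valid SECONDS from now (handy in a cron job that warns before expiry).
cert_valid_for() {
    openssl x509 -in "$1" -noout -checkend "$2" >/dev/null
}

# Demo: "sh selfsigned.sh demo" generates into a temp dir and prints the result.
if [ "${1:-}" = "demo" ]; then
    out=$(mktemp -d)
    make_selfsigned "$out" nginx your_domain.com 365
    key_matches_cert "$out/nginx.key" "$out/nginx.crt" && echo "key matches certificate"
    cert_has_san "$out/nginx.crt" your_domain.com && echo "SAN present"
    cert_valid_for "$out/nginx.crt" 0 && echo "not expired"
    openssl x509 -in "$out/nginx.crt" -noout -subject -dates
fi
```

Run it as root with DIR set to /etc/nginx/ssl to produce the same nginx.key and nginx.crt the post uses. The modulus comparison is the check to reach for when nginx refuses to start with a "key values mismatch" error: it tells you at once whether the key and certificate paths in the server block point at a matching pair.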
Configuring Nginx
By default nginx listens on port 80 with the following server block:
server {
    listen 80 default_server;
    listen [::]:80 default_server ipv6only=on;

    root /usr/share/nginx/html;
    index index.html index.htm;

    server_name your_domain.com;

    location / {
        try_files $uri $uri/ =404;
    }
}
HTTPS uses port 443, so we need to tell nginx to listen on port 443 with the ssl parameter and give it the paths of the certificate and the key we generated (ssl_certificate and ssl_certificate_key). Note that the existing IPv6 listener only covers port 80; if the server is reachable over IPv6, add a matching ssl listener for [::]:443 as well.
Change the server block to the following:
server {
    listen 80 default_server;
    listen [::]:80 default_server ipv6only=on;
    listen 443 ssl;

    root /usr/share/nginx/html;
    index index.html index.htm;

    server_name your_domain.com;

    ssl_certificate /etc/nginx/ssl/nginx.crt;
    ssl_certificate_key /etc/nginx/ssl/nginx.key;

    location / {
        try_files $uri $uri/ =404;
    }
}
We are done with the configuration. It is worth running nginx's configuration check (its -t option) first, so that a typo in a path does not take the site down; then restart nginx:
sudo service nginx restart
Now open the IP or domain in a browser over http:
http://X.X.X.X
It will show the default nginx page.
Now open the IP or domain over https:
https://X.X.X.X
The browser shows a warning page asking us to accept the certificate, because it was not issued by a trusted certificate authority; we created it ourselves. After accepting it we can communicate with our server over https. Keep in mind what that acceptance means: the connection is encrypted, but nothing has proven that the key on the other end is ours, since an attacker in the path could present a self-signed certificate of their own and the user would see the very same warning. That is why self-signed certificates are fine for testing and for internal services whose clients can be given the certificate (or the browser exception) out of band, while a site open to the public should use a certificate from a CA that browsers already trust.