SSL (stands for\u00a0Secure Sockets Layer<\/em>) and its successor, TLS (stands for\u00a0Transport Layer Security<\/em>) are cryptographic protocols to secure communication over the Internet. It can be used to create a secure connection to a website.<\/p>\n Make sure that Nginx and OpenSSL are installed on your server. In this article, we’ll demonstrate the process by generating a self-signed SSL certificate.<\/p>\n We’ll create a directory (and enter it) inside \/etc\/nginx (assuming that directory is Nginx’s config directory), by:<\/p>\n Let’s start by creating the site’s private key. In this example, we’ll use 4096-bit key for stronger security. Note that 2048-bit is also secure, but\u00a0DO NOT USE A 1024-BIT PRIVATE KEY!<\/strong><\/p>\n Now, create a certificate signing request (CSR) for signing the cert. We’ll use 512-bit SHA-2. Note the\u00a0 It will prompt a lists of fields that need to be filled in. Make sure\u00a0 Almost done! Now we just have to sign it. Don’t forget to replace 365 (expiry after 365 days) to the number of days that you would prefer.<\/p>\n Now, we’re done making a self-signed certificate.<\/p>\n Open Nginx’s example SSL config file:<\/p>\n Uncomment within the section under the line\u00a0HTTPS Server<\/em>. Match your config to the information below, replacing the\u00a0 Then restart Nginx.<\/p>\n Now, visit your website with an\u00a0Intro<\/h3>\n
Step 1: Create a directory for the certificate and private key<\/h4>\n
sudo mkdir \/etc\/nginx\/ssl\r\ncd \/etc\/nginx\/ssl # we'll perform our next few steps in this dir\r\n<\/code><\/pre>\n
Step 2: Create private key and CSR<\/h4>\n
sudo openssl genrsa -out example.com.key 4096\r\n<\/code><\/pre>\n
-sha512<\/code>\u00a0option.<\/p>\n
sudo openssl req -new -key example.com.key -out example.com.csr -sha512\r\n<\/code><\/pre>\n
Common Name<\/code>\u00a0is set to your domain name! Also, leave\u00a0
A challenge password<\/code>\u00a0and\u00a0
An optional company name<\/code>\u00a0blank.<\/p>\n
You are about to be asked to enter information that will be incorporated\r\ninto your certificate request.\r\nWhat you are about to enter is what is called a Distinguished Name or a DN.\r\nThere are quite a few fields but you can leave some blank\r\nFor some fields there will be a default value,\r\nIf you enter '.', the field will be left blank.\r\n-----\r\nCountry Name (2 letter code) [AU]:US\r\nState or Province Name (full name) [Some-State]:CA\r\nLocality Name (eg, city) []:LosAngeles\r\nOrganization Name (eg, company) [Internet Widgits Pty Ltd]:Example Inc\r\nOrganizational Unit Name (eg, section) []:Security\r\nCommon Name (e.g. server FQDN or YOUR name) []:*.example.com\r\nEmail Address []:webmaster@example.com\r\n\r\nPlease enter the following 'extra' attributes\r\nto be sent with your certificate request\r\nA challenge password []:\r\nAn optional company name []:\r\n<\/code><\/pre>\n
Step 3: Sign your certificate<\/h4>\n
sudo openssl x509 -req -days 365 -in example.com.csr -signkey example.com.key -out example.com.crt -sha512\r\n<\/code><\/pre>\n
Step 4: Set up<\/h4>\n
sudo nano \/etc\/nginx\/conf.d\/example_ssl.conf\r\n<\/code><\/pre>\n
example.com<\/code>\u00a0in the\u00a0
server_name<\/code>\u00a0line with your domain name or IP address. Also set your root directory.<\/p>\n
# HTTPS server\r\n\r\nserver {\r\n listen 443 ssl;\r\n server_name example.com;\r\n\r\n ssl_certificate \/etc\/nginx\/ssl\/example.com.crt;\r\n ssl_certificate_key \/etc\/nginx\/ssl\/example.com.key;\r\n ssl_protocols TLSv1 TLSv1.1 TLSv1.2;\r\n ssl_prefer_server_ciphers on;\r\n ssl_ecdh_curve secp384r1;\r\n ssl_ciphers ECDHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-SHA384:DHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES256-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA256:ECDHE-RSA-AES256-SHA:!aNULL:!eNULL:!EXPORT:!DES:!3DES:!MD5:!PSK:!RC4; # no RC4 and known insecure cipher\r\nlocation \/ {\r\n root \/usr\/share\/nginx\/html;\r\n index index.html index.htm;\r\n }\r\n}\r\n<\/code><\/pre>\n
service nginx restart\r\n<\/code><\/pre>\n
https<\/code>\u00a0address (\u00a0
https:\/\/your.address.tld<\/code> ). Your web browser will show a secure connection using your self-signed certificate.<\/p>\n","protected":false},"author":1,"featured_media":0,"parent":0,"menu_order":0,"comment_status":"open","ping_status":"closed","template":"","format":"standard","manualknowledgebasecat":[109,242],"manual_kb_tag":[371],"_links":{"self":[{"href":"https:\/\/support.aklwebhost.com\/wp-json\/wp\/v2\/manual_kb\/2621"}],"collection":[{"href":"https:\/\/support.aklwebhost.com\/wp-json\/wp\/v2\/manual_kb"}],"about":[{"href":"https:\/\/support.aklwebhost.com\/wp-json\/wp\/v2\/types\/manual_kb"}],"author":[{"embeddable":true,"href":"https:\/\/support.aklwebhost.com\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/support.aklwebhost.com\/wp-json\/wp\/v2\/comments?post=2621"}],"version-history":[{"count":1,"href":"https:\/\/support.aklwebhost.com\/wp-json\/wp\/v2\/manual_kb\/2621\/revisions"}],"predecessor-version":[{"id":2622,"href":"https:\/\/support.aklwebhost.com\/wp-json\/wp\/v2\/manual_kb\/2621\/revisions\/2622"}],"wp:attachment":[{"href":"https:\/\/support.aklwebhost.com\/wp-json\/wp\/v2\/media?parent=2621"}],"wp:term":[{"taxonomy":"manualknowledgebasecat","embeddable":true,"href":"https:\/\/support.aklwebhost.com\/wp-json\/wp\/v2\/manualknowledgebasecat?post=2621"},{"taxonomy":"manual_kb_tag","embeddable":true,"href":"https:\/\/support.aklwebhost.com\/wp-json\/wp\/v2\/manual_kb_tag?post=2621"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}