@dodysw
Last active August 29, 2015 13:57
Creating a self-signed certificate supporting multiple/wildcard domains at nginx
sudo su
cd /etc/nginx
mkdir sslmulti
cd sslmulti
# create a new certificate authority (import rootCA.pem into your browser once and every certificate it signs is trusted automatically)
# -sha256 makes sure the certificates are not signed with SHA-1, which browsers no longer accept (older OpenSSL releases defaulted to SHA-1)
openssl genrsa -out rootCA.key 2048
openssl req -x509 -new -nodes -sha256 -key rootCA.key -days 1024 -out rootCA.pem
# you can import rootCA.pem into your browser now
# keep rootCA.key private: anyone holding it can issue certificates that your browser will trust for any name
# create a certificate for our own site(s)
openssl genrsa -out server.key 2048
openssl req -new -key server.key -out server.csr
# edit below according to your list of domains
# browsers match the host name against subjectAltName, not against the CN entered at the CSR prompt,
# and a wildcard such as *.yourdomain.com covers a single label only (app.yourdomain.com, not a.b.yourdomain.com)
echo "subjectAltName=DNS:yourdomain.com,DNS:*.yourdomain.com,DNS:other.domain.com" > extcert
# change 1024 to the number of days the cert will be valid
openssl x509 -req -sha256 -days 1024 -in server.csr -CA rootCA.pem -CAkey rootCA.key -CAcreateserial -out server.crt -extfile extcert
cd ../sites-enabled
vi your_site_conf_file
# add/update the following:
#
...
server {
...
listen 443 ssl;
...
ssl_certificate /etc/nginx/sslmulti/server.crt;
ssl_certificate_key /etc/nginx/sslmulti/server.key;
# note: TLSv1 and TLSv1.1 are deprecated (RFC 8996) and RC4 is broken; a current deployment keeps TLSv1.2 (and TLSv1.3) only and drops the RC4 entries from the cipher list below
ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
ssl_prefer_server_ciphers on;
ssl_ciphers "EECDH+ECDSA+AESGCM EECDH+aRSA+AESGCM EECDH+ECDSA+SHA384 EECDH+ECDSA+SHA256 EECDH+aRSA+SHA384 EECDH+aRSA+SHA256 EECDH+aRSA+RC4 EECDH EDH+aRSA RC4 !aNULL !eNULL !LOW !3DES !MD5 !EXP !PSK !SRP !DSS";
...
}
# save, validate the config (nginx -t) and then restart
service nginx restart
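The CA and multi-SAN certificate steps above, as an added example that is not part of the gist: it builds the same root CA and leaf certificate in a scratch directory with explicit CA/server extensions, then checks that the leaf chains to the CA and matches the host names it is meant to serve. The `make_multi_san_cert` and `verify_host` functions, the "Local Dev Root CA" subject and the scratch directory are assumptions of this example; it needs OpenSSL 1.1.0 or newer for `openssl verify -verify_hostname`.

```shell
# Added example (not the gist's code): private root CA + multi-SAN server cert,
# followed by a chain and host-name check. Assumes OpenSSL >= 1.1.0.
set -eu

# make_multi_san_cert DIR "DNS:a.example,DNS:*.a.example"
make_multi_san_cert() {
  dir=$1; sans=$2
  mkdir -p "$dir"
  # Minimal req config: non-interactive subject and explicit CA extensions,
  # so the root does not depend on whatever the system openssl.cnf provides.
  cat > "$dir/ca.cnf" <<EOF
[req]
prompt=no
distinguished_name=dn
x509_extensions=v3_ca
[dn]
CN=Local Dev Root CA
[v3_ca]
basicConstraints=critical,CA:TRUE
keyUsage=critical,keyCertSign,cRLSign
subjectKeyIdentifier=hash
EOF
  openssl req -x509 -new -nodes -newkey rsa:2048 -sha256 -days 1024 \
    -config "$dir/ca.cnf" -keyout "$dir/rootCA.key" -out "$dir/rootCA.pem" 2>/dev/null
  # Leaf key and CSR; the CN is irrelevant, browsers only look at the SANs.
  openssl req -new -nodes -newkey rsa:2048 -sha256 -config "$dir/ca.cnf" \
    -subj "/CN=dev server" -keyout "$dir/server.key" -out "$dir/server.csr" 2>/dev/null
  # Extension file: the caller's SAN list plus server-only constraints, so the
  # leaf cannot itself act as a CA or be used for anything but TLS server auth.
  printf 'subjectAltName=%s\nbasicConstraints=CA:FALSE\n' "$sans" > "$dir/extcert"
  printf 'keyUsage=digitalSignature,keyEncipherment\nextendedKeyUsage=serverAuth\n' >> "$dir/extcert"
  openssl x509 -req -sha256 -days 1024 -in "$dir/server.csr" -CA "$dir/rootCA.pem" \
    -CAkey "$dir/rootCA.key" -CAcreateserial -extfile "$dir/extcert" -out "$dir/server.crt" 2>/dev/null
}

# verify_host DIR HOSTNAME: 0 if server.crt chains to rootCA.pem, is valid for
# TLS server use and its SANs cover HOSTNAME (a wildcard matches one label only).
verify_host() {
  openssl verify -CAfile "$1/rootCA.pem" -purpose sslserver \
    -verify_hostname "$2" "$1/server.crt" >/dev/null 2>&1
}

# Demo with the gist's SAN list in a constructed scratch directory.
demo=$(mktemp -d)
make_multi_san_cert "$demo" "DNS:yourdomain.com,DNS:*.yourdomain.com,DNS:other.domain.com"
for h in yourdomain.com app.yourdomain.com deep.app.yourdomain.com evil.com; do
  if verify_host "$demo" "$h"; then echo "$h: OK"; else echo "$h: REJECTED"; fi
done
rm -rf "$demo"
```

The demo accepts yourdomain.com and app.yourdomain.com but rejects deep.app.yourdomain.com and evil.com, which is exactly the check to run before pointing a browser at the site.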