Set up a self-signed SSL certificate with Nginx (server and browser)

1. Configure server: Nginx

Create the certificate:

$ sudo openssl req -x509 -nodes -days 365 -newkey rsa:2048 -keyout /etc/ssl/private/nginx-selfsigned.key -out /etc/ssl/certs/nginx-selfsigned.crt

Create a strong Diffie-Hellman group:

$ sudo openssl dhparam -out /etc/ssl/certs/dhparam.pem 2048

Create a new configuration snippet file for Nginx:

$ sudo nano /etc/nginx/snippets/self-signed.conf


ssl_certificate /etc/ssl/certs/nginx-selfsigned.crt;
ssl_certificate_key /etc/ssl/private/nginx-selfsigned.key;

Create a configuration snippet with strong encryption settings:

$ sudo vim /etc/nginx/snippets/ssl-params.conf


# from
# and

# TLSv1 and TLSv1.1 are deprecated (RFC 8996) and are not enabled here.
ssl_protocols TLSv1.2;
ssl_prefer_server_ciphers on;
ssl_ecdh_curve secp384r1;
ssl_session_cache shared:SSL:10m;
ssl_session_tickets off;
#ssl_stapling on;
#ssl_stapling_verify on;
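# resolver needs at least one name server address; here it only serves OCSP
# stapling (disabled above), so it stays commented out until an address is set.
#resolver <name-server-address> valid=300s;
#resolver_timeout 5s;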
# Disable preloading HSTS for now.  You can use the commented out header line that includes
# the "preload" directive if you understand the implications.
#add_header Strict-Transport-Security "max-age=63072000; includeSubdomains; preload";
#add_header Strict-Transport-Security "max-age=63072000; includeSubdomains";
add_header X-Frame-Options DENY;
add_header X-Content-Type-Options nosniff;

ssl_dhparam /etc/ssl/certs/dhparam.pem;

Configure Nginx site to use certificate:

server {

    listen 443 ssl;
    include snippets/self-signed.conf;
    include snippets/ssl-params.conf;

    # ... rest of the site configuration ...
}


2. Configure computer: macOS

From your local computer, download the certificate:

$ scp user@host:/etc/ssl/certs/nginx-selfsigned.crt ~/cert.crt

Open the file with the Keychain Access utility:

$ open ~/cert.crt

  1. Add the certificate to the System keychain (not login) and authenticate.
  2. After it has been added, double-click it and authenticate again.
  3. Expand the "Trust" section.
  4. Set "When using this certificate" to "Always Trust".

That's it! Close Keychain Access and restart Chrome, and your self-signed certificate should now be recognized by the browser.
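
Added example (not part of the original gist): the `openssl req` command in step 1 prompts for the subject interactively and, with a stock openssl.cnf, writes no subjectAltName, which Chrome 58 and later require for hostname matching even when the certificate is trusted. The script below generates the certificate non-interactively with a SAN and checks the result before Nginx is reloaded; `-addext` needs OpenSSL 1.1.1 or newer, and the host name and file paths passed in are placeholders you choose.

```sh
#!/bin/sh
# Added example; host name and paths are caller-supplied placeholders.

# make_selfsigned HOST KEY CRT
# Non-interactive form of the gist's "openssl req -x509" step, plus a SAN.
make_selfsigned() {
    ( umask 077    # keep the unencrypted (-nodes) private key owner-only
      openssl req -x509 -nodes -days 365 -newkey rsa:2048 \
          -subj "/CN=$1" -addext "subjectAltName=DNS:$1" \
          -keyout "$2" -out "$3" 2>/dev/null ) || return 1
    chmod 644 "$3" # the certificate itself is public
}

# cert_has_san CRT HOST
# Succeeds only if CRT carries HOST as a DNS subjectAltName entry.
cert_has_san() {
    openssl x509 -in "$1" -noout -text 2>/dev/null |
        tr ',' '\n' | sed 's/^ *//; s/ *$//' | grep -Fxq "DNS:$2"
}

# key_matches_cert KEY CRT
# Succeeds only if the private key and the certificate share a public key,
# i.e. the pair referenced in self-signed.conf belongs together.
key_matches_cert() {
    k=$(openssl pkey -in "$1" -pubout 2>/dev/null) || return 1
    c=$(openssl x509 -in "$2" -noout -pubkey 2>/dev/null) || return 1
    [ -n "$k" ] && [ "$k" = "$c" ]
}

# Usage: sh make-cert.sh HOST KEY CRT
if [ "$#" -eq 3 ]; then
    make_selfsigned "$1" "$2" "$3" || { echo "generation failed" >&2; exit 1; }
    cert_has_san "$3" "$1"         || { echo "no SAN for $1" >&2; exit 1; }
    key_matches_cert "$2" "$3"     || { echo "key/cert mismatch" >&2; exit 1; }
    echo "OK: $3 is valid for $1 and matches $2"
fi
```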

astuter commented Dec 20, 2017

Nice consolidated details.


codecakes commented Dec 23, 2017

Need something that works for mobile browsing too


nicolasembleton commented Mar 7, 2018

@codecakes Adding trusted certificate on mobile will fix it. But I'd personally recommend avoiding this and using letsencrypt with dev-only domain name.


IAlwaysBeCoding commented May 23, 2018

Why use nano and vim and not just use one?
