```bash
echo "Generating an SSL private key to sign your certificate..."
openssl genrsa -des3 -out myssl.key 1024
echo "Generating a Certificate Signing Request..."
openssl req -new -key myssl.key -out myssl.csr
echo "Removing passphrase from key (for nginx)..."
cp myssl.key myssl.key.org
openssl rsa -in myssl.key.org -out myssl.key
echo "Generating certificate..."
openssl x509 -req -days 365 -in myssl.csr -signkey myssl.key -out myssl.crt
echo "Copying certificate (myssl.crt) to /etc/ssl/certs/"
mkdir -p /etc/ssl/certs
cp myssl.crt /etc/ssl/certs/
echo "Copying key (myssl.key) to /etc/ssl/private/"
mkdir -p /etc/ssl/private
cp myssl.key /etc/ssl/private/
```
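A non-interactive variant of the script above, as an added example that is not part of the original gist: it answers the CSR questions with `-subj`, skips the passphrase round-trip with `-nodes`, writes the key with owner-only permissions, and checks the result. The function names, the `DESTDIR` layout and the `subjectAltName` extension (which needs OpenSSL 1.1.1 or later) are assumptions.

```bash
#!/usr/bin/env bash
# Added example: non-interactive, permission-safe variant of the steps above.
# Function names, arguments and the directory layout are assumptions.
set -eu

# make_selfsigned NAME DESTDIR [BITS]
# Creates DESTDIR/private/NAME.key (mode 600) and DESTDIR/certs/NAME.crt.
make_selfsigned() {
    local name="$1" dest="$2" bits="${3:-4096}"
    local key="$dest/private/$name.key" crt="$dest/certs/$name.crt"

    mkdir -p "$dest/certs"
    # Create the key directory and key file unreadable by other users
    # from the first byte, instead of fixing permissions afterwards.
    ( umask 077
      mkdir -p "$dest/private"
      # -nodes: no passphrase, so nginx can start unattended and no
      #         decrypted copy (myssl.key.org) is left behind.
      # -subj:  answers the interactive questions.
      openssl req -x509 -nodes -days 365 -newkey "rsa:$bits" \
          -subj "/CN=$name" -addext "subjectAltName=DNS:$name" \
          -keyout "$key" -out "$crt" )
    chmod 600 "$key"
    chmod 644 "$crt"
}

# Print the public key size of a certificate in bits.
cert_bits() {
    openssl x509 -in "$1" -noout -text |
        sed -n 's/.*Public-Key: (\([0-9]*\) bit).*/\1/p'
}

# Succeed only if the certificate (arg 2) carries the public half of
# the private key (arg 1). Empty output (unreadable file) never matches.
key_matches_cert() {
    local k c
    k=$(openssl pkey -in "$1" -pubout 2>/dev/null) || return 1
    c=$(openssl x509 -in "$2" -noout -pubkey 2>/dev/null) || return 1
    [ -n "$k" ] && [ "$k" = "$c" ]
}

# Run as: ./selfsigned.sh example.test /etc/ssl   (as root for /etc/ssl)
if [ "$#" -ge 2 ]; then
    make_selfsigned "$@"
    echo "key size: $(cert_bits "$2/certs/$1.crt") bits"
fi
```

`key_matches_cert` is worth running before reloading nginx whenever keys and certificates are copied around by hand, since a mismatched pair makes nginx refuse to start.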
Thanks! That's very useful!
EDIT: (updated, taking into consideration discussion below)
The command below seems to work just fine for me and is just a one-liner. Any comments?
You can automate the questions in a script:
@tvlooy - Works for me, though on CentOS it seems the private directory is not there by default. Presumably some distros may not have either, so I put in a small tweak of..
mkdir -p /etc/ssl/private && mkdir -p /etc/ssl/certs && openssl req -x509 -nodes -days 365 -newkey rsa:4096 -keyout /etc/ssl/private/site_name.key -out /etc/ssl/certs/site_name.crt
mkdir -p /etc/ssl/private &&
openssl req -x509 -nodes -days 365 -newkey rsa:4096
SiteName Admin Portal
On Ubuntu there are no permissions for /etc/ssl/private. However, I made it work in /etc/nginx/ssl.
I love this article. The self-signing process worked perfectly immediately.
@slava-vishnyakov provided a wonderfully useful snippet for the nginx configuration file. BUT...
I don't know if things have changed in the years since he or she wrote it, but it has one tiny imperfection that resulted in an error (ssl_error_rx_record_too_long) in the browser.
Use this instead..
Just add the "ssl" to the listen parameters.
With that, this article becomes one of the most instantly useful I've ever seen.
Thanks to all of you.
As to the Nginx configuration, I got a warning
I just removed the
In other words, it should be something like this:
If someone got the next error:
You have to change the length of your certificate from