Create self-signed SSL certificate for Nginx
#!/bin/bash
# Stop at the first failing command so a broken key or CSR is never installed.
set -e
echo "Generating an SSL private key to sign your certificate..."
# 1024-bit RSA is no longer considered secure; use at least 2048 bits.
openssl genrsa -des3 -out myssl.key 2048
echo "Generating a Certificate Signing Request..."
openssl req -new -key myssl.key -out myssl.csr
echo "Removing passphrase from key (for nginx)..."
cp myssl.key myssl.key.org
openssl rsa -in myssl.key.org -out myssl.key
rm myssl.key.org
echo "Generating certificate..."
openssl x509 -req -days 365 -in myssl.csr -signkey myssl.key -out myssl.crt
echo "Copying certificate (myssl.crt) to /etc/ssl/certs/"
mkdir -p /etc/ssl/certs
cp myssl.crt /etc/ssl/certs/
echo "Copying key (myssl.key) to /etc/ssl/private/"
mkdir -p /etc/ssl/private
cp myssl.key /etc/ssl/private/
# The installed key has no passphrase, so restrict it to its owner.
chmod 600 /etc/ssl/private/myssl.key
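
Added example (not part of the gist or its comments): the same kind of certificate produced without prompts, followed by the checks worth running before pointing nginx at the files: that the key matches the certificate, the key size, the subjectAltName, and the key file mode. It assumes OpenSSL 1.1.1 or later for -addext; the host name dev.example.test, the temporary directory and the function names are placeholders chosen for the example.

```sh
#!/bin/sh
# Added example, not part of the gist. Assumes OpenSSL 1.1.1+ (for -addext).
# dev.example.test and the temporary directory are constructed placeholders.
set -eu

# Create <dir>/<host>.key and <dir>/<host>.crt without any prompts.
make_selfsigned() {
    ms_host=$1; ms_dir=$2
    mkdir -p "$ms_dir"
    (
        umask 077    # files are created 0600, so the key is never world-readable
        openssl req -x509 -nodes -newkey rsa:2048 -sha256 -days 365 \
            -subj "/CN=$ms_host" -addext "subjectAltName=DNS:$ms_host" \
            -keyout "$ms_dir/$ms_host.key" -out "$ms_dir/$ms_host.crt"
    )
}

# Succeeds only if the private key and the certificate share one public key.
key_matches_cert() {
    kc_key=$(openssl pkey -in "$1" -pubout | openssl sha256)
    kc_crt=$(openssl x509 -in "$2" -noout -pubkey | openssl sha256)
    [ "$kc_key" = "$kc_crt" ]
}

# Print the certificate's public key size in bits.
cert_key_bits() {
    openssl x509 -in "$1" -noout -text |
        sed -n 's/.*Public-Key: (\([0-9]*\) bit).*/\1/p'
}

# Succeeds if the certificate lists <host> as a DNS subjectAltName.
cert_has_san() {
    openssl x509 -in "$1" -noout -text | grep -q "DNS:$2"
}

# Succeeds if the file is readable and writable by its owner only.
key_is_private() {
    [ "$(ls -l "$1" | cut -c1-10)" = "-rw-------" ]
}

# Demo run in a throwaway directory (nothing is written under /etc/ssl).
demo_dir=$(mktemp -d)
trap 'rm -rf "$demo_dir"' EXIT
demo_host=dev.example.test
make_selfsigned "$demo_host" "$demo_dir"
key_matches_cert "$demo_dir/$demo_host.key" "$demo_dir/$demo_host.crt" && echo "key matches cert"
echo "key size: $(cert_key_bits "$demo_dir/$demo_host.crt") bits"
cert_has_san "$demo_dir/$demo_host.crt" "$demo_host" && echo "SAN present"
key_is_private "$demo_dir/$demo_host.key" && echo "key mode is 0600"
```

A key that fails key_matches_cert makes nginx refuse to start with a key values mismatch error, so running the check first saves a failed reload.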

slava-vishnyakov Apr 17, 2013

Thanks! That's very useful!
Just for future reference: here's how to attach it to nginx

server {
    listen               443 ssl;
    ssl                  on;
    ssl_certificate      /etc/ssl/certs/myssl.crt;
    ssl_certificate_key  /etc/ssl/private/myssl.key;
    server_name SERVER_NAME.com;
    location / {
    }
}

EDIT: (updated, taking into consideration discussion below)

schmurfy Dec 12, 2013

Thank you both for this, generating/using certificates is really a pain :/

tvlooy Feb 28, 2014

The command below seems to work just fine for me and is just a one liner. Any comments?

openssl req -x509 -nodes -days 365 -newkey rsa:2048 \
    -keyout /etc/ssl/private/myssl.key \
    -out /etc/ssl/certs/myssl.crt

You can automate the questions in a script:

openssl req -x509 -nodes -days 365 -newkey rsa:2048 \
    -keyout /etc/ssl/private/myssl.key \
    -out /etc/ssl/certs/myssl.crt <<EOF
BE
Brussels

My project
Development
the.domain.tld

EOF

stealthpaladin Apr 13, 2014

@tvlooy - works for me, though on CentOS it seems the private directory is not there by default. Presumably some distros may not have either, so I put in a small tweak of..

mkdir -p /etc/ssl/private && mkdir -p /etc/ssl/certs && openssl req -x509 -nodes -days 365 -newkey rsa:4096 -keyout /etc/ssl/private/site_name.key -out /etc/ssl/certs/site_name.crt

OR

mkdir -p /etc/ssl/private &&
mkdir -p /etc/ssl/certs &&

openssl req -x509 -nodes -days 365 -newkey rsa:4096 \
    -keyout /etc/ssl/private/site_name.key \
    -out /etc/ssl/certs/site_name.crt <<EOF
US
TX
Private

SiteName Admin Portal
Development
portal.sitename.com

EOF

adrianorsouza May 13, 2014

On Ubuntu there are no permissions on /etc/ssl/private; however, I made it work in /etc/nginx/ssl.
Also, based on your script, I made my own which outputs the nginx configuration at the end. https://gist.github.com/adrianorsouza/2bbfe5e197ce1c0b97c8

abkrim Aug 15, 2017

One step (if you use Ubuntu 16.04, /etc/ssl exists. If not, feel free to add the directory creation)
openssl req -x509 -nodes -days 365 -newkey rsa:2048 -keyout /etc/ssl/private/nginx-selfsigned.key -out /etc/ssl/certs/nginx-selfsigned.crt

natanraj Nov 1, 2017

Hi. It is a very good gist... I am using nginx on AWS and followed these instructions, but I am unable to access https://<>. Any suggestions, please?

Note: I have enabled my AWS security group to listen on 443 as well.

tqwhite Apr 3, 2018

I love this article. The self-signing process worked perfectly immediately.

@slava-vishnyakov provided a wonderfully useful snippet for the nginx configuration file. BUT...

I don't know if things have changed in the years since he or she wrote it, but it has one tiny imperfection that resulted in an error (ssl_error_rx_record_too_long) in the browser.

Use this instead..

server {
    listen               443 ssl;
    ssl                  on;
    ssl_certificate      /etc/ssl/certs/myssl.crt;
    ssl_certificate_key  /etc/ssl/private/myssl.key;
    server_name SERVER_NAME.com;
    location / {
    }
}

Just add the "ssl" to the listen parameters.

With that, this article becomes one of the most instantly useful I've ever seen.

Thanks to all of you.

davidfirst Jul 11, 2018

As to the Nginx configuration, I got a warning
nginx: [warn] the "ssl" directive is deprecated, use the "listen ... ssl" directive instead in /usr/local/etc/nginx/sites-enabled/local.mysite.com:8

I just removed the ssl on; part and the warning is gone.

In other words, it should be something like this:

server {
    listen               443 ssl;
    ssl_certificate      /etc/ssl/certs/myssl.crt;
    ssl_certificate_key  /etc/ssl/private/myssl.key;
    server_name SERVER_NAME.com;
    location / {
    }
}
