Forked from twoism-dev/gist:1183437
Created April 10, 2012 14:44
Create self-signed SSL certificate for Nginx
echo "Generating an SSL private key to sign your certificate..."
# 2048-bit RSA: current OpenSSL builds reject 1024-bit keys ("ee key too small")
openssl genrsa -des3 -out myssl.key 2048
echo "Generating a Certificate Signing Request..."
openssl req -new -key myssl.key -out myssl.csr
echo "Removing passphrase from key (for nginx)..."
# Keep the passphrase-protected original as myssl.key.org, then write an unencrypted copy
cp myssl.key myssl.key.org
openssl rsa -in myssl.key.org -out myssl.key
echo "Generating certificate..."
# Self-sign the CSR with the same key; the certificate is valid for 365 days
openssl x509 -req -days 365 -in myssl.csr -signkey myssl.key -out myssl.crt
echo "Copying certificate (myssl.crt) to /etc/ssl/certs/"
mkdir -p /etc/ssl/certs
cp myssl.crt /etc/ssl/certs/
echo "Copying key (myssl.key) to /etc/ssl/private/"
mkdir -p /etc/ssl/private
cp myssl.key /etc/ssl/private/

On Ubuntu there are no permissions for /etc/ssl/private; however, I made it work in /etc/nginx/ssl.
Also, based on your script, I made my own, which outputs the nginx configuration at the end.


abkrim commented Aug 15, 2017

One step (if you use Ubuntu 16.04, /etc/ssl exists. If not, feel free to add a step to create the dir)
openssl req -x509 -nodes -days 365 -newkey rsa:2048 -keyout /etc/ssl/private/nginx-selfsigned.key -out /etc/ssl/certs/nginx-selfsigned.crt


natanraj commented Nov 1, 2017

Hi. It is a very good gist. I am using nginx on AWS and followed these instructions, but I am unable to access https://<>. Any suggestions, please?

Note: I have enabled my AWS security group to listen on 443 as well.


tqwhite commented Apr 3, 2018

I love this article. The self-signing process worked perfectly immediately.

@slava-vishnyakov provided a wonderfully useful snippet for the nginx configuration file. BUT...

I don't know if things have changed in the years since he or she wrote it, but it has one tiny imperfection that resulted in an error (ssl_error_rx_record_too_long) in the browser.

Use this instead..

server {
    listen 443 ssl;
    ssl on;
    ssl_certificate /etc/ssl/certs/myssl.crt;
    ssl_certificate_key /etc/ssl/private/myssl.key;
    location / {

Just add the "ssl" to the listen parameters.

With that, this article becomes one of the most instantly useful I've ever seen.

Thanks to all of you.


As to the Nginx configuration, I got a warning
nginx: [warn] the "ssl" directive is deprecated, use the "listen ... ssl" directive instead in /usr/local/etc/nginx/sites-enabled/

I just removed the ssl on; part and the warning is gone.

In other words, it should be something like this:

server {
    listen               443 ssl;
    ssl_certificate      /etc/ssl/certs/myssl.crt;
    ssl_certificate_key  /etc/ssl/private/myssl.key;
    location / {


cesarjv commented Jun 21, 2020

Good morning, is it necessary to have a domain to apply this method of generating ssl self-signed certificate?

Because in my company it is handled is url type


popovserhii commented Aug 26, 2020

If someone gets the following error:

# nginx -t

nginx: [emerg] SSL_CTX_use_certificate("/etc/ssl/certs/myssl.crt") failed (SSL: error:140AB18F:SSL routines:SSL_CTX_use_certificate:ee key too small)
nginx: configuration file /etc/nginx/nginx.conf test failed

You have to change the length of your certificate from rsa:1024 to rsa:2048.
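
The key-size failure reported in the comment above can be caught before nginx is reloaded. The check below is an added example, not part of the gist or of any commenter's code; the function names, `MIN_BITS` and the return codes are assumptions made for it.

```shell
# Added example: pre-flight check for a certificate/key pair before `nginx -t`.
# MIN_BITS, the function names and the return codes are assumptions of this example.
MIN_BITS=2048

# Print the size in bits of the public key embedded in a PEM certificate.
cert_bits() {
    openssl x509 -in "$1" -noout -text 2>/dev/null |
        sed -n 's/.*Public-Key: (\([0-9][0-9]*\) bit).*/\1/p'
}

# Return 0 if the pair is usable, otherwise print the reason and return non-zero.
check_pair() {
    cert=$1
    key=$2
    bits=$(cert_bits "$cert")
    if [ -z "$bits" ]; then
        echo "FAIL: $cert is not a readable PEM certificate"
        return 2
    fi
    if [ "$bits" -lt "$MIN_BITS" ]; then
        echo "FAIL: $bits-bit key is below $MIN_BITS (the 'ee key too small' case)"
        return 3
    fi
    # -passin pass: supplies an empty passphrase, so an encrypted key fails
    # here instead of prompting; the gist strips the passphrase for nginx.
    key_pub=$(openssl pkey -in "$key" -passin pass: -pubout 2>/dev/null)
    if [ -z "$key_pub" ]; then
        echo "FAIL: $key is unreadable or still passphrase-protected"
        return 4
    fi
    # The key belongs to the certificate only if both yield the same public key.
    cert_pub=$(openssl x509 -in "$cert" -noout -pubkey 2>/dev/null)
    if [ "$key_pub" != "$cert_pub" ]; then
        echo "FAIL: $key does not belong to $cert"
        return 5
    fi
    # -checkend 0 fails when the certificate has already expired.
    if ! openssl x509 -in "$cert" -noout -checkend 0 >/dev/null 2>&1; then
        echo "FAIL: $cert has expired"
        return 6
    fi
    echo "OK: $bits-bit key, key matches certificate, not expired"
}
```

Run it as `check_pair /etc/ssl/certs/myssl.crt /etc/ssl/private/myssl.key` with enough privilege to read the key file.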
