DevOps

Adding a trusted SSL cert on Nginx

Adding a trusted SSL certificate for the local environment in Nginx on Debian/Ubuntu (using root CA)

1 Creating an OpenSSL configuration

nano /tmp/openssl.cnf
[req]
default_bits = 2048
distinguished_name = req_distinguished_name
prompt = no

[req_distinguished_name]
C = US
ST = New York
L = Rochester
O = Localhost CA
OU = Development
CN = localhost

[v3_ca]
subjectAltName = @alt_names

[alt_names]
DNS.1 = localhost
# Support subdomains
#DNS.2 = *.domain.local

2 Creating a root certification authority (CA)

We will use the root certificate authority (CA) to create all the SSL certificates. But first, we need to create a root certificate. Let's create a private key rootCA.key by running the command in the terminal:

sudo openssl genrsa -out /etc/ssl/private/rootCA.key 2048

or using a passphrase

sudo openssl genrsa -des3 -out /etc/ssl/private/rootCA.key 2048


Now let's create the rootCA.pem certificate file using the private key rootCA.key by running the command in the terminal:

sudo openssl req -x509 -new -nodes -key /etc/ssl/private/rootCA.key -sha256 -da

 

3 Creating SSL certificates

It is already possible to create new certificates using the root certificate rootCA.pem. But first, we need to create a private key and a key (CSR) to request a signature by running the command in the terminal:

sudo openssl req -new -sha256 -nodes -newkey rsa:2048 -keyout /etc/ssl/private/localhost.key -out /etc/ssl/private/localhost.csr -config /tmp/openssl.cnf


Now we will create our certificate file using the root certification authority that we created earlier by running the command in the terminal:

sudo openssl x509 -req -in /etc/ssl/private/localhost.csr -CA /etc/ssl/certs/rootCA.pem -CAkey /etc/ssl/private/rootCA.key -CAcreateserial -out /etc/ssl/certs/localhost.crt -sha256 -days 3650 -extfile /tmp/openssl.cnf -extensions v3_ca

 

4 Configuring Nginx to use SSL

Let's enable SSL in the Nginx server configuration. We will specify listening on port 443 (HTTPS) and the path to the certificate and private key files. Edit the server configuration file /etc/nginx/sites-available/default:

sudo nano /etc/nginx/sites-available/default
server {
 listen 80 default_server;
 listen [::]:80 default_server;

 listen 443 ssl default_server;
 listen [::]:443 ssl default_server;

 ssl_certificate /etc/ssl/certs/localhost.crt;
 ssl_certificate_key /etc/ssl/private/localhost.key;

 root /var/www/html;
 index index.html index.htm index.nginx-debian.html;

 server_name _;

 location / {
  try_files $uri $uri/ =404;
 }
}


Save the changes and close the file. Check the configuration for validity by running the command in the terminal:

sudo nginx -t


Now apply the configuration changes by running the command in the terminal:

sudo service nginx reload

5 Adding a certification authority to the browser

  • Google Chrome
    Settings -> Advanced -> Privacy and security -> Manage certificates -> Authorities -> Import (select rootCA.pem file and set all trust settings)
  • Mozilla Firefox
    Preferences -> Privacy & Security -> Certificates -> View Certificates -> Authorities -> Import (select rootCA.pem file and set all trust settings)

6 Encryption testing

Let's check that our Nginx server is accessible via the HTTPS protocol by entering the following address in the browser:

https://localhost

If you did everything correctly, you will see that the browser has begun to trust your SSL certificate. Your connection will now be encrypted using the HTTPS protocol without displaying a warning about an insecure connection

 

 

Sources:

 

Афоризм дня:
Мы восприимчивы к дружбе, справедливости, человечности, состраданию и разуму. Не это ли есть добродетель, друзья мои? (526)

Leave a reply