Here, we will show you how to set up a self-signed SSL certificate for use with an Nginx web server on an Ubuntu 14.04 server. A self-signed certificate will not validate the identity of your server for your users since it is not signed by one of their web browser's trusted certificate authorities, but it will allow you to encrypt communications with your web clients.
Set Up an Nginx Web Server
sudo apt-get update
sudo apt-get install nginx
Create a New Site and Make It the Default Site
root@ubuntu:/etc/nginx/sites-available# cp default ictops
root@ubuntu:/etc/nginx/sites-available# vi ictops
server {
    listen 80; ## listen for ipv4; this line is default and implied
    server_name localhost;
    add_header X-Frame-Options "SAMEORIGIN";
    location / {
        root /var/www;
        index index.html index.htm;
    }
}
root@ubuntu:/etc/nginx/sites-available# cd /etc/nginx/sites-enabled
root@ubuntu:/etc/nginx/sites-enabled# ln -s /etc/nginx/sites-available/ictops ictops
root@ubuntu:/etc/nginx/sites-enabled# service nginx restart
Install and Configure OpenSSL on the Server
Create the SSL Certificate
We can start off by creating a directory that will be used to hold all of our SSL information. We should create this under the Nginx configuration directory:
sudo mkdir /etc/nginx/ssl
Now that we have a location to place our files, we can create the SSL key and certificate files in one motion by typing:
openssl req -x509 -nodes -days 365 -newkey rsa:2048 -keyout /etc/nginx/ssl/nginx.key -out /etc/nginx/ssl/nginx.crt
- openssl: This is the basic command line tool for creating and managing OpenSSL certificates, keys, and other files.
- req: This subcommand specifies that we want to use X.509 certificate signing request (CSR) management. X.509 is the public key infrastructure standard that SSL and TLS adhere to for key and certificate management. We want to create a new X.509 cert, so we are using this subcommand.
- -x509: This further modifies the previous subcommand by telling the utility that we want to make a self-signed certificate instead of generating a certificate signing request, as would normally happen.
- -nodes: This tells OpenSSL to skip the option to secure our certificate with a passphrase. We need Nginx to be able to read the file, without user intervention, when the server starts up. A passphrase would prevent this from happening because we would have to enter it after every restart.
- -days 365: This option sets the length of time that the certificate will be considered valid. We set it for one year here.
- -newkey rsa:2048: This specifies that we want to generate a new certificate and a new key at the same time. We did not create the key that is required to sign the certificate in a previous step, so we need to create it along with the certificate. The rsa:2048 portion tells it to make an RSA key that is 2048 bits long.
- -keyout: This line tells OpenSSL where to place the generated private key file that we are creating.
- -out: This tells OpenSSL where to place the certificate that we are creating.
The entirety of the prompts will look something like this:
Country Name (2 letter code) [AU]:IN
State or Province Name (full name) [Some-State]:Kerala
Locality Name (eg, city) []:KYLM
Organization Name (eg, company) [Internet Widgits Pty Ltd]:Amrita
Organizational Unit Name (eg, section) []:IT
Common Name (e.g. server FQDN or YOUR name) []:AVIEW.IN
Email Address []:ictops.aerl.in
Add the SSL Certificate Information to the Site Configuration in Nginx
root@ubuntu:/etc/nginx/sites-enabled# vi ictops
server {
    listen 80; ## listen for ipv4; this line is default and implied
    server_name localhost;
    add_header X-Frame-Options "SAMEORIGIN";
    location / {
        root /var/www;
        index index.html index.htm;
    }
}
server {
    listen 443;
    server_name localhost;
    location / {
        root /var/www;
        index index.html index.htm;
    }
    ssl on;
    ssl_certificate /etc/nginx/ssl/nginx.crt;
    ssl_certificate_key /etc/nginx/ssl/nginx.key;
}
Restart Nginx Service
service nginx restart
This should reload your site configuration, now allowing it to respond to both HTTP and HTTPS (SSL) requests.
Test your HTTPS Setup
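Before pointing a browser at the server, it is worth checking the files Nginx will load. The script below is an added example, not part of the original post: it creates the same key and self-signed certificate non-interactively (the -subj option answers the prompts shown above with the same values) and then checks that the certificate really belongs to the key, that it is self-signed, and that it has not expired. It assumes the openssl command-line tool is installed; the output directory is a parameter, so it can be pointed at /etc/nginx/ssl on the server.

```shell
#!/bin/sh
# Added example: create and sanity-check the self-signed pair used by Nginx.
# Assumes the openssl CLI; subject values are the ones typed at the prompts.
set -eu

# Generate key + self-signed cert without prompts (same flags as the post).
make_selfsigned() {
    dir="$1"
    mkdir -p "$dir"
    openssl req -x509 -nodes -days 365 -newkey rsa:2048 \
        -keyout "$dir/nginx.key" -out "$dir/nginx.crt" \
        -subj "/C=IN/ST=Kerala/L=KYLM/O=Amrita/OU=IT/CN=AVIEW.IN" \
        2>/dev/null
    chmod 600 "$dir/nginx.key"   # only root (the nginx master) needs to read it
}

# Return 0 when the certificate was issued for this private key:
# both must carry the same RSA modulus (compared via their SHA-256 hash).
cert_matches_key() {
    c=$(openssl x509 -noout -modulus -in "$1" | openssl sha256)
    k=$(openssl rsa  -noout -modulus -in "$2" | openssl sha256)
    [ "$c" = "$k" ]
}

# Return 0 when the certificate is self-signed (issuer equals subject).
# This is the property that makes browsers show a warning for it.
is_self_signed() {
    s=$(openssl x509 -noout -subject -in "$1" | sed 's/^subject=//')
    i=$(openssl x509 -noout -issuer  -in "$1" | sed 's/^issuer=//')
    [ "$s" = "$i" ]
}

# Return 0 when the certificate stays valid for at least $2 more seconds.
valid_for() {
    openssl x509 -noout -checkend "$2" -in "$1" >/dev/null
}
```

On the server, run make_selfsigned /etc/nginx/ssl once, then cert_matches_key /etc/nginx/ssl/nginx.crt /etc/nginx/ssl/nginx.key; a mismatch here is the usual cause of "SSL_CTX_use_PrivateKey_file" errors when Nginx starts.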