How To Make a Self-Signed SSL Certificate for Nginx Server in Linux

Introduction

TLS (Transport Layer Security) and its predecessor SSL (Secure Sockets Layer) are the protocols used to protect web traffic, keeping it encrypted and authenticated while in transit.

Using these protocols, the server can send web traffic safely without third parties being able to read it. The certificate also helps users verify the identity of the site they are visiting.

Without an SSL certificate, the browser shows a warning like the one in the image below ("Your connection is not private").

Prerequisite

  • You will need a non-root user with sudo privileges on your Linux system.

  • You will also need the Nginx server installed on your system. A full LEMP setup (Linux, Nginx, MySQL and PHP) is fine too.

  • If you want to install only the Nginx server, you can download and install it from here.

When you have completed the prerequisites, continue to the next step.

Creating the SSL certificate

TLS/SSL works with a public certificate and a private key. The private key is kept secret on the server and is used to protect the content that is sent to the client.

You can create a self-signed key and certificate pair with a single OpenSSL command.

sudo openssl req -x509 -nodes -days 365 -newkey rsa:2048 -keyout /etc/ssl/private/nginx-selfsigned.key -out /etc/ssl/certs/nginx-selfsigned.crt

Explanation of the above command.

sudo - Runs the command with root privileges, which are needed to write into /etc/ssl/private and /etc/ssl/certs.

openssl - The OpenSSL command-line tool, used here to generate the private key and the certificate.

req - The subcommand that creates and processes X.509 certificate signing requests (CSRs). Combined with -x509, it outputs a self-signed certificate instead of a request.

-nodes - Skips encrypting the private key with a passphrase, so Nginx can read the key at startup without prompting for one.

-days 365 - Sets the validity period: the certificate will be valid for 365 days.

-keyout - Tells OpenSSL where to write the private key.

-out - Tells OpenSSL where to write the certificate being created.

After running this command, you will be asked a series of questions about yourself and your server.

Configure Nginx to use SSL

Now that your key and certificate files under the /etc/ssl directory have been created, you’ll need to modify your Nginx configuration to take advantage of them.

First, you will create a configuration snippet with the information about the SSL key and certificate file locations. Then, you will create a configuration snippet with a strong SSL setting that can be used with any certificates in the future. Finally, you will adjust your Nginx server blocks using the two configuration snippets you’ve created so that SSL requests can be handled appropriately.

Creating a Configuration Snippet Pointing to the SSL Key and Certificate

First, use your favorite text editor to create a new Nginx configuration file.

sudo nano /etc/nginx/snippets/self-signed.conf

Creating a Configuration Snippet with Strong Encryption Settings

Next, you will create another snippet that will define some SSL settings. This will set Nginx up with a strong SSL cipher suite and enable some advanced features that will help keep your server secure.

sudo nano /etc/nginx/snippets/ssl-params.conf

To set up Nginx SSL securely, we will adopt the recommendations from Cipherlist.eu. Cipherlist.eu is a useful and digestible resource for understanding the encryption settings used by popular software.

For our purposes, copy the provided settings in their entirety, but first, you will need to make a few small modifications.

First, add your preferred DNS resolver for upstream requests. We will use Google’s (8.8.8.8 and 8.8.4.4) for this guide.

Second, comment out the line that sets the strict transport security header. Before uncommenting this line, you should take a moment to read up on HTTP Strict Transport Security, or HSTS, and specifically about the “preload” functionality. Preloading HSTS provides increased security, but can also have far-reaching negative consequences if accidentally enabled or enabled incorrectly.

Add the following into your ssl-params.conf snippet file:

ssl_protocols TLSv1.3;
ssl_prefer_server_ciphers on;

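As an added example (not from the original post), here are the contents of the two snippets described above: self-signed.conf points at the key and certificate generated earlier, and ssl-params.conf applies the settings discussed (Google's resolver, HSTS line left commented out). The directives beyond the two lines the post shows are assumptions based on the Cipherlist.eu-style configuration, and the comments note where a self-signed certificate changes what makes sense.

```nginx
# /etc/nginx/snippets/self-signed.conf
# Paths match the openssl command used earlier in this guide.
ssl_certificate     /etc/ssl/certs/nginx-selfsigned.crt;
ssl_certificate_key /etc/ssl/private/nginx-selfsigned.key;

# /etc/nginx/snippets/ssl-params.conf
ssl_protocols TLSv1.3;
ssl_prefer_server_ciphers on;
# Note: with TLSv1.3 only, ssl_prefer_server_ciphers and ssl_ciphers do not
# affect the TLS 1.3 cipher suites; they only matter if TLSv1.2 is also enabled.
ssl_ecdh_curve X25519:secp384r1;

# Session cache without tickets (tickets weaken forward secrecy if the key
# is never rotated).
ssl_session_timeout 10m;
ssl_session_cache shared:SSL:10m;
ssl_session_tickets off;

# OCSP stapling stays off: a self-signed certificate has no OCSP responder,
# so enabling it would only produce warnings in the error log.
# ssl_stapling on;
# ssl_stapling_verify on;

# Resolver for upstream lookups, as chosen in the text (Google's 8.8.8.8 / 8.8.4.4).
resolver 8.8.8.8 8.8.4.4 valid=300s;
resolver_timeout 5s;

# HSTS is left commented out until you have read about "preload", as advised above.
# add_header Strict-Transport-Security "max-age=63072000; includeSubDomains; preload";
add_header X-Frame-Options DENY;
add_header X-Content-Type-Options nosniff;
```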
Adjusting the Nginx Configuration to Use SSL

We will assume in this guide that you are using a custom server block configuration file in the /etc/nginx/sites-available directory. This guide also follows the conventions from the prerequisite Nginx tutorial and uses /etc/nginx/sites-available/your_domain for this example. Substitute your configuration filename as needed.

Before making any changes, back up the current server block file:

sudo cp /etc/nginx/sites-available/your_domain /etc/nginx/sites-available/your_domain.bak

Now, open the configuration file to make adjustments:

sudo nano /etc/nginx/sites-available/your_domain

Copy these lines:

server {
    listen 80;
    listen [::]:80;
    server_name your_domain your_domain.com;
    root /var/www/your_domain.com/html;
    index index.html index.htm index.nginx-debian.html;
}

Adjusting the Firewall

If you have the ufw firewall enabled, as recommended by the prerequisite guides, you’ll need to adjust the settings to allow for SSL traffic. Luckily, Nginx registers a few profiles with ufw upon installation.

You can review the available profiles by running the following:

sudo ufw app list

To allow HTTPS traffic, you can update permissions for the “Nginx Full” profile:

sudo ufw allow 'Nginx Full'

Enabling the Changes in Nginx

With the changes to your configuration and firewall complete, you can restart Nginx to apply them.

First, check that there are no syntax errors in your files. You can do this by running sudo nginx -t:

sudo nginx -t

Changing to a Permanent Redirect

If your redirect worked correctly and you are sure you want to allow only encrypted traffic, you should modify the Nginx configuration to make the redirect permanent.

Open your server block configuration file again:

sudo nano /etc/nginx/sites-available/your_domain

Save and close the file.
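The adjusted server block file, as an added example that is not from the original post, serving both the "Adjusting the Nginx Configuration to Use SSL" section and this one: the site is served over HTTPS using the two snippets, and the port-80 block now only redirects. It assumes the snippet paths from the earlier sections and keeps the post's your_domain placeholder.

```nginx
# /etc/nginx/sites-available/your_domain

# HTTPS server: serves the site, pulling in the key/certificate paths and
# the hardened TLS settings from the two snippets created earlier.
server {
    listen 443 ssl;
    listen [::]:443 ssl;
    include snippets/self-signed.conf;
    include snippets/ssl-params.conf;

    server_name your_domain your_domain.com;
    root /var/www/your_domain.com/html;
    index index.html index.htm index.nginx-debian.html;
}

# HTTP server: no content, only a redirect to HTTPS.
# Use "return 302" while testing; switch to 301 only once you are sure,
# because browsers cache a 301 and will keep redirecting even if you revert.
server {
    listen 80;
    listen [::]:80;
    server_name your_domain your_domain.com;

    return 301 https://$host$request_uri;
}
```

Run sudo nginx -t after editing; a typo in either snippet shows up here rather than at restart.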

Check your configuration for syntax errors:

sudo nginx -t

When you’re ready, restart Nginx to make the redirect permanent:

sudo systemctl restart nginx

After the restart, the changes will be implemented and your redirect is now permanent.

See you in the next one. Bye, bye.