From the mind of a G33k

Generic placeholder image
Creating a self signed ssl certificate with Debian and NGINX

Here is how you can easily setup your own ssl certificate on a Debian server running NGINX

In this guide we're going to assume the following details:

Site Hostname: ssl.lg
Server Name: web01
Web Server: NGINX
Distro & Release: Debian 9

You can name these files anything that you want. I suggest using a naming schema that matches your site hostname so that if you run multiple webs on a single server you won't get confused.

  1. Create your SSL certificate
    a. sudo openssl req -x509 -nodes -days 365 -newkey rsa:2048 -keyout /etc/ssl/private/ssl.lg.key -out /etc/ssl/certs/ssl.lg.crt
    You will be asked several questions but most importantly make sure that your "Common Name" matches your site hostname.

  2. Now you'll want to create a Diffie-Hellman Group (This will take a long time...)
    a. sudo openssl dhparam -out /etc/nginx/dhparam.pem 4096
  3. Setup your configuration snippets
    a. sudo nano /etc/nginx/snippets/ssl.lg.self-signed.conf
    b. Add "ssl_certificate /etc/ssl/certs/ssl.lg.crt;" and "ssl_certificate_key /etc/ssl/private/ssl.lg.key;"

    c. sudo nano /etc/nginx/snippets/ssl-params.conf
    d. Add the following
ssl_protocols TLSv1.2;
ssl_prefer_server_ciphers on;
ssl_dhparam /etc/nginx/dhparam.pem;
ssl_ciphers ECDHE-RSA-AES256-GCM-SHA512:DHE-RSA-AES256-GCM-SHA512:ECDHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-SHA384;
ssl_ecdh_curve secp384r1; # Requires nginx >= 1.1.0
ssl_session_timeout  10m;
ssl_session_cache shared:SSL:10m;
ssl_session_tickets off; # Requires nginx >= 1.5.9
ssl_stapling on; # Requires nginx >= 1.3.7
ssl_stapling_verify on; # Requires nginx => 1.3.7
resolver 8.8.8.8 8.8.4.4 valid=300s;
resolver_timeout 5s;
# Disable strict transport security for now. You can uncomment the following
# line if you understand the implications.
# add_header Strict-Transport-Security "max-age=63072000; includeSubDomains; preload";
add_header X-Frame-Options DENY;
add_header X-Content-Type-Options nosniff;
add_header X-XSS-Protection "1; mode=block";

4. Now we need to edit our site configuration
    a. sudo nano /etc/nginx/sites-enabled/ssl.lg.conf
    b. Add the following

        listen 443 ssl;
        listen [::]:443 ssl;
        include snippets/ssl.lg.self-signed.conf;
        include snippets/ssl-params.conf;


     c. Make sure you haven't made any errors by running an nginx test
        sudo nginx -t
        (ignore the "nginx: [warn] "ssl_stapling" ignored, issuer certificate not found" as it's not required for self signed certs)

5. Reload NGINX
    a. sudo nginx -s reload

6. Check that SSL is enabled properly from a browser by visiting https://ssl.lg (Or whatever your site hostname is)

7. Click Advanced and then "Add Exception"

8. View the certificate to make sure that it is in fact yours!

9. Click "Confirm Security Exception"