From the mind of a G33k
Here is how you can easily setup your own ssl certificate on a Debian server running NGINX
In this guide we're going to assume the following details:
Site Hostname: ssl.lg
Server Name: web01
Web Server: NGINX
Distro & Release: Debian 9
You can name these files anything that you want. I suggest using a naming schema that matches your site hostname so that if you run multiple webs on a single server you won't get confused.
- Create your SSL certificate
a. sudo openssl req -x509 -nodes -days 365 -newkey rsa:2048 -keyout /etc/ssl/private/ssl.lg.key -out /etc/ssl/certs/ssl.lg.crt
You will be asked several questions but most importantly make sure that your "Common Name" matches your site hostname.
- Now you'll want to create a Diffie-Hellman Group (This will take a long time...)
a. sudo openssl dhparam -out /etc/nginx/dhparam.pem 4096
- Setup your configuration snippets
a. sudo nano /etc/nginx/snippets/ssl.lg.self-signed.conf
b. Add "ssl_certificate /etc/ssl/certs/ssl.lg.crt;" and "ssl_certificate_key /etc/ssl/private/ssl.lg.key;"
c. sudo nano /etc/nginx/snippets/ssl-params.conf
d. Add the following
ssl_protocols TLSv1.2; ssl_prefer_server_ciphers on; ssl_dhparam /etc/nginx/dhparam.pem; ssl_ciphers ECDHE-RSA-AES256-GCM-SHA512:DHE-RSA-AES256-GCM-SHA512:ECDHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-SHA384; ssl_ecdh_curve secp384r1; # Requires nginx >= 1.1.0 ssl_session_timeout 10m; ssl_session_cache shared:SSL:10m; ssl_session_tickets off; # Requires nginx >= 1.5.9 ssl_stapling on; # Requires nginx >= 1.3.7 ssl_stapling_verify on; # Requires nginx => 1.3.7 resolver 22.214.171.124 126.96.36.199 valid=300s; resolver_timeout 5s; # Disable strict transport security for now. You can uncomment the following # line if you understand the implications. # add_header Strict-Transport-Security "max-age=63072000; includeSubDomains; preload"; add_header X-Frame-Options DENY; add_header X-Content-Type-Options nosniff; add_header X-XSS-Protection "1; mode=block";
4. Now we need to edit our site configuration
a. sudo nano /etc/nginx/sites-enabled/ssl.lg.conf
b. Add the following
listen 443 ssl; listen [::]:443 ssl; include snippets/ssl.lg.self-signed.conf; include snippets/ssl-params.conf;
c. Make sure you haven't made any errors by running an nginx test
sudo nginx -t
(ignore the "nginx: [warn] "ssl_stapling" ignored, issuer certificate not found" as it's not required for self signed certs)
5. Reload NGINX
a. sudo nginx -s reload
6. Check that SSL is enabled properly from a browser by visiting https://ssl.lg (Or whatever your site hostname is)
7. Click Advanced and then "Add Exception"
8. View the certificate to make sure that it is in fact yours!
9. Click "Confirm Security Exception"