How to Create a Self-Signed SSL Certificate for Nginx on Linux

Why You Need a Self-Signed Certificate (and When Not To)

Creating a self-signed SSL certificate for Nginx on Linux is a quick way to enable HTTPS for local testing, development, or internal applications.In today’s web, HTTPS is non-negotiable. It encrypts communication between your users and your server, protecting sensitive data and building trust. While most production websites use certificates from trusted Certificate Authorities (CAs) like Let’s Encrypt or DigiCert, there are times when a self-signed certificate is incredibly useful:

• Development and Staging Environments: You’re testing your Nginx configuration, an application, or just want to ensure HTTPS works without buying a certificate.
• Internal Tools: For applications used only within your company, where you control client machines and can manually trust the certificate.
• Temporary Solutions: A quick fix while you await a CA-signed certificate.

However, remember this crucial point: Self-signed certificates will trigger security warnings in browsers for your users. This is because they aren’t issued by a publicly trusted authority. Never use a self-signed certificate for a public-facing production website.

Prerequisites: What You’ll Need

Before we dive in, make sure you have these in place:

• A Linux server (e.g., Ubuntu, CentOS, Debian)
• Nginx installed and running on your server
• openssl: This powerful command-line tool is usually pre-installed on most Linux distributions.
• Sudo privileges: You’ll need root access to create directories and modify Nginx configurations.

Step-by-Step Guide: Generating Your Certificate

We’ll use openssl to create both your private key and the self-signed certificate.

Step 1: Create a Dedicated Directory for Certificates

It’s good practice to keep your SSL files organized. Let’s create a directory within your Nginx configuration path:

Bash

sudo mkdir -p /etc/nginx/ssl

This command creates the /etc/nginx/ssl/ directory if it doesn’t already exist.

Step 2: Generate Your Private Key and Self-Signed Certificate

Now for the magic! This command will generate both files in one go:

Bash

sudo openssl req -x509 -nodes -days 365 -newkey rsa:2048 -keyout /etc/nginx/ssl/nginx-selfsigned.key -out /etc/nginx/ssl/nginx-selfsigned.crt

Let’s break down what each part of this command does:

• sudo openssl req: Initiates a new certificate signing request.
• -x509: Tells openssl to output a self-signed certificate directly.
• -nodes: “No DES encryption.” This means your private key won’t require a passphrase, allowing Nginx to start without manual input.
• -days 365: Sets the certificate’s validity to one year. You can adjust this as needed.
• -newkey rsa:2048: Generates a new RSA private key with a secure length of 2048 bits.
• -keyout /etc/nginx/ssl/nginx-selfsigned.key: Specifies the output file for your private key.
• -out /etc/nginx/ssl/nginx-selfsigned.crt: Specifies the output file for your self-signed certificate.

When you run this, you’ll be prompted for some information. Fill it in as follows:

Country Name (2 letter code) [AU]:**IN** <-- Your country code (e.g., US, UK, IN)
State or Province Name (full name) [Some-State]:**Karnataka** <-- Your state/province
Locality Name (eg, city) []:**Bengaluru** <-- Your city
Organization Name (eg, company) [Internet Widgits Pty Ltd]:**My Development Inc.** <-- Your company/organization
Organizational Unit Name (eg, section) []:**IT Dept** <-- Your department (optional)
Common Name (e.g. server FQDN or YOUR name) []:**dev.example.com** <-- **CRITICAL:** Use your server's domain name or IP address (e.g., example.com, your_server_ip, localhost)
Email Address []:**admin@dev.example.com** <-- Your email (optional)

Pay special attention to the Common Name! This should be the domain name or IP address you’ll use to access your Nginx server. If you’re just testing locally, localhost works too.

Step 3: Secure Your Private Key Permissions

The private key is sensitive! Set its permissions so only the root user can read it.

Bash

sudo chmod 600 /etc/nginx/ssl/nginx-selfsigned.key

This command restricts read and write access to the owner only.

Configuring Nginx to Use Your New Certificate

Now, let’s tell Nginx about your shiny new certificate.

Step 4: Edit Your Nginx Server Block

Open your Nginx configuration file. For many setups, this is /etc/nginx/sites-available/default.

Bash

sudo nano /etc/nginx/sites-available/default

Locate your server block and modify or add the following. We’ll include a redirect from HTTP to HTTPS for good measure.

Nginx

# Redirect HTTP to HTTPS
server {
    listen 80;
    listen [::]:80;
    server_name your_domain.com www.your_domain.com; # IMPORTANT: Replace with your actual domain or IP
    return 301 https://$host$request_uri;
}

# HTTPS Server Block
server {
    listen 443 ssl http2;
    listen [::]:443 ssl http2;
    server_name your_domain.com www.your_domain.com; # IMPORTANT: Replace with your actual domain or IP

    # Path to your self-signed certificate and key
    ssl_certificate /etc/nginx/ssl/nginx-selfsigned.crt;
    ssl_certificate_key /etc/nginx/ssl/nginx-selfsigned.key;

    # Recommended SSL settings for better security (optional but highly recommended)
    ssl_protocols TLSv1.2 TLSv1.3;
    ssl_prefer_server_ciphers on;
    ssl_ciphers 'EECDH+AESGCM:EDH+AESGCM:AES256+EECDH:AES256+EDH';
    ssl_session_cache shared:SSL:10m;
    ssl_session_timeout 10m;
    ssl_stapling on;
    ssl_stapling_verify on;
    # resolver 8.8.8.8 8.8.4.4 valid=300s; # Uncomment if you use stapling and adjust DNS
    # resolver_timeout 5s;
    add_header X-Frame-Options DENY;
    add_header X-Content-Type-Options nosniff;
    add_header X-XSS-Protection "1; mode=block";

    # Your web root and index files
    root /var/www/html;
    index index.html index.htm;

    location / {
        try_files $uri $uri/ =404;
    }
}

Key parts of the Nginx configuration:

• The first server block on port 80 redirects all incoming HTTP traffic to HTTPS.
• The second server block on port 443 (HTTPS) is where your SSL magic happens.
• ssl_certificate and ssl_certificate_key: These directives point to the files we just created.
• The ssl_protocols, ssl_ciphers, and other add_header lines are crucial for robust SSL security. Feel free to research and customize them further!

Step 5: Test Nginx Configuration and Restart

Before restarting, always test your Nginx configuration for syntax errors. This saves you from unexpected downtime!

Bash

sudo nginx -t

If you see syntax is ok and test is successful, you’re golden. Now, restart Nginx to apply the changes:

Bash

sudo systemctl restart nginx

# Or, if systemctl isn't available:

sudo service nginx restart

Accessing Your Website (and the Browser Warning)

Now for the moment of truth! Open your web browser and navigate to your server’s domain or IP address using https:// (e.g., https://your_domain.com or https://your_server_ip).

You will undoubtedly encounter a “Your connection is not private” or similar warning.

• For Chrome: Click “Advanced” -> “Proceed to [your domain/IP] (unsafe)”.
• For Firefox: Click “Advanced” -> “Accept the Risk and Continue”.

Once you bypass the warning, your website should load securely over HTTPS, confirming that Nginx is now using your self-signed certificate!

Final Thoughts & Next Steps

Congratulations! You’ve successfully implemented a self-signed SSL certificate for Nginx. While excellent for development and internal use, remember to upgrade to a CA-signed certificate (like a free one from Let’s Encrypt) for any public-facing production sites.

What are you building with your newly secured Nginx server? Let us know in the comments below! Sources