Install an OpenSSL self-signed certificate with nginx
2021-10-22
2025-01-12
An issue with sudo?
Please don’t use the root account

If you configure your server directly as root, remember to drop sudo from each command.
If you set a password for the root account, the sudo command will not be accepted; connect directly as root to run the commands.
You can also reinstall your system, leaving the root password empty during installation: sudo is then installed and works properly.

Generate the certificate and the key

Recommended security

It is recommended to use ed25519, which matches the current security standard.
However, it is not supported everywhere, especially on legacy systems.
Where RSA is used instead, prefer a long key length.

sudo openssl req -x509 -days 365 -out mycert.crt -nodes -newkey rsa:4096 -keyout mykey.key

↩️ Fill in the certificate details when prompted:

Generating a RSA private key
..................................+++++
........................................................+++++
writing new private key to 'mykey.key'
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [AU]:FR
State or Province Name (full name) [Some-State]:RHONE
Locality Name (eg, city) []:maville
Organization Name (eg, company) [Internet Widgits Pty Ltd]:xsec
Organizational Unit Name (eg, section) []:IT
Common Name (e.g. server FQDN or YOUR name) []:web.it.fr
Email Address []:test@gmail.com
TIP

Common Name must be filled in with the domain name!

OpenSSL has generated the certificate and the key in the directory where you are at the time you entered the command.
You can move/rename them as you wish.
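The interactive prompt above can be replaced by a non-interactive command, and the result is worth checking before it is installed. The following shell script is an added example, not the post's own commands: it generates the same kind of certificate with a subjectAltName (current browsers ignore the Common Name and require a SAN when validating the host name), then verifies that the key matches the certificate, lists the SAN entries and checks the remaining validity. The host name web.it.fr and the subject fields are taken from the post's prompts and are only illustrative; the -addext option assumes OpenSSL 1.1.1 or later.

```shell
#!/bin/sh
# Added example (not from the original post): generate the self-signed
# certificate non-interactively and verify it before installing it.
# Assumes OpenSSL 1.1.1 or later (for -addext); host name and paths are
# illustrative values taken from the post, not a real deployment.
set -eu

# Generate a 4096-bit RSA key and a one-year self-signed certificate in
# directory $1 for host name $2. The subject fields mirror the post's
# prompts; the subjectAltName is added because browsers ignore the Common
# Name and require a SAN when validating the host name.
gen_selfsigned() {
    dir=$1; host=$2
    mkdir -p "$dir"
    openssl req -x509 -days 365 -nodes -newkey rsa:4096 \
        -keyout "$dir/mykey.key" -out "$dir/mycert.crt" \
        -subj "/C=FR/ST=RHONE/L=maville/O=xsec/OU=IT/CN=$host" \
        -addext "subjectAltName=DNS:$host" 2>/dev/null
    chmod 600 "$dir/mykey.key"   # private key readable by its owner only
}

# Print "match" if certificate $1 carries the public key of private key $2,
# otherwise "mismatch" (a mismatched pair makes nginx refuse to start).
keypair_matches() {
    cert_pub=$(openssl x509 -in "$1" -noout -pubkey | openssl dgst -sha256)
    key_pub=$(openssl pkey -in "$2" -pubout 2>/dev/null | openssl dgst -sha256)
    if [ "$cert_pub" = "$key_pub" ]; then echo match; else echo mismatch; fi
}

# Print the DNS names listed in the subjectAltName of certificate $1,
# one per line, e.g. "DNS:web.it.fr".
cert_san() {
    openssl x509 -in "$1" -noout -text | grep -o 'DNS:[^, ]*'
}

# Succeed if certificate $1 is still valid in $2 days; run it from cron
# to be warned before the one-year certificate expires.
cert_valid_for_days() {
    openssl x509 -in "$1" -noout -checkend $(( $2 * 86400 )) >/dev/null
}

# Usage: sh selfsigned.sh /var/www/sites/client1 web.it.fr
if [ $# -ge 2 ]; then
    gen_selfsigned "$1" "$2"
    echo "key/cert: $(keypair_matches "$1/mycert.crt" "$1/mykey.key")"
    echo "SAN:      $(cert_san "$1/mycert.crt")"
    cert_valid_for_days "$1/mycert.crt" 30 && echo "valid for at least 30 more days"
fi
```

Run it with the directory and host name as arguments; the generated files keep the names mycert.crt and mykey.key used in the nginx configuration below, and the key is created with mode 600 so that only its owner (and a root-started nginx) can read it.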

Edit the nginx configuration file

server {
    listen 80 default_server;
    listen [::]:80 default_server;
    root /var/www/html;
    index index.html index.htm index.nginx-debian.html;
    server_name _;
    location / {
        try_files $uri $uri/ =404;
    }
}
  • At the top of the file is a server configuration block.
    It listens on port 80 (HTTP), serves files from /var/www/html and uses the index pages listed in the index directive on line 5.

  • Since we are going to add a server configuration block that listens on port 443 (HTTPS), we need to change it to avoid conflicts:

server {
    listen 80 default_server;
    listen [::]:80 default_server;
    server_name _;
    return 301 https://$host$request_uri;
}
  • Line 5 redirects requests from port 80 to port 443.

Add the SSL configuration to the end of the file

server {
    listen 443 ssl;
    server_name _;
    root /var/www/html;
    ssl_certificate /var/www/sites/client1/mycert.crt;
    ssl_certificate_key /var/www/sites/client1/mykey.key;
    index index.html index.htm index.nginx-debian.html;
}
  • Line 4: replace the path with your own.
  • Lines 5-6: replace the paths with your own.

The configuration file then looks like this (without the comments):

server {
    listen 80 default_server;
    listen [::]:80 default_server;
    server_name _;
    return 301 https://$host$request_uri;
}
server {
    listen 443 ssl;
    server_name _;
    root /var/www/html;
    ssl_certificate /var/www/sites/client1/mycert.crt;
    ssl_certificate_key /var/www/sites/client1/mykey.key;
    index index.html index.htm index.nginx-debian.html;
}
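Before restarting nginx it is worth checking that the file contains everything the HTTPS block needs and that the key file is not world-readable. The script below is an added example, not part of the original post: lint_nginx_ssl reads an nginx configuration file and reports a missing `listen 443 ssl` directive, a missing HTTP-to-HTTPS redirect, missing or unreadable certificate paths and a world-readable private key; write_sample_conf builds a constructed copy of the configuration above in a directory of your choice so the check can be tried without touching a real server. The configuration path passed on the command line is an assumption.

```shell
#!/bin/sh
# Added example (not from the original post): sanity-check an nginx
# configuration like the one above before restarting nginx. Paths and the
# sample configuration are constructed for the demonstration.
set -eu

# Print one line per problem found in nginx config file $1 and nothing if
# the HTTPS setup from the post is complete: a 'listen 443 ssl' block, an
# HTTP-to-HTTPS redirect, readable certificate and key files, and a key
# that is not world-readable.
lint_nginx_ssl() {
    conf=$1
    grep -Eq '^[[:space:]]*listen[[:space:]]+443[[:space:]]+ssl' "$conf" ||
        echo "no 'listen 443 ssl' directive"
    grep -Eq '^[[:space:]]*return[[:space:]]+301[[:space:]]+https://' "$conf" ||
        echo "port 80 block does not redirect to https"
    for d in ssl_certificate ssl_certificate_key; do
        # value of the first "<directive> <path>;" line (ssl_certificate_key
        # does not match the ssl_certificate pattern because of the underscore)
        path=$(sed -n "s/^[[:space:]]*$d[[:space:]]\{1,\}\([^;]*\);.*/\1/p" "$conf" | head -n 1)
        if [ -z "$path" ]; then
            echo "missing $d directive"
        elif [ ! -r "$path" ]; then
            echo "$d points to an unreadable file: $path"
        elif [ "$d" = ssl_certificate_key ] && [ -n "$(find "$path" -perm -004)" ]; then
            echo "private key is world-readable: $path"
        fi
    done
}

# Write a constructed copy of the post's final configuration into
# directory $1, with empty placeholder cert/key files, and print the
# config path.
write_sample_conf() {
    dir=$1
    mkdir -p "$dir"
    : > "$dir/mycert.crt"
    : > "$dir/mykey.key"
    chmod 600 "$dir/mykey.key"
    cat > "$dir/nginx.conf" <<EOF
server {
    listen 80 default_server;
    listen [::]:80 default_server;
    server_name _;
    return 301 https://\$host\$request_uri;
}
server {
    listen 443 ssl;
    server_name _;
    root /var/www/html;
    ssl_certificate $dir/mycert.crt;
    ssl_certificate_key $dir/mykey.key;
    index index.html index.htm index.nginx-debian.html;
}
EOF
    echo "$dir/nginx.conf"
}

# Usage: sh lint.sh /etc/nginx/sites-enabled/default   (path is an assumption)
if [ $# -ge 1 ]; then
    problems=$(lint_nginx_ssl "$1")
    if [ -z "$problems" ]; then echo "ok: $1"; else echo "$problems"; exit 1; fi
fi
```

The check reads the file as the user running the script, so run it as the same user nginx starts as (normally root) to get a meaningful answer about the certificate paths; it deliberately does not replace `nginx -t`, which validates the whole configuration syntax.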

Restart nginx

sudo service nginx restart
TIP

You can now view your website with your self-signed certificate (https://monsite.local for example).

Source: https://xsec.fr/posts/linux/openssl/
Author: Xsec
Published: 2021-10-22
License: CC BY-NC-SA 4.0