Ubuntu Gutsy - self signed SSL certificates and Nginx

Secure connections to your website are vital when entering passwords or entering administration areas.

This article will take you through generating a self-signed certificate to use with Nginx.


But...

Yes, I know I already have an article regarding generating self signed certificates which can be found here.

Unfortunately, Nginx does not want to play with a straightforward pem file so we have to do some extra work and generate a passwordless key file as well.

Non commercial

Before we go any further I would also point out that self-signed certificates will produce warnings when accessed via an https link.

They are not suitable for commercial sites or any public facing site but are ideal for personal administration areas.

There are many sites that specialise in issuing recognised and guaranteed certificates. A search for 'ssl certificates' in your favourite search engine will provide many links.

SSL directory

There is a 'standard' Ubuntu/Debian location for certificates at /etc/ssl/ which contains folders called 'certs' and 'private'.

You are, of course, free to use any directory but in this article I will use the /etc/ssl/ directory to store the generated files.

This makes it easier to locate the certificates and is not dependent on using a particular server.

Home

Start off in your home directory and create a temporary folder so we can work from one place and not have files scattered all over the shop:

mkdir /home/demo/temp
...
cd /home/demo/temp

Key

First we need to create a private key. Note that this process will require a passphrase for the key - don't worry, we'll remove it later to make things easier:

openssl genrsa -des3 -out myssl.key 1024

As said, this will require you to enter a passphrase.

CSR

Now we need to create a CSR (Certificate Signing Request):

openssl req -new -key myssl.key -out myssl.csr

The process will ask for various details for the certificate. I entered the following for each question:

Country Name: GB

State or Province Name: Nottinghamshire

Locality Name: Nottingham

Organization Name: PickledOnion Ltd

Organizational Unit Name: Web Development

Common Name: admin.domain.com

Email Address: webadmin@domain.com

For the 'extra' attributes I simply pressed 'return' (i.e. I left them blank).

Note: For the Common Name I entered the domain name I want to associate with the certificate. In this case I want it for my administration area so I entered 'admin.domain.com'.

You are not restricted to using the certificate with just that domain but it will produce extra warnings if the Common Name does not match the URI.

Remove Passphrase

When we generated the myssl.key file, we had to enter a passphrase. One disadvantage of this is the need to enter the passphrase if the Slice is rebooted.

This is especially problematic if an unexpected reboot occurs as the boot sequence will simply stop until you enter the console via the SliceManager and enter it.

So unless you see a particular need to keep the passphrase, let's remove it:

cp myssl.key myssl.key.org
openssl rsa -in myssl.key.org -out myssl.key

You will be asked for the passphrase one last time to confirm it is a genuine request.

Now we have three files in the temp folder:

ls
...
myssl.csr  myssl.key  myssl.key.org

CRT

The last file we need to generate is the actual ssl certificate:

openssl x509 -req -days 365 -in myssl.csr -signkey myssl.key -out myssl.crt

Good. Now we have the final piece in place as that generated our myssl.crt file.

Everything in its place

Now we need to copy the relevant files to the /etc/ssl/ directory.

First file to move is the certificate itself:

sudo cp myssl.crt /etc/ssl/certs/

and secondly, copy the key:

sudo cp myssl.key /etc/ssl/private/
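The key, CSR and self-signed certificate steps above, run non-interactively in a scratch directory together with the checks worth making before the files go into /etc/ssl/ (that the key really is passphrase-free, that key and certificate belong together, and that the Common Name is the host you intend to serve). This is an added example, not the article's own commands; the WORK directory and the subject values are assumptions that mirror the answers given above.

```shell
#!/bin/sh
# Added example (not from the article): key -> CSR -> self-signed certificate,
# then the checks to make before copying to /etc/ssl/. WORK stands in for
# /home/demo/temp and SUBJ repeats the article's CSR answers (assumptions).
set -eu
WORK=${WORK:-$(mktemp -d)}
SUBJ="/C=GB/ST=Nottinghamshire/L=Nottingham/O=PickledOnion Ltd"
SUBJ="$SUBJ/OU=Web Development/CN=admin.domain.com/emailAddress=webadmin@domain.com"

# Key and CSR in one step with no passphrase (-nodes), so the separate
# "Remove Passphrase" step is not needed afterwards.
make_csr() {
    openssl req -new -nodes -newkey rsa:2048 -subj "$SUBJ" \
        -keyout "$WORK/myssl.key" -out "$WORK/myssl.csr" 2>/dev/null
}

# Self-sign the CSR for 365 days, as in the article's final openssl step.
make_crt() {
    openssl x509 -req -days 365 -in "$WORK/myssl.csr" \
        -signkey "$WORK/myssl.key" -out "$WORK/myssl.crt" 2>/dev/null
}

# 0 if the key opens with an empty passphrase, i.e. Nginx will not stall at
# boot waiting for one; 1 if the key is still encrypted.
key_is_passwordless() {
    openssl rsa -in "$1" -noout -passin pass: </dev/null >/dev/null 2>&1
}

# 0 if the RSA modulus in the key and certificate agree. A mismatched pair is
# what makes Nginx refuse to load ssl_certificate/ssl_certificate_key.
key_matches_cert() {
    k=$(openssl rsa -in "$1" -noout -modulus | openssl sha256)
    c=$(openssl x509 -in "$2" -noout -modulus | openssl sha256)
    [ "$k" = "$c" ]
}

# 0 if the certificate's Common Name is the host you intend to serve; anything
# else adds a hostname warning on top of the self-signed one.
cert_has_cn() {
    openssl x509 -in "$1" -noout -subject | grep -q "CN *= *$2"
}

run_checks() {
    make_csr && make_crt
    key_is_passwordless "$WORK/myssl.key" || { echo "key is still encrypted"; return 1; }
    key_matches_cert "$WORK/myssl.key" "$WORK/myssl.crt" || { echo "key/cert mismatch"; return 1; }
    cert_has_cn "$WORK/myssl.crt" admin.domain.com || { echo "unexpected CN"; return 1; }
    echo "ok: $WORK/myssl.crt -> /etc/ssl/certs/, $WORK/myssl.key -> /etc/ssl/private/"
}
run_checks
```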

Clean up

You are now free to delete the temp folder and the four files we generated or, if you prefer, keep them around for a while until you know the ssl certificate works correctly.

Summary

Nginx requires more than the standard pem file that Apache is happy with. As such, we need to create an ssl key and a certificate file.

Once the files have been generated and moved to the /etc/ssl/ directory, we are now ready to configure Nginx to serve our domain from an HTTPS connection.

PickledOnion.

Article Comments:

Pete S. commented Wed Jan 02 01:10:31 UTC 2008:

http://www.cacert.org/ offers free SSL certificates -- you just supply a CSR.

If you import their root certificate into your browser, you avoid all the various error messages associated with self-signed certs (though due to the lack of ubiquity, they're probably not suitable for hosting stuff where public confidence is 100% necessary, like e-commerce).

They have several advantages over self-signed certs:

  • CRL/OCSP responder allows for revocation checking.
  • Once you trust their root, you trust any cert issued by them (be sure to evaluate them thoroughly before deciding to trust the root), which can be handy if you have to issue certs to a large number of servers and don't want to have to trust each cert individually.
  • It's easy to distribute their root certificate to all systems on a company network, making it less annoying to deploy many user systems to query a server.

Timur commented Mon Oct 13 09:36:31 UTC 2008:

A simpler way to create a CSR and new key without passphrase in one command: openssl req -new -nodes -keyout myssl.key -out myssl.csr

Spencer Alexander commented Thu Nov 20 20:46:29 UTC 2008:

Great article again!

When I created the key (the first step), I was required to do so as sudo to avoid errors. It might be helpful to others following this tutorial.

stephen commented Sun Jan 11 20:54:53 UTC 2009:

I just spent way too much time banging my head on this. When I add the following to my conf

server {
    listen          443;
    server_name     www.domain.com;
    rewrite ^/(.*)  https://domain.com/$1 permanent;
}

I kept getting "ssl_error_rx_record_too_long". When I removed it, things were fine. ack.

karthik commented Mon Mar 21 10:41:42 UTC 2011:

Thanks a lot. This is excellent.

I was struggling for 4 hrs. Finally this gives the result.

carlos commented Wed May 30 19:24:17 UTC 2012:

awesome post!
