Wednesday, February 27, 2019

Nginx Key and Certificate Creation

SSL Key and Certificate creation in Nginx:

Ubuntu@Server:/etc/nginx$ mkdir ssl
Ubuntu@Server:/etc/nginx$ cd ssl

// The command below is explained at the end of this post.

Ubuntu@Server:/etc/nginx/ssl$ sudo openssl req -x509 -nodes -days 365 -newkey rsa:2048 -keyout /etc/nginx/ssl/dmodi_nginx.key -out /etc/nginx/ssl/dmodi_nginx.crt
[sudo] password for wibmoapp:
    Generating a 2048 bit RSA private key
    ...................................+++
    .....................................+++
    writing new private key to '/etc/nginx/ssl/dmodi_nginx.key'
    -----
    You are about to be asked to enter information that will be incorporated
    into your certificate request.
    What you are about to enter is what is called a Distinguished Name or a DN.
    There are quite a few fields but you can leave some blank
    For some fields there will be a default value,
    If you enter '.', the field will be left blank.
    -----
    Country Name (2 letter code) [AU]:IN
    State or Province Name (full name) [Some-State]:Karnataka
    Locality Name (eg, city) []:Bengaluru
    Organization Name (eg, company) [Internet Widgits Pty Ltd]:Wibmo
    Organizational Unit Name (eg, section) []:Payzapp Team
    Common Name (e.g. server FQDN or YOUR name) []:www.deepakmodi.com
    Email Address []:deepak.modi@wibmo.com
    
Ubuntu@Server:/etc/nginx/ssl$ ls -lrth
total 8.0K
-rw-r----- 1 root root 1.7K Feb 27 18:53 dmodi_nginx.key
-rw-r----- 1 root root 1.5K Feb 27 18:53 dmodi_nginx.crt
Ubuntu@Server:/etc/nginx/ssl$


Now modify the nginx.conf file:
server {
        listen 80 default_server;
        listen [::]:80 default_server ipv6only=on;

        listen 443 ssl;

        root /usr/share/nginx/html;
        index index.html index.htm;

        server_name your_domain.com;
        ssl_certificate /etc/nginx/ssl/dmodi_nginx.crt;
        ssl_certificate_key /etc/nginx/ssl/dmodi_nginx.key;

        location / {
                try_files $uri $uri/ =404;
        }
}

Restart Nginx:
service nginx restart

Now Try:
http://server_domain_or_IP
and
https://server_domain_or_IP

Command Explanation:
openssl: This is the basic command line tool for creating and managing OpenSSL certificates, keys, and other files.

req: This subcommand specifies that we want to use X.509 certificate signing request (CSR) management. X.509 is a public key infrastructure standard that SSL and TLS adhere to for key and certificate management. We want to create a new X.509 cert, so we are using this subcommand.
    
-x509: This further modifies the previous subcommand by telling the utility that we want to make a self-signed certificate instead of generating a certificate signing request, as would normally happen.
    
-nodes: This tells OpenSSL to skip encrypting our private key with a passphrase. We need Nginx to be able to read the key file, without user intervention, when the server starts up. A passphrase would prevent this from happening because we would have to enter it after every restart.
        
-days 365: This option sets the length of time that the certificate will be considered valid. We set it for one year here.

-newkey rsa:2048: This specifies that we want to generate a new certificate and a new key at the same time. We did not create the key that is required to sign the certificate in a previous step, so we need to create it along with the certificate. The rsa:2048 portion tells it to make an RSA key that is 2048 bits long.
    
-keyout: This line tells OpenSSL where to place the generated private key file that we are creating.

-out: This tells OpenSSL where to place the certificate that we are creating.
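Added example, not from the original post: the same openssl command made non-interactive with -subj, plus a subjectAltName (browsers ignore the Common Name alone when matching the hostname), followed by the checks worth running before pointing nginx at the files. It assumes OpenSSL 1.1.1 or newer (for -addext) and GNU stat; the output directory is a placeholder standing in for /etc/nginx/ssl.

```bash
#!/usr/bin/env bash
# Added example: generate and verify a self-signed key/cert pair for nginx.
# Assumptions: openssl >= 1.1.1, GNU coreutils; OUT_DIR stands in for /etc/nginx/ssl.
set -euo pipefail

OUT_DIR="${OUT_DIR:-${TMPDIR:-/tmp}/nginx-ssl-example}"   # placeholder path
KEY="$OUT_DIR/dmodi_nginx.key"
CRT="$OUT_DIR/dmodi_nginx.crt"
CN="www.deepakmodi.com"                                   # hostname from the post

# Same flags as the post, with -subj to skip the interactive DN prompts
# and -addext to put the hostname in a SAN, which TLS clients require.
gen_selfsigned() {
  mkdir -p "$OUT_DIR"
  openssl req -x509 -nodes -days 365 -newkey rsa:2048 \
    -keyout "$KEY" -out "$CRT" \
    -subj "/C=IN/ST=Karnataka/L=Bengaluru/O=Wibmo/OU=Payzapp Team/CN=$CN" \
    -addext "subjectAltName=DNS:$CN" 2>/dev/null
  chmod 600 "$KEY"   # only the owner (nginx master runs as root) may read the key
}

# Check 1: key and certificate carry the same public key, so nginx will load them together.
key_matches_cert() {
  local from_key from_crt
  from_key=$(openssl pkey -in "$KEY" -pubout -outform DER 2>/dev/null | openssl dgst -sha256)
  from_crt=$(openssl x509 -in "$CRT" -pubkey -noout \
             | openssl pkey -pubin -outform DER 2>/dev/null | openssl dgst -sha256)
  [ "$from_key" = "$from_crt" ]
}

# Check 2: the certificate does not expire within the given number of days.
cert_valid_for_days() {
  openssl x509 -in "$CRT" -noout -checkend $(( $1 * 86400 )) >/dev/null
}

# Check 3: the SAN lists the hostname that server_name will answer for.
cert_has_san() {
  openssl x509 -in "$CRT" -noout -text | grep -q "DNS:$1"
}

# Check 4: the private key is not group- or world-readable.
key_mode_is_private() {
  [ "$(stat -c %a "$KEY")" = "600" ]
}
```

After editing nginx.conf to point ssl_certificate and ssl_certificate_key at these files, `nginx -t` validates the configuration before the restart step above.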
