Self-signed certificate

Chuntung

Oct 25, 2019

Prerequisite: OpenSSL installed on Linux.

Generate CA Root Cert

# generate CA key, password required
openssl genrsa -des3 -out ca.key 2048

# remove password if needed
openssl rsa -in ca.key -out ca.key

# generate CA cert, valid for 10 years
# "Common Name" is used for identity, e.g. "CA"
openssl req -new -x509 -key ca.key -out ca.pem -days 3650

Issue cert from request

# generate private key, similar to CA key, or just use CA key
openssl genrsa -des3 -out ssl.key 2048
openssl rsa -in ssl.key -out ssl.key

# generate cert req
# "Common Name" can be inputed with your domain
openssl req -new -key ssl.key -out ssl.csr

# issue cert by CA Root Cert
openssl x509 -req -days 3650 -in ssl.csr -CA ca.pem -CAkey ca.key -CAcreateserial -out ssl.pem

Config in Nginx

ssl_certificate /path/to/cert/ssl.pem;
ssl_certificate_key /path/to/cert/ssl.key;