<h1>HowTo: Create a Self-Signed SSL Certificate on Nginx For CentOS / RHEL</h1>
<p>Published 2018-10-05 at <a href="https://www.asianux.org.vn/index.php/2018/10/05/howto-create-a-self-signed-ssl-certificate-on-nginx-for-centos-rhel/">www.asianux.org.vn</a>. Category: Linux.</p>
<h2>A note about self-signed certificates vs third-party issued certificates</h2>
<figure class="wp-caption alignright"><a href="https://www.cyberciti.biz/media/new/images/faq/2013/11/ssl-https-cyberciti-0.biz.png" target="_blank" rel="noopener"><img loading="lazy" decoding="async" class="" src="https://www.cyberciti.biz/media/new/images/faq/2013/11/ssl-https-cyberciti-0.biz.png" alt="Fig.01: Cyberciti.biz connection encrypted and verified by a third party CA called GeoTrust, Inc." width="341" height="222" title=""></a><figcaption class="wp-caption-text">Fig.01: Cyberciti.biz connection encrypted and verified by a third party CA called GeoTrust, Inc.</figcaption></figure>
<ol>
<li>Usually, an SSL/TLS certificate is issued by a third party. It provides confidentiality and integrity between two computers (client and server) on a public network by encrypting traffic. A CA (Certificate Authority) may issue you an SSL certificate <strong>that verifies the organizational identity</strong> (company name), location, and server details.</li>
<li>A self-signed certificate also encrypts traffic between client (browser) and server. However, it <strong>cannot verify the organizational identity</strong>: you do <strong>not depend on a third party</strong> to vouch for your location and server details, so a browser has no way to tell your certificate from one an attacker generated for the same hostname, and it will warn the user until the certificate is explicitly trusted. Use self-signed certificates for testing, internal services, or where you can distribute the certificate to every client yourself; use a CA-issued certificate for anything the public connects to.</li>
</ol>
<h2>Our sample setup</h2>
<ul>
<li>Domain name: <kbd>theos.in</kbd></li>
<li>Directory name: <kbd>/etc/nginx/ssl/theos.in</kbd></li>
<li>SSL certificate file for theos.in: <kbd>/etc/nginx/ssl/theos.in/self-ssl.crt</kbd></li>
<li>SSL certificate key for theos.in: <kbd>/etc/nginx/ssl/theos.in/self-ssl.key</kbd></li>
<li>Nginx configuration file for theos.in: <kbd>/etc/nginx/virtual/theos.in.conf</kbd></li>
</ul>
<h2>Step #1: Make sure an SSL-aware nginx is installed</h2>
<p>Simply type the <a href="https://www.cyberciti.biz/faq/unix-linux-bsd-display-nginx-version/" target="_blank" rel="noopener">following command to verify the nginx version and its compiled-in features</a>:<br />
<code>$ /usr/sbin/nginx -V</code><br />
Sample outputs:</p>
<pre>nginx version: nginx/1.4.3
built by gcc 4.4.7 20120313 (Red Hat 4.4.7-3) (GCC) 
<strong>TLS SNI support enabled</strong>
configure arguments: --prefix=/etc/nginx --sbin-path=/usr/sbin/nginx --conf-path=/etc/nginx/nginx.conf 
...
....
..
</pre>
<p>Look for <strong>TLS SNI support enabled</strong> and for <code>--with-http_ssl_module</code> among the configure arguments; without the latter the <code>ssl</code> parameter used below is not recognised. If nginx is not installed, type the following command to download and install nginx using the <a title="See Linux/Unix yum command examples for more info" href="https://www.cyberciti.biz/faq/rhel-centos-fedora-linux-yum-command-howto/" target="_blank" rel="noopener">yum command</a>:<br />
<code># yum install nginx</code><br />
See <a href="https://www.cyberciti.biz/faq/install-nginx-centos-rhel-6-server-rpm-using-yum-command/" target="_blank" rel="noopener">how to install Nginx web server On CentOS Linux 6 or Red Hat Enterprise Linux 6 using yum command</a> for more information.</p>
<h2>Step #2: Create a directory</h2>
<p>Type the following mkdir command to create a directory to store your SSL certificates and keys (keep it owned by root and not world-readable, since the private key will live here):<br />
<code># mkdir -p /etc/nginx/ssl/theos.in</code></p>
<p>Use the following cd command to change into the directory:<br />
<code># cd /etc/nginx/ssl/theos.in</code></p>
<h2>Step #3: Create an SSL private key</h2>
<p>To generate a passphrase-protected 2048-bit RSA private key, enter:<br />
<code># openssl genrsa -des3 -out self-ssl.key 2048</code><br />
Older guides show <code>1024</code> as the key size; do not use it. 1024-bit RSA is deprecated and no longer accepted by public CAs, and 2048 bits is the minimum you should generate (4096 is fine if you can afford the extra CPU per handshake). The <code>-des3</code> option encrypts the key file under a passphrase; <code>-aes256</code> is a stronger choice where available.<br />
Sample outputs:</p>
<pre>Generating RSA private key, 2048 bit long modulus
...++++++
...............++++++
e is 65537 (0x10001)
Enter pass phrase for self-ssl.key: <strong>Type-Your-PassPhrase-Here</strong>
Verifying - Enter pass phrase for self-ssl.key: <strong>Retype-Your-PassPhrase-Here</strong></pre>
<p class="alert">Warning: Make sure you remember the passphrase. It is required to access your SSL key when generating the CSR and every time nginx starts or reloads, unless you remove it in Step #5.</p>
<h2>Step #4: Create a certificate signing request (CSR)</h2>
<p>To generate a CSR, enter:<br />
<code># openssl req -new -key self-ssl.key -out self-ssl.csr</code><br />
Sample outputs:</p>
<pre>Enter pass phrase for self-ssl.key: <strong>Type-Your-PassPhrase-Here</strong>
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [XX]:IN
State or Province Name (full name) []:Delhi
Locality Name (eg, city) [Default City]:New Delhi
Organization Name (eg, company) [Default Company Ltd]:nixCraft LTD
Organizational Unit Name (eg, section) []:IT
Common Name (eg, your name or your server's hostname) []:theos.in
Email Address []:webmaster@nixcraft.com 

Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:
An optional company name []:</pre>
<p>The Common Name must be the hostname clients type into the browser, here <kbd>theos.in</kbd>. Leave the challenge password blank; it is a legacy field that CAs ignore. Note that these interactive prompts never ask for a <code>subjectAltName</code> extension, and Chrome 58 and later ignore the Common Name entirely, so a certificate built only from this CSR is reported as not matching the hostname in current browsers. To avoid that, put the hostname in <code>subjectAltName</code> through an OpenSSL configuration file (or, on OpenSSL 1.1.1 and later, the <code>-addext</code> option) and pass the same extensions to the signing step in Step #6 with <code>-extfile</code>, because <code>openssl x509 -req</code> does not copy extensions from the CSR.</p>
<h2>Step #5: Remove passphrase for nginx (optional)</h2>
<p>nginx cannot prompt for a passphrase when it is started at boot, so most setups strip it (nginx 1.7.3 and later can alternatively read it from a file with <code>ssl_password_file</code>, which moves the secret rather than removing it). To remove the passphrase from self-ssl.key for the nginx server, enter:<br />
<code># cp -v self-ssl.{key,original}<br />
# openssl rsa -in self-ssl.original -out self-ssl.key<br />
# rm -v self-ssl.original</code><br />
Sample outputs:</p>
<pre>Enter pass phrase for self-ssl.original: <strong>Type-Your-PassPhrase-Here</strong>
writing RSA key</pre>
<p class="alert">Warning: An unencrypted key is protected only by file permissions. Make sure self-ssl.key is owned by root with mode 0600. The nginx master process runs as root and reads the key at startup, so the unprivileged worker processes, and everyone else, need no access to it.</p>
<h2>Step #6: Create certificate</h2>
<p>Finally, generate the SSL certificate, i.e. sign your own CSR with your own key, valid for one year:<br />
<code># openssl x509 -req -days 365 -in self-ssl.csr -signkey self-ssl.key -out self-ssl.crt</code><br />
Sample outputs:</p>
<pre>Signature ok
subject=/C=IN/ST=Delhi/L=New Delhi/O=nixCraft LTD/OU=IT/CN=theos.in/emailAddress=webmaster@nixcraft.com
Getting Private key</pre>
<p>Consider adding <code>-sha256</code>: older OpenSSL releases default to a SHA-1 signature for this command, and browsers no longer accept SHA-1. The validity period is your choice, but an expired self-signed certificate produces exactly the same browser error as an untrusted one, so record the expiry date somewhere you will see it.</p>
<h2>Step #7: Configure the Certificate for nginx</h2>
<p>Edit <kbd>/etc/nginx/virtual/theos.in.conf</kbd> (make sure nginx.conf includes this directory), enter:<br />
<code># vi /etc/nginx/virtual/theos.in.conf</code><br />
The general syntax is as follows for nginx SSL configuration:</p>
<pre>server {
    #for ipv4
    listen 443 ssl http2;
    #for ipv6
    #listen [::]:443 ssl http2;
    ssl_certificate      /path/to/self-ssl.crt;
    ssl_certificate_key  /path/to/self-ssl.key;
    server_name theos.in;
    location / {
       ....
       ...
       ....
    }
}</pre>
<p>Here is my sample config for theos.in. Note that nginx rejects a directive repeated within the same block (<em>directive is duplicate</em>), so each <code>ssl_*</code> directive appears exactly once, and that the <code>http2</code> parameter needs nginx 1.9.5 or later; drop it on older releases such as the 1.4.3 shown in Step #1.</p>
<pre>server {
    ###########################[Note]##############################
    ## Note: Replace IP and server name as per your actual setup ##
    ###############################################################

    ## IP:Port and server name (remove http2 on nginx older than 1.9.5)
    listen 75.126.153.211:443 ssl http2;
    server_name theos.in;

    ## SSL settings
    ssl_certificate /etc/nginx/ssl/theos.in/self-ssl.crt;
    ssl_certificate_key /etc/nginx/ssl/theos.in/self-ssl.key;

    ## SSL protocols and ciphers
    ## TLSv1 and TLSv1.1 are listed only for legacy clients; remove them if you have none.
    ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
    ## The tail of this list keeps 3DES and non-ECDHE RSA suites for old clients;
    ## trim it to the ECDHE AES-GCM and CHACHA20 suites if you do not need them.
    ssl_ciphers 'ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA:ECDHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-RSA-AES256-SHA256:DHE-RSA-AES256-SHA:ECDHE-ECDSA-DES-CBC3-SHA:ECDHE-RSA-DES-CBC3-SHA:EDH-RSA-DES-CBC3-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:DES-CBC3-SHA:!DSS';
    ssl_prefer_server_ciphers on;

    ## SSL session caching/optimization
    ssl_session_cache shared:SSL:50m;
    ssl_session_timeout 1d;
    ssl_session_tickets off;

    ## SSL log files
    access_log /var/log/nginx/theos.in/ssl_theos.in_access.log;
    error_log /var/log/nginx/theos.in/ssl_theos.in_error.log;

    ## Rest of server config goes here
    location / {
        proxy_set_header        Accept-Encoding   "";
        proxy_set_header        Host              $http_host;
        proxy_set_header        X-Forwarded-By    $server_addr:$server_port;
        proxy_set_header        X-Forwarded-For   $remote_addr;
        proxy_set_header        X-Forwarded-Proto $scheme;
        proxy_set_header        X-Real-IP         $remote_addr;
        proxy_next_upstream error timeout invalid_header http_500 http_502 http_503 http_504;
        ## Hey, ADD YOUR location / specific CONFIG HERE ##

        ## STOP: YOUR location / specific CONFIG HERE ##
    }
}
</pre>
<h2>Step #8: Restart/reload nginx</h2>
<p>Test the configuration first. Type the following command:<br />
<code># /usr/sbin/nginx -t</code><br />
Sample outputs:</p>
<pre>nginx: the configuration file /etc/nginx/nginx.conf syntax is ok
nginx: configuration file /etc/nginx/nginx.conf test is successful</pre>
<p>To <a href="https://www.cyberciti.biz/faq/howto-unix-linux-gracefully-reload-restart-nginx-webserver/" target="_blank" rel="noopener">gracefully restart/reload the nginx server</a>, type one of the following commands:<br />
<code># /etc/init.d/nginx reload</code><br />
OR<br />
<code># /usr/sbin/nginx -s reload</code><br />
OR<br />
<code># service nginx reload</code></p>
<h2>Step #9: Open TCP HTTPS port # 443</h2>
<p>Type the following command to open port # 443 for everyone:<br />
<code># /sbin/iptables -A INPUT -m state --state NEW -p tcp --dport 443 -j ACCEPT</code><br />
Save the new firewall settings:<br />
<code># service iptables save</code><br />
See <a href="https://www.cyberciti.biz/faq/linux-web-server-firewall-tutorial/" target="_blank" rel="noopener">how to setup firewall for a web server</a> for more information.</p>
<h2>Step #10: Test it</h2>
<p>Fire up a browser and type the following URL:</p>
<pre>https://theos.in/</pre>
<p>Sample outputs:</p>
<figure class="wp-caption aligncenter"><a href="https://www.cyberciti.biz/media/new/images/faq/2013/11/self-signed-certificate-warning.png" target="_blank" rel="noopener"><img loading="lazy" decoding="async" class="" src="https://www.cyberciti.biz/media/new/images/faq/2013/11/self-signed-certificate-warning.png" alt="Fig.02: SSL connection is not verified due to self-signed certificate. Click the “Add Exception” button to continue." width="596" height="503" title=""></a><figcaption class="wp-caption-text">Fig.02: SSL connection is not verified due to self-signed certificate. Click the “Add Exception” button to continue.</figcaption></figure>
<p>The warning is expected: nothing in the browser's trust store vouches for your certificate. Before adding an exception, compare the fingerprint the browser shows with the one you print in Step #11; otherwise you are trusting whatever answered on port 443, not necessarily your server.</p>
<h2>Step #11: Verify SSL certificates</h2>
<p>A self-signed certificate is not in the system CA store, so a plain <code>openssl verify self-ssl.crt</code> reports <em>self signed certificate</em> (error 18). You can <a href="https://www.cyberciti.biz/faq/verify-ssl-certificate-openssl/" target="_blank" rel="noopener">verify an SSL certificate with the openssl command</a> by naming the certificate itself as the trust anchor, and print its SHA-256 fingerprint for comparison with what the browser displays:<br />
<code># openssl verify -CAfile pem-file pem-file<br />
# openssl verify -CAfile self-ssl.crt self-ssl.crt<br />
# openssl x509 -noout -fingerprint -sha256 -in self-ssl.crt</code><br />
The verify command should print <code>self-ssl.crt: OK</code>.</p>
<p>Source: <a href="https://www.cyberciti.biz">https://www.cyberciti.biz</a></p>
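<h2>Added example: key, certificate with subjectAltName, and verification in one script</h2>
<p>The script below is an added example and not part of the original article or its author's commands. It performs Steps #3 to #6 in a single <code>openssl req -x509</code> invocation, adds the <code>subjectAltName</code> that current browsers require and the interactive prompts never ask for, writes the key without a passphrase and with mode 0600 (the state after Step #5), and then runs the checks from Step #11. It uses the article's hostname and DN values; the output directory (a temporary directory unless given as the first argument), the extra <code>www.</code> SAN, the 2048-bit key size, the 365-day lifetime and the helper names <code>make_self_signed</code>, <code>verify_self_signed</code> and <code>key_is_private</code> are assumptions. An OpenSSL config file is used instead of <code>-addext</code> so that it also works on the OpenSSL 1.0.x shipped with CentOS/RHEL 6 and 7.</p>

```shell
#!/bin/sh
# Added example for this article (not the original author's commands): do Steps 3 to 6
# in one openssl invocation, adding the subjectAltName that current browsers need,
# then run the Step 11 checks. Assumptions: output directory (a temporary directory
# unless given as $1), the extra www. SAN, 2048-bit RSA, 365 days, and the helper names.
set -eu

# make_self_signed DIR HOST DAYS
# Writes DIR/self-ssl.key (unencrypted, mode 0600, as after Step 5) and DIR/self-ssl.crt.
# A config file is used rather than -addext so this also works on OpenSSL 1.0.x.
make_self_signed() {
    dir=$1; host=$2; days=$3
    mkdir -p "$dir"
    cfg="$dir/self-ssl.cnf"
    # DN values are the article's; x509_extensions is honoured because of -x509.
    # keyUsage is deliberately omitted: some OpenSSL releases will not treat a
    # self-signed certificate as its own issuer when keyUsage lacks keyCertSign.
    cat >"$cfg" <<EOF
[req]
prompt = no
distinguished_name = dn
x509_extensions = v3_server
[dn]
C = IN
ST = Delhi
L = New Delhi
O = nixCraft LTD
OU = IT
CN = $host
[v3_server]
basicConstraints = CA:FALSE
extendedKeyUsage = serverAuth
subjectAltName = DNS:$host,DNS:www.$host
EOF
    # umask 077 in a subshell: the key file is never world-readable, not even briefly.
    ( umask 077
      openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days "$days" \
          -config "$cfg" -keyout "$dir/self-ssl.key" -out "$dir/self-ssl.crt" )
    chmod 0600 "$dir/self-ssl.key"
    chmod 0644 "$dir/self-ssl.crt"   # the certificate itself is public
    rm -f "$cfg"
}

# verify_self_signed DIR HOST
# Returns 0 only if the certificate validates with itself as trust anchor, matches
# the private key, and lists HOST in subjectAltName (Chrome 58+ ignores the CN).
verify_self_signed() {
    dir=$1; host=$2; crt="$dir/self-ssl.crt"
    # A plain 'openssl verify self-ssl.crt' reports "self signed certificate": nothing
    # in the system store signed it. Name the certificate itself as the CA instead.
    openssl verify -CAfile "$crt" "$crt" 2>/dev/null | grep -q ': OK$' || return 1
    # Key and certificate must carry the same RSA modulus.
    key_mod=$(openssl rsa -noout -modulus -in "$dir/self-ssl.key" 2>/dev/null)
    crt_mod=$(openssl x509 -noout -modulus -in "$crt" 2>/dev/null)
    [ -n "$key_mod" ] && [ "$key_mod" = "$crt_mod" ] || return 1
    openssl x509 -noout -text -in "$crt" | grep -qF "DNS:$host" || return 1
}

# key_is_private DIR: the unencrypted key must be exactly mode 0600.
key_is_private() {
    [ -n "$(find "$1/self-ssl.key" -perm 0600 -print 2>/dev/null)" ]
}

# Stand-alone usage: sh make-self-ssl.sh [/etc/nginx/ssl/theos.in]
main() {
    out=${1:-$(mktemp -d)}
    make_self_signed "$out" theos.in 365
    verify_self_signed "$out" theos.in && key_is_private "$out" || {
        echo "certificate in $out failed verification" >&2; exit 1; }
    echo "key:  $out/self-ssl.key"
    echo "cert: $out/self-ssl.crt"
    # Subject, validity window and the fingerprint to compare with the browser dialog.
    openssl x509 -noout -subject -dates -fingerprint -sha256 -in "$out/self-ssl.crt"
}
main "${1:-}"
```

<p>Run it as root with the directory from the sample setup as the argument to produce the two files Step #7 points nginx at; without an argument it writes into a fresh temporary directory, which is convenient for a dry run. The SAN check is what a CN-only certificate fails, and the modulus comparison catches the common mistake of copying a regenerated key next to an old certificate.</p>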