Make A Self-signed SSL certificate
    cd /etc/nginx
    openssl req -new -x509 -nodes -out server.crt -keyout server.key
    chmod 600 server.key
Example Configuration Part
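    # "ssl on;" is obsolete since nginx 1.15.0 and was removed in 1.25.1;
    # on newer versions use the ssl parameter of the listen directive instead.
    ssl on;
    ssl_certificate /etc/nginx/server.crt;
    ssl_certificate_key /etc/nginx/server.key;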
As A Force-HTTPS Reverse Proxy
    proxy_redirect http:// $scheme://;
    proxy_set_header X-Forwarded-Proto $scheme;
    proxy_set_header X-Scheme $scheme;
Verify A CRT Matches A KEY
    openssl x509 -noout -modulus -in server.crt | openssl md5
    openssl rsa -noout -modulus -in server.key | openssl md5
If the two outputs are not the same, the certificate and key do not match and will not work on Nginx.
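The modulus comparison above only works for RSA keys. As an added example (not part of the original page), this script compares the full public key instead, so the same check also covers EC keys and CSRs; the function names, file names and the demo.invalid subject are illustrative assumptions.

```shell
#!/bin/sh
# Added example, not from the original page. Function names are illustrative.

# Public key (PEM SubjectPublicKeyInfo) of a certificate, a CSR, or a private
# key. "openssl pkey" reads RSA and EC keys alike, unlike "openssl rsa".
pub_of_cert() { openssl x509 -in "$1" -noout -pubkey 2>/dev/null; }
pub_of_csr()  { openssl req  -in "$1" -noout -pubkey 2>/dev/null; }
pub_of_key()  { openssl pkey -in "$1" -pubout 2>/dev/null; }

# same_pubkey KIND FILE KEYFILE   (KIND is "cert" or "csr")
# Exit status: 0 = match, 1 = mismatch, 2 = an input could not be read.
# Empty output counts as an error so two unreadable files never "match".
same_pubkey() (
    case $1 in cert|csr) ;; *) exit 2 ;; esac
    a=$("pub_of_$1" "$2") && [ -n "$a" ] || exit 2
    b=$(pub_of_key "$3") && [ -n "$b" ] || exit 2
    [ "$a" = "$b" ]
)

# Constructed sample input: throwaway self-signed RSA and EC pairs plus an
# EC CSR, written into directory $1 (demo.invalid is a placeholder name).
make_demo_pairs() (
    umask 077                       # private keys readable by owner only
    cd "$1" || exit 2
    openssl req -new -x509 -nodes -newkey rsa:2048 -subj "/CN=demo.invalid" \
        -out rsa.crt -keyout rsa.key 2>/dev/null &&
    openssl ecparam -genkey -name prime256v1 -noout -out ec.key 2>/dev/null &&
    openssl req -new -x509 -key ec.key -subj "/CN=demo.invalid" \
        -out ec.crt 2>/dev/null &&
    openssl req -new -key ec.key -subj "/CN=demo.invalid" -out ec.csr 2>/dev/null
)

# Usage: sh check_pair.sh cert|csr FILE KEYFILE
if [ "$#" -eq 3 ]; then
    same_pubkey "$@"
fi
```

Running it as a pre-reload check (for example `same_pubkey cert server.crt server.key`) catches a mismatched pair before Nginx refuses to start.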
Generating a Certificate Signing Request (CSR)
    openssl req -new -newkey rsa:2048 -nodes -keyout $DOMAIN.key -out $DOMAIN.csr
- Country Code: The two-letter International Organization for Standardization (ISO-) format country code for the country in which your organization is legally registered.
- State/Province: Name of state, province, region, territory where your organization is located. Please enter the full name. Do not abbreviate.
- City/Locality: Name of the city/locality in which your organization is registered/located. Please spell out the name of the city/locality. Do not abbreviate.
- Organization: The name under which your business is legally registered. The listed organization must be the legal registrant of the domain name in the certificate request. If you are enrolling as a small business/sole proprietor, please enter the certificate requester's name in the "Organization" field, and the DBA (doing business as) name in the "Organizational Unit" field.
- Organizational Unit: Optional. Use this field to differentiate between divisions within an organization. For example, "Engineering" or "Human Resources." If applicable, you may enter the DBA (doing business as) name in this field.
- Common name: The name entered in the "CN" (common name) field of the CSR MUST be the fully-qualified domain name for the website you will be using the certificate for (e.g., "www.domainnamegoeshere.com"). Do not include the "http://" or "https://" prefixes in your common name. Do NOT enter your personal name in this field.
If you are requesting a Wild Card certificate, please add an asterisk (*) on the left side of the common name (e.g., "*.domainnamegoeshere.com"). This will secure all subdomains of the common name.
NOTE: If you enter "www.domainnamegoeshere.com" as the Common Name in your certificate signing request, the certificate will secure both "www.domainnamegoeshere.com" and "domainnamegoeshere.com." And vice versa.