How to Create an SSL Certificate on Nginx for Ubuntu 12.04

Introduction

Self-signed certificates are useful for securing the information exchanged between a web server and its users. The connection is secured by encrypting the site's traffic, which makes it difficult for an unauthorized person to read that information. An SSL certificate also presents the virtual private server's identification information to site visitors.

This tutorial will guide you through creating and installing a self-signed certificate on Nginx for Ubuntu 12.04.

Initial Set Up

This tutorial requires a user with root privileges. Please refer to this tutorial for guidance on server set up and privileges for users.

Before creating the SSL certificate, you need to have Nginx installed on your VPS. If it is not installed, you can install it with the following command:

sudo apt-get install nginx

 

Create a Directory for SSL Certificate

The SSL setup consists of two things: the server key and the certificate itself. You have to create a new directory to store the server key and certificate. Use this command to create the directory:

sudo mkdir /etc/nginx/ssl

Now, change to the new directory to perform the remaining steps.

cd /etc/nginx/ssl

 

Create Server Key and Certificate Signing Request

Here we are going to create the private server key. I will be using 1024 for simplicity. You can use any size key you wish.

You will have to enter a passphrase. The “-des3” option encrypts the key, which is why a passphrase is required, for heightened security. Make sure you make a note of this passphrase, as it will be required for accessing the key.

sudo openssl genrsa -des3 -out server.key 1024

Now, create the certificate signing request:

sudo openssl req -new -key server.key -out server.csr

You will be prompted for a series of fields at your command prompt. Fill them in as required. Enter your domain name or your site’s IP address for ‘Common Name’.

Your terminal screen should look similar to this:

You are about to be asked to enter information that will be incorporated into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank. 
For some fields there will be a default value,
If you enter '.', the field will be left blank.

-----

Country Name (2 letter code) [AU]:US
State or Province Name (full name) [Some-State]:StateName
Locality Name (eg, city) []:CityName
Organization Name (eg, company) [Internet Widgits Pty Ltd]:CompanyName
Organizational Unit Name (eg, section) []:OrganizationName
Common Name (e.g. server FQDN or YOUR name) []:example.com                 
Email Address []:[email protected]

 

Removal of Passphrase

Now, let’s remove the passphrase using the following commands:

sudo cp server.key server.key.org
sudo openssl rsa -in server.key.org -out server.key

If Nginx crashes or needs to reboot, you will have to re-enter the passphrase to get your web server back online. For this reason, you will want to remove the passphrase even though it provides security.

 

Setting Up the Certificate

Now, let’s proceed to signing your certificate. You can specify the validity of the certificate by changing the 365 days to your preference. With the value shown, it expires after one year.

sudo openssl x509 -req -days 365 -in server.csr -signkey server.key -out server.crt

The self-signed SSL certificate and server key will be created and placed in the newly created directory.

Now, you need to set up the virtual host to serve the new certificate. To do that, we will create a new file with the same default text and layout as the standard virtual host file.

sudo cp /etc/nginx/sites-available/default /etc/nginx/sites-available/example

I have named it ‘example’ in this tutorial. You can replace it with a name of your choice.

Open up that new file:

sudo nano /etc/nginx/sites-available/example

Search for the ‘# HTTPS server’ section in the file. The lines under ‘HTTPS Server’ have to be uncommented. Also make the necessary changes to the config file so that it matches your domain name or IP address. The config file should look something like this:

 

# HTTPS server 
server {
        listen 443;
        server_name example.com;
        root /usr/share/nginx/www;
        index index.html index.htm;
        ssl on;
        ssl_certificate /etc/nginx/ssl/server.crt;
        ssl_certificate_key /etc/nginx/ssl/server.key;
}

Also, make sure that the following two lines are commented out at the beginning of the file:

# Make site accessible from http://localhost/
# server_name localhost;

 

Activate the New Virtual Host

In this last step, activate the host by creating a symbolic link from the sites-available directory into the sites-enabled directory.

sudo ln -s /etc/nginx/sites-available/example /etc/nginx/sites-enabled/example

Now, you need to restart Nginx so that it loads the new configuration:

sudo service nginx restart

You are done.

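Verify by typing https://youraddress in your browser to view the created certificate. Because the certificate is self-signed rather than issued by a certificate authority, the browser will warn that it is not trusted before showing the site.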
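
The script below is an added example, not part of the original tutorial. It repeats the three openssl steps non-interactively in a temporary directory, then checks what an administrator would want to confirm before trusting the result: the key matches the certificate, the certificate is self-signed, the passphrase-free key is not readable by group or others, and the certificate is not about to expire. The function names, the example.com subject and the 2048-bit key size (in place of the tutorial's 1024) are assumptions made for the demonstration.

```bash
# Added example, not from the original tutorial. Function names, the subject
# and the 2048-bit key size are assumptions made for this demonstration.

# Create a throwaway key, CSR and self-signed certificate in directory $1 with
# the tutorial's three openssl steps, run non-interactively (-subj, no -des3).
make_pair() {
    openssl genrsa -out "$1/server.key" 2048 2>/dev/null &&
    openssl req -new -key "$1/server.key" -subj "/CN=example.com" \
        -out "$1/server.csr" 2>/dev/null &&
    openssl x509 -req -days 365 -in "$1/server.csr" \
        -signkey "$1/server.key" -out "$1/server.crt" 2>/dev/null
}

# Succeed when certificate $2 was issued for private key $1 (same RSA modulus).
# "-passin pass:" supplies an empty passphrase so nothing prompts.
key_matches_cert() {
    local k c
    k=$(openssl rsa -in "$1" -passin pass: -noout -modulus 2>/dev/null) || return 1
    c=$(openssl x509 -in "$2" -noout -modulus 2>/dev/null) || return 1
    [ -n "$k" ] && [ "$k" = "$c" ]
}

# Succeed when issuer and subject are identical, i.e. no CA vouches for it.
is_self_signed() {
    local s i
    s=$(openssl x509 -in "$1" -noout -subject) || return 1
    i=$(openssl x509 -in "$1" -noout -issuer) || return 1
    [ "${s#subject=}" = "${i#issuer=}" ]
}

# Succeed when group and others have no permission bits on key file $1.
key_is_private() {
    [ "$(ls -l "$1" | cut -c5-10)" = "------" ]
}

# Succeed when certificate $1 is still valid $2 days from now.
valid_for_days() {
    openssl x509 -in "$1" -noout -checkend $(( $2 * 86400 )) >/dev/null
}

demo() {
    local d; d=$(mktemp -d) || return 1
    make_pair "$d" && chmod 600 "$d/server.key" || { rm -rf "$d"; return 1; }
    key_matches_cert "$d/server.key" "$d/server.crt" && echo "key matches certificate"
    is_self_signed "$d/server.crt" && echo "certificate is self-signed"
    key_is_private "$d/server.key" && echo "key is private to its owner"
    valid_for_days "$d/server.crt" 30 && echo "valid for at least 30 more days"
    rm -rf "$d"
}
demo
```

On the server itself, the same functions can be pointed at /etc/nginx/ssl/server.key and /etc/nginx/ssl/server.crt; a failing key_is_private there means the unencrypted key should be restricted with chmod 600.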
