
@clemlatz
Last active January 3, 2025 23:24

Revisions

  1. clemlatz revised this gist Jan 28, 2020. 1 changed file with 1 addition and 1 deletion.
    2 changes: 1 addition & 1 deletion self-signed-ssl-certificate.md
    Original file line number Diff line number Diff line change
    @@ -10,7 +10,7 @@ Create a strong Diffie-Hellman group:

    Create a new configuration snippet file for Nginx:

    $ sudo nano /etc/nginx/snippets/self-signed.conf
    $ sudo vim /etc/nginx/snippets/self-signed.conf

    Add:
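
    Review bot: the only change here is nano to vim on the `self-signed.conf` step, which makes it consistent with the `ssl-params.conf` step that already uses vim; since the editor is incidental to the procedure, consider phrasing both steps as "open `/etc/nginx/snippets/self-signed.conf` in your editor" so the instruction does not depend on a particular tool being installed.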

  2. clemlatz revised this gist Dec 15, 2016. 1 changed file with 12 additions and 0 deletions.
    12 changes: 12 additions & 0 deletions self-signed-ssl-certificate.md
    @@ -45,6 +45,18 @@ Add:

    ssl_dhparam /etc/ssl/certs/dhparam.pem;

    Configure Nginx site to use certificate:

    server {

    listen 443 ssl;
    server_name example.com;
    include snippets/self-signed.conf;
    include snippets/ssl-params.conf;

    #...
    }


    # 2. Configure computer: macOS
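
    Review bot: the new `server` block is missing the follow-up that makes it take effect: after adding `include snippets/self-signed.conf;` and `include snippets/ssl-params.conf;` the reader needs to validate and reload the configuration (e.g. `sudo nginx -t && sudo systemctl reload nginx`), otherwise the macOS section that follows trusts a certificate the server is not yet serving. Also state that `server_name example.com;` is a placeholder that must match the Common Name entered when the certificate was generated, or the browser still reports a hostname mismatch after the certificate is trusted.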

  3. clemlatz revised this gist Dec 6, 2016. 1 changed file with 3 additions and 3 deletions.
    6 changes: 3 additions & 3 deletions self-signed-ssl-certificate.md
    @@ -56,10 +56,10 @@ Open the file with the Keychain Access utility:

    $ open cert.crt

    1. Add the certificate to the System keychain (not login). Authenticate.
    2. After it has been added, double-click it. You may have to authenticate again.
    1. Add the certificate to the System keychain (not login), authenticate.
    2. After it has been added, double-click it, authenticate again.
    3. Expand the "Trust" section.
    4. "When using this certificate," set to "Always Trust"
    4. Set "When using this certificate" to "Always Trust"

    That's it! Close Keychain Access and restart Chrome, and your self-signed certificate should be recognized now by the browser.
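
    Review bot: step 4 sets the top-level "When using this certificate" to "Always Trust", which trusts this self-signed certificate for every purpose the keychain knows about, not only TLS. For least privilege, suggest leaving the top-level setting at its default and changing only the "Secure Sockets Layer (SSL)" entry under the Trust section to "Always Trust"; the browser result described in the closing sentence is the same, and the certificate cannot be used for anything else.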

  4. clemlatz revised this gist Dec 6, 2016. 1 changed file with 22 additions and 7 deletions.
    29 changes: 22 additions & 7 deletions self-signed-ssl-certificate.md
    @@ -1,27 +1,27 @@
    # 1. Configure server: Nginx

    1. Create the certificate:
    Create the certificate:

    $ sudo openssl req -x509 -nodes -days 365 -newkey rsa:2048 -keyout /etc/ssl/private/nginx-selfsigned.key -out /etc/ssl/certs/nginx-selfsigned.crt

    2. Create a strong Diffie-Hellman group:
    Create a strong Diffie-Hellman group:

    $ sudo openssl dhparam -out /etc/ssl/certs/dhparam.pem 2048

    3. Create a new configuration snippet file for Nginx:
    Create a new configuration snippet file for Nginx:

    $ sudo nano /etc/nginx/snippets/self-signed.conf

    3. Add:
    Add:

    ssl_certificate /etc/ssl/certs/nginx-selfsigned.crt;
    ssl_certificate_key /etc/ssl/private/nginx-selfsigned.key;

    4. Create a configuration snippet with strong encryption settings:
    Create a configuration snippet with strong encryption settings:

    $ sudo vim /etc/nginx/snippets/ssl-params.conf

    5. Add:
    Add:

    # from https://cipherli.st/
    # and https://raymii.org/s/tutorials/Strong_SSL_Security_On_nginx.html
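
    Review bot: dropping the numbers fixes the duplicated "3." (both "Create a new configuration snippet file for Nginx" and the following "Add:" were numbered 3), but the certificate step still does not document the interactive prompts: `openssl req` without `-subj` asks for Country, Organization, Common Name and so on, and the Common Name must be the hostname the browser will visit. Suggest adding a line such as "when prompted for Common Name, enter the server's hostname", or a `-subj "/CN=<hostname>"` argument, so the step is reproducible.
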
    @@ -48,7 +48,22 @@

    # 2. Configure computer: macOS

    1. From local computer, download certificate:
    From local computer, download the certificate:

    $ scp user@host:/etc/ssl/certs/nginx-selfsigned.crt ~/cert.crt

    Open the file with the Keychain Access utility:

    $ open cert.crt

    1. Add the certificate to the System keychain (not login). Authenticate.
    2. After it has been added, double-click it. You may have to authenticate again.
    3. Expand the "Trust" section.
    4. "When using this certificate," set to "Always Trust"

    That's it! Close Keychain Access and restart Chrome, and your self-signed certificate should be recognized now by the browser.


    Sources :
    * https://www.digitalocean.com/community/tutorials/how-to-create-a-self-signed-ssl-certificate-for-nginx-in-ubuntu-16-04
    * http://www.robpeck.com/2010/10/google-chrome-mac-os-x-and-self-signed-ssl-certificates/#.WEbrS6LhB-g
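
    Review bot: between the `scp` download and adding the file to the System keychain there is no verification step; the reader is about to trust this certificate system-wide, so suggest comparing its fingerprint on both ends first (`openssl x509 -in cert.crt -noout -fingerprint -sha256` on the laptop against the same command on the server's copy). Style: "Sources :" has a stray space before the colon, and the list would read better under a "Sources" heading in the same `#` style as the two sections above it.
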
  5. clemlatz revised this gist Dec 6, 2016. 1 changed file with 11 additions and 6 deletions.
    17 changes: 11 additions & 6 deletions self-signed-ssl-certificate.md
    @@ -1,27 +1,27 @@
    # 1. Configure server: Nginx

    Create the certificate:
    1. Create the certificate:

    $ sudo openssl req -x509 -nodes -days 365 -newkey rsa:2048 -keyout /etc/ssl/private/nginx-selfsigned.key -out /etc/ssl/certs/nginx-selfsigned.crt

    Create a strong Diffie-Hellman group:
    2. Create a strong Diffie-Hellman group:

    $ sudo openssl dhparam -out /etc/ssl/certs/dhparam.pem 2048

    Create a new configuration snippet file for Nginx:
    3. Create a new configuration snippet file for Nginx:

    $ sudo nano /etc/nginx/snippets/self-signed.conf

    And add:
    3. Add:

    ssl_certificate /etc/ssl/certs/nginx-selfsigned.crt;
    ssl_certificate_key /etc/ssl/private/nginx-selfsigned.key;

    Create a configuration snippet with strong encryption settings:
    4. Create a configuration snippet with strong encryption settings:

    $ sudo vim /etc/nginx/snippets/ssl-params.conf

    And add:
    5. Add:

    # from https://cipherli.st/
    # and https://raymii.org/s/tutorials/Strong_SSL_Security_On_nginx.html
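
    Review bot: the numbering added in this hunk is off: "Create a new configuration snippet file for Nginx" and the following "Add:" are both numbered 3, so the list reads 1, 2, 3, 3, 4, 5. Either number the "Add:" lines 4 and 6 and renumber the rest, or keep numbers on the action steps only, since "Add:" continues the preceding step rather than being a step of its own.
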
    @@ -47,3 +47,8 @@ And add:


    # 2. Configure computer: macOS

    1. From local computer, download certificate:

    $ scp user@host:/etc/ssl/certs/nginx-selfsigned.crt ~/cert.crt
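
    Review bot: the macOS section opens with a `scp` of the `.crt` only, which is correct and deserves a sentence: the public certificate is the only file that should leave the server, while the key written to `/etc/ssl/private/nginx-selfsigned.key` in the step above stays where it is. Also mark `user@host` as a placeholder the reader fills in.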

  6. clemlatz revised this gist Dec 6, 2016. 1 changed file with 3 additions and 1 deletion.
    4 changes: 3 additions & 1 deletion self-signed-ssl-certificate.md
    @@ -1,3 +1,5 @@
    # 1. Configure server: Nginx

    Create the certificate:

    $ sudo openssl req -x509 -nodes -days 365 -newkey rsa:2048 -keyout /etc/ssl/private/nginx-selfsigned.key -out /etc/ssl/certs/nginx-selfsigned.crt
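
    Review bot: the heading makes the structure clearer, but the step under it still leaves `-days 365` unexplained: the certificate expires one year after creation, at which point the browser rejects it again even though the client keychain trusts it. Suggest a short note on the expiry and that regenerating the certificate means repeating the client-side trust steps for the new one.
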
    @@ -44,4 +46,4 @@ And add:
    ssl_dhparam /etc/ssl/certs/dhparam.pem;


    # 2. Configure computer: macOS
  7. clemlatz revised this gist Dec 6, 2016. 1 changed file with 44 additions and 4 deletions.
    48 changes: 44 additions & 4 deletions self-signed-ssl-certificate.md
    @@ -1,7 +1,47 @@
    Create the certificate :
    Create the certificate:

    sudo openssl req -x509 -nodes -days 365 -newkey rsa:2048 -keyout /etc/ssl/private/nginx-selfsigned.key -out /etc/ssl/certs/nginx-selfsigned.crt
    $ sudo openssl req -x509 -nodes -days 365 -newkey rsa:2048 -keyout /etc/ssl/private/nginx-selfsigned.key -out /etc/ssl/certs/nginx-selfsigned.crt

    Create a strong Diffie-Hellman group :
    Create a strong Diffie-Hellman group:

    sudo openssl dhparam -out /etc/ssl/certs/dhparam.pem 2048
    $ sudo openssl dhparam -out /etc/ssl/certs/dhparam.pem 2048

    Create a new configuration snippet file for Nginx:

    $ sudo nano /etc/nginx/snippets/self-signed.conf

    And add:

    ssl_certificate /etc/ssl/certs/nginx-selfsigned.crt;
    ssl_certificate_key /etc/ssl/private/nginx-selfsigned.key;

    Create a configuration snippet with strong encryption settings:

    $ sudo vim /etc/nginx/snippets/ssl-params.conf

    And add:

    # from https://cipherli.st/
    # and https://raymii.org/s/tutorials/Strong_SSL_Security_On_nginx.html

    ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
    ssl_prefer_server_ciphers on;
    ssl_ciphers "EECDH+AESGCM:EDH+AESGCM:AES256+EECDH:AES256+EDH";
    ssl_ecdh_curve secp384r1;
    ssl_session_cache shared:SSL:10m;
    ssl_session_tickets off;
    #ssl_stapling on;
    #ssl_stapling_verify on;
    resolver 8.8.8.8 8.8.4.4 valid=300s;
    resolver_timeout 5s;
    # Disable preloading HSTS for now. You can use the commented out header line that includes
    # the "preload" directive if you understand the implications.
    #add_header Strict-Transport-Security "max-age=63072000; includeSubdomains; preload";
    #add_header Strict-Transport-Security "max-age=63072000; includeSubdomains";
    add_header X-Frame-Options DENY;
    add_header X-Content-Type-Options nosniff;

    ssl_dhparam /etc/ssl/certs/dhparam.pem;
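
    Review bot: `ssl_protocols TLSv1 TLSv1.1 TLSv1.2;` keeps TLS 1.0 and 1.1 enabled, which are deprecated and undercut the "strong encryption settings" this snippet is meant to provide; suggest `ssl_protocols TLSv1.2 TLSv1.3;` (drop TLSv1.3 on an nginx/OpenSSL too old to support it). Two smaller points: `resolver 8.8.8.8 8.8.4.4 valid=300s;` and `resolver_timeout 5s;` only serve the commented-out `ssl_stapling` lines, and stapling cannot work for a self-signed certificate that has no OCSP responder, so those four lines can be removed; and nginx `add_header` directives are not inherited into any `location` block that declares its own `add_header`, so the `X-Frame-Options` and `X-Content-Type-Options` headers silently disappear in such locations unless the snippet is included there as well.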



  8. clemlatz renamed this gist Dec 6, 2016. 1 changed file with 4 additions and 3 deletions.
    7 changes: 4 additions & 3 deletions self-signed-ssl.md → self-signed-ssl-certificate.md
    @@ -1,6 +1,7 @@

    Create the certificate :

    sudo openssl req -x509 -nodes -days 365 -newkey rsa:2048 -keyout /etc/ssl/private/nginx-selfsigned.key -out /etc/ssl/certs/nginx-selfsigned.crt



    Create a strong Diffie-Hellman group :

    sudo openssl dhparam -out /etc/ssl/certs/dhparam.pem 2048
  9. clemlatz created this gist Dec 6, 2016.
    6 changes: 6 additions & 0 deletions self-signed-ssl.md
    @@ -0,0 +1,6 @@

    Create the certificate :

    sudo openssl req -x509 -nodes -days 365 -newkey rsa:2048 -keyout /etc/ssl/private/nginx-selfsigned.key -out /etc/ssl/certs/nginx-selfsigned.crt
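
    Review bot: `-nodes` writes the private key to `/etc/ssl/private/nginx-selfsigned.key` without a passphrase, which is the right choice for a key nginx must read at startup, but it means file permissions are the only protection; the gist should say so and add a check that the key is owned by root and not readable by other users (`sudo ls -l /etc/ssl/private/nginx-selfsigned.key`, expecting mode `600`). Also, this command line lacks the `$` prompt prefix that later revisions add.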