How to create self-signed ssl certificate for nginx (Apple Mac) [2021 tutorial]

I believe this question has bugged many of you, and you have spent dozens of minutes googling until you found that one tutorial.

And guess what. I did the same. I found a perfect tutorial (I will put a link below the article) and wanted to update it so that it is easier to read and to apply to a custom nginx vhost.

So here it goes!

Prerequisites:

Guide

1. Generate a certificate and a key

openssl req -x509 -nodes -days 365 -newkey rsa:2048 -keyout /usr/local/etc/nginx/ssl/myhost.key -out /usr/local/etc/nginx/ssl/myhost.crt

A couple of thoughts on that:

  • you can put them (*.key and *.crt) in any directory you want
  • you can name them (*.key and *.crt) however you want

Just to keep things clean, I recommend storing the SSL files inside a newly created directory named ssl inside your nginx folder (create it first with mkdir -p /usr/local/etc/nginx/ssl, otherwise openssl cannot write the key and certificate there).

2. Generate a Diffie-Hellman parameter file (the "cipher file")

openssl dhparam -out /usr/local/etc/nginx/ssl/dhparam.pem 2048

3. Generate configuration settings file

Fire up the text editor in your terminal, create a file named ssl-params.conf in the same ssl directory (the server block in step 4 includes it from /usr/local/etc/nginx/ssl/ssl-params.conf), and paste in the contents below:

# from https://cipherli.st/
# and https://raymii.org/s/tutorials/Strong_SSL_Security_On_nginx.html

# TLSv1 and TLSv1.1 are deprecated (RFC 8996); drop them and add TLSv1.3 if your
# nginx/OpenSSL build supports it, e.g. "ssl_protocols TLSv1.2 TLSv1.3;".
ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
ssl_prefer_server_ciphers on;
ssl_ciphers "EECDH+AESGCM:EDH+AESGCM:AES256+EECDH:AES256+EDH";
ssl_ecdh_curve secp384r1;
ssl_session_cache shared:SSL:10m;
ssl_session_tickets off;
# OCSP stapling is left off: a self-signed certificate has no OCSP responder.
#ssl_stapling on;
#ssl_stapling_verify on;
# The resolver is only used for stapling, so these two lines are inert here.
resolver 8.8.8.8 8.8.4.4 valid=300s;
resolver_timeout 5s;
# Disable preloading HSTS for now.  You can use the commented out header line that includes
# the "preload" directive if you understand the implications.
#add_header Strict-Transport-Security "max-age=63072000; includeSubdomains; preload";
#add_header Strict-Transport-Security "max-age=63072000; includeSubdomains";
add_header X-Frame-Options DENY;
add_header X-Content-Type-Options nosniff;

# Path to the Diffie-Hellman parameters generated in step 2.
ssl_dhparam /usr/local/etc/nginx/ssl/dhparam.pem;

A couple of thoughts on that:

  • you may want to remove the add_header declarations if you specifically don’t want those headers sent
  • pay attention to the last line: the path must point to the dhparam.pem file we generated in step 2

That’s it. This file is generic and only needs to be included from each vhost that serves HTTPS.

4. Include everything created above into the nginx configuration

In the steps above, we generated 3 files that the vhost references directly (dhparam.pem is pulled in by ssl-params.conf):

  • myhost.crt
  • myhost.key
  • ssl-params.conf

Now’s the time to include those files into our nginx configuration.

Those files are to be included within the server {} configuration, for example:

server {
    listen 443 ssl;
    server_name myhost.com;

    ssl_certificate /usr/local/etc/nginx/ssl/myhost.crt;
    ssl_certificate_key /usr/local/etc/nginx/ssl/myhost.key;

    include /usr/local/etc/nginx/ssl/ssl-params.conf;
}
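The one-line openssl command in step 1 prompts for the subject interactively and produces a certificate with no subjectAltName, which Chrome (it ignores the CN) and recent macOS versions (which also cap validity at 825 days) will not accept even after the Keychain import below. The following is an added example, not part of the original tutorial: it generates the key and certificate non-interactively with a SAN using a config file (so it works with both OpenSSL and the LibreSSL bundled with macOS), then checks that the SAN is present and that the key matches the certificate. The host name myhost.local and the target directory are placeholders.

```shell
#!/bin/sh
# Added example, not part of the original tutorial. Generates the key and
# certificate from step 1 non-interactively with a subjectAltName, then
# checks the result. "myhost.local" and the target directory are placeholders.
set -eu

# Write key + self-signed cert for HOST into DIR. The SAN is required by
# Chrome (it ignores the CN) and by recent macOS before the cert can be
# trusted; 365 days stays under Apple's 825-day limit. Portable across
# OpenSSL and the LibreSSL shipped with macOS (no -addext needed).
gen_self_signed() {
  dir=$1; host=$2
  mkdir -p "$dir"
  cat > "$dir/$host.cnf" <<EOF
[req]
distinguished_name = dn
x509_extensions = v3_server
prompt = no
[dn]
CN = $host
[v3_server]
subjectAltName = DNS:$host, DNS:localhost, IP:127.0.0.1
extendedKeyUsage = serverAuth
basicConstraints = CA:FALSE
EOF
  openssl req -x509 -nodes -days 365 -newkey rsa:2048 \
    -config "$dir/$host.cnf" \
    -keyout "$dir/$host.key" -out "$dir/$host.crt" 2>/dev/null
  chmod 600 "$dir/$host.key"   # private key readable by the owner only
}

# Print "ok" if CERT carries a DNS SAN entry for HOST, "missing" otherwise.
cert_has_san() {
  if openssl x509 -in "$1" -noout -text | grep -q "DNS:$2"; then
    echo ok
  else
    echo missing
  fi
}

# Print "ok" if CERT and KEY belong together (same public key), else "mismatch".
# Useful when nginx refuses to start with a key/cert mismatch error.
cert_matches_key() {
  c=$(openssl x509 -in "$1" -noout -pubkey | openssl sha256)
  k=$(openssl pkey -in "$2" -pubout | openssl sha256)
  if [ "$c" = "$k" ]; then echo ok; else echo mismatch; fi
}
```

Call gen_self_signed /usr/local/etc/nginx/ssl myhost.local to drop the files where the server block above expects them, then point ssl_certificate and ssl_certificate_key at the .crt and .key it produced.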

Moving on

That’s it. By doing so you will have generated a self-signed SSL certificate on your local computer.

It may happen that the web browser throws an error saying that your connection is not secure. You can happily ignore that, because you know you don’t care much about the validity of your self-signed certificate.

BUT. The latest Apple Mac operating systems block self-signed certificates by default, and you will be unable to access the website (for example from Google Chrome).

And to remedy this you need to import the newly self-signed ssl certificate into your keychain.

  1. find the newly generated myhost.crt file and double-click it (or, when working from the terminal, run open myhost.crt, which opens the file the same way)
  2. it will be opened by Keychain Access, into which you will want to add this certificate
  3. when asked which keychain to add the certificate to (“login”, “System”, or a third option), select System
  4. then, after it has been added, find the newly imported certificate in the keychain and double-click it
  5. find the “Trust” section and from the option list select “Always Trust”

Now just restart the chrome browser and it should work!

Closing remarks

Generating a self-signed certificate is pretty easy. As a rule of thumb, you just need to generate the certificate and key file plus the DH parameter file, and include them in the vhost.

The hardest thing is to find the correct combination of:

  • your operating system
  • the web server you are running (apple+apache, apple+nginx, windows+nginx, linux+apache,…etc)

Also, self-signed certificates are a great way to work with OAuth2 on localhost, since most of the time you need to register the redirect_uri in its HTTPS version.

Until next time,

Yours in coding,

Ivan

Source:

Credits:
