Create self-signed SSL Certificate using openssl

1. Create Certificate Authority

  • create the CA private key (-des3 encrypts it with a passphrase; keep this key offline, because every client that trusts myrootCA.pem will trust anything signed with it)
openssl genrsa -des3 -out myrootCA.key 2048

  • create the self-signed root certificate (valid for 1825 days, SHA-256)
openssl req -x509 -new -nodes -key myrootCA.key -sha256 -days 1825 -out myrootCA.pem

2. Create a certificate signed by the CA

  • generate the server private key (left unencrypted so Nginx can load it without a passphrase)
openssl genrsa -out test.local.key 2048

  • generate the CSR
openssl req -new -key test.local.key -out test.local.csr

  • create an extension file that defines the Subject Alternative Name (SAN) entries for this certificate (modern browsers match the hostname against the SAN, not the CN), for example with nano:
nano test.local.ext
authorityKeyIdentifier=keyid,issuer
basicConstraints=CA:FALSE
keyUsage = digitalSignature, nonRepudiation, keyEncipherment, dataEncipherment
subjectAltName = @alt_names

[alt_names]
DNS.1 = test.local
DNS.2 = *.test.local

  • create the certificate, signing the CSR with the CA key and applying the extensions above (valid for 1825 days, SHA-256)
openssl x509 -req -in test.local.csr -CA myrootCA.pem -CAkey myrootCA.key -CAcreateserial -out test.local.crt -days 1825 -sha256 -extfile test.local.ext
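Steps 1 and 2 run end to end, as an added example that is not from the original post, followed by the checks worth making before the files go into Nginx: the leaf verifies against the root, is not itself a CA, carries both SAN entries, and matches its private key. Assumed: the names are placeholders, the CA passphrase comes from CA_PASS, and all files are written to WORK (a temp directory by default).

```shell
#!/bin/sh
# Added example, not from the original post: steps 1 and 2 run non-interactively,
# then sanity checks on the result. Assumptions: placeholder names, CA passphrase
# from $CA_PASS, all files written to $WORK (a temp dir by default).
set -eu
WORK="${WORK:-$(mktemp -d)}"
CA_PASS="${CA_PASS:-changeit}"   # placeholder; use a real passphrase for a real CA

make_ca() {
  # Step 1: DES3-encrypted CA key and a self-signed root valid for 5 years
  openssl genrsa -des3 -passout "pass:$CA_PASS" -out "$WORK/myrootCA.key" 2048 2>/dev/null
  openssl req -x509 -new -key "$WORK/myrootCA.key" -passin "pass:$CA_PASS" \
    -sha256 -days 1825 -subj "/CN=my root CA" -out "$WORK/myrootCA.pem"
}

make_leaf() {
  # Step 2: unencrypted server key (Nginx loads it without a passphrase), CSR,
  # extension file with the SANs, and the certificate signed by the root
  name="$1"
  openssl genrsa -out "$WORK/$name.key" 2048 2>/dev/null
  openssl req -new -key "$WORK/$name.key" -subj "/CN=$name" -out "$WORK/$name.csr"
  cat > "$WORK/$name.ext" <<EOF
authorityKeyIdentifier=keyid,issuer
basicConstraints=CA:FALSE
keyUsage = digitalSignature, nonRepudiation, keyEncipherment, dataEncipherment
subjectAltName = @alt_names
[alt_names]
DNS.1 = $name
DNS.2 = *.$name
EOF
  openssl x509 -req -in "$WORK/$name.csr" -CA "$WORK/myrootCA.pem" \
    -CAkey "$WORK/myrootCA.key" -passin "pass:$CA_PASS" -CAcreateserial \
    -days 1825 -sha256 -extfile "$WORK/$name.ext" -out "$WORK/$name.crt" 2>/dev/null
}

# Checks: chains to the root, is not a CA itself, carries the SAN, matches its key
verify_chain() { openssl verify -CAfile "$WORK/myrootCA.pem" "$WORK/$1.crt" >/dev/null; }
is_not_ca()    { openssl x509 -in "$WORK/$1.crt" -noout -text | grep -q 'CA:FALSE'; }
has_san()      { openssl x509 -in "$WORK/$1.crt" -noout -text | grep -qF "DNS:$2"; }
key_matches() {
  # The public key inside the cert must equal the one derived from the private key
  a=$(openssl x509 -in "$WORK/$1.crt" -noout -pubkey | openssl sha256)
  b=$(openssl pkey -in "$WORK/$1.key" -pubout | openssl sha256)
  [ "$a" = "$b" ]
}

make_ca
make_leaf test.local
verify_chain test.local && is_not_ca test.local && has_san test.local '*.test.local' \
  && key_matches test.local && echo "test.local.crt OK in $WORK"
```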

3. Configure Nginx

  • create a new folder 'ssl' in /etc/nginx
  • copy test.local.key and test.local.crt to /etc/nginx/ssl (the key should be readable by root only)
  • add the following to the server block
        #SSL parameters
        listen 443 ssl;                 # 'ssl on;' is the pre-1.15 form and is deprecated
        ssl_certificate /etc/nginx/ssl/test.local.crt;
        ssl_certificate_key /etc/nginx/ssl/test.local.key;
        ssl_session_timeout 30m;
        ssl_protocols TLSv1 TLSv1.1 TLSv1.2;   # TLSv1 and TLSv1.1 are deprecated (RFC 8996); drop them unless legacy clients need them
        ssl_ciphers 'ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECD$
        ssl_prefer_server_ciphers on;