NGINX - Managing SSL Certificates Using OpenSSL

45 minutes
  • 4 Learning Objectives

About this Hands-on Lab

Before we can start building our world-changing website or application on LEMP, we have to lay the foundation – the stack. In this hands-on lab, we will walk through the creation of self-signed SSL certificates.

Completing this lab will provide have a good understanding of how to create SSL certificates using OpenSSL on Ubuntu Linux.

Learning Objectives

Successfully complete this lab by achieving the following learning objectives:

Create a Certificate Authority Private Key and Certificate

Become root:

sudo su -

Create a directory to store our certificates:

mkdir -p /etc/nginx/certificates
cd /etc/nginx/certificates

Generate a private key for the CA:

openssl genrsa 2048 > ca-key.pem

Generate the X509 certificate for the CA. For this step, just hit Enter for all the questions and use the default answers:

openssl req -new -x509 -nodes -days 365000 
      -key ca-key.pem -out ca-cert.pem
Create a Private Key for the NGINX Server

Generate a private key and create a certificate request for the NGINX server:

openssl req -newkey rsa:2048 -days 365000 
      -nodes -keyout server-key.pem -out server-req.pem

We will have to answer some questions.

Process the key to remove the passphrase:

openssl rsa -in server-key.pem -out server-key.pem

We should see the following: writing RSA key

Create a Self-Signed Certificate for the NGINX Server

Generate a self-signed X509 certificate for the NGINX server:

openssl x509 -req -in server-req.pem -days 365000 
      -CA ca-cert.pem -CAkey ca-key.pem -set_serial 01 
      -out server-cert.pem

We now have self-signed X509 certificates for the NGINX server in the /etc/nginx/certificates directory.

We need to allow the nginx user access to the certificates. Add read permission for group and other:

chmod 644 *
Verify the Self-Signed Certificate for the NGINX Server

Let’s use the openssl verify command to verify that the X509 certificate was correctly generated:

openssl verify -CAfile ca-cert.pem server-cert.pem

We should see the following: server-cert.pem: OK

Additional Resources

Big State College (BSC) is a Large Ten Conference school in a Midwestern state. BSC is looking to deploy a centralized web hosting service using the LEMP stack.

As the engineers tasked with executing this project, we will be creating SSL certificates using OpenSSL on an Ubuntu Linux server. Let's begin!

Connecting to the Lab Server

Use the credentials provided on the hands-on lab overview page, and log in using an SSH connection to the Public IP or DNS of the server as cloud_user.

Making a SSH connection using the ssh command. Replace <<public_IP_or_DNS>> with the Public IP or DNS provided on the overview page.

ssh cloud_user@<<public_IP_or_DNS>>

If you can't use ssh or prefer a GUI client, use the credentials provided on the hands-on lab overview page to configure your SSH connection to the lab server.

What are Hands-on Labs

Hands-on Labs are real environments created by industry experts to help you learn. These environments help you gain knowledge and experience, practice without compromising your system, test without risk, destroy without fear, and let you learn from your mistakes. Hands-on Labs: practice your skills before delivering in the real world.

Sign In
Welcome Back!

Psst…this one if you’ve been moved to ACG!

Get Started
Who’s going to be learning?