// Tutorial //

How To Create a SSL Certificate on nginx for Ubuntu 12.04

Published on June 8, 2012
Default avatar
By Etel Sverdlov
Developer and author at DigitalOcean.
How To Create a SSL Certificate on nginx for Ubuntu 12.04

Status: Deprecated

This article covers a version of Ubuntu that is no longer supported. If you are currently operate a server running Ubuntu 12.04, we highly recommend upgrading or migrating to a supported version of Ubuntu:

Reason: Ubuntu 12.04 reached end of life (EOL) on April 28, 2017 and no longer receives security patches or updates. This guide is no longer maintained.

See Instead:
This guide might still be useful as a reference, but may not work on other Ubuntu releases. If available, we strongly recommend using a guide written for the version of Ubuntu you are using. You can use the search functionality at the top of the page to find a more recent version.

About Self-Signed Certificates

A SSL certificate is a way to encrypt a site's information and create a more secure connection. Additionally, the certificate can show the virtual private erver's identification information to site visitors. Certificate Authorities can issue SSL certificates that verify the server's details while a self-signed certificate has no 3rd party corroboration.

Set Up

The steps in this tutorial require the user to have root privileges. You can see how to set that up in the Initial Server Setup Tutorial in steps 3 and 4.

Additionally, you need to have nginx already installed and running on your VPS. If this is not the case, you can download it with this command:

sudo apt-get install nginx

Step One—Create a Directory for the Certificate

The SSL certificate has 2 parts main parts: the certificate itself and the public key. To make all of the relevant files easy to access, we should create a directory to store them in:

 sudo mkdir /etc/nginx/ssl

We will perform the next few steps within the directory:

 cd /etc/nginx/ssl

Step Two—Create the Server Key and Certificate Signing Request

Start by creating the private server key. During this process, you will be asked to enter a specific passphrase. Be sure to note this phrase carefully, if you forget it or lose it, you will not be able to access the certificate.

sudo openssl genrsa -des3 -out server.key 2048

Follow up by creating a certificate signing request:

sudo openssl req -new -key server.key -out server.csr

This command will prompt terminal to display a lists of fields that need to be filled in.

The most important line is "Common Name". Enter your official domain name here or, if you don't have one yet, your site's IP address. Leave the challenge password and optional company name blank.

You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [AU]:US
State or Province Name (full name) [Some-State]:New York
Locality Name (eg, city) []:NYC
Organization Name (eg, company) [Internet Widgits Pty Ltd]:Awesome Inc
Organizational Unit Name (eg, section) []:Dept of Merriment
Common Name (e.g. server FQDN or YOUR name) []:example.com                  
Email Address []:webmaster@awesomeinc.com

Step Three—Remove the Passphrase

We are almost finished creating the certificate. However, it would serve us to remove the passphrase. Although having the passphrase in place does provide heightened security, the issue starts when one tries to reload nginx. In the event that nginx crashes or needs to reboot, you will always have to re-enter your passphrase to get your entire web server back online.

Use this command to remove the password:

sudo cp server.key server.key.org
sudo openssl rsa -in server.key.org -out server.key

Step Four— Sign your SSL Certificate

Your certificate is all but done, and you just have to sign it. Keep in mind that you can specify how long the certificate should remain valid by changing the 365 to the number of days you prefer. As it stands this certificate will expire after one year.

 sudo openssl x509 -req -days 365 -in server.csr -signkey server.key -out server.crt

You are now done making your certificate.

Step Five—Set Up the Certificate

Now we have all of the required components of the finished certificate.The next thing to do is to set up the virtual hosts to display the new certificate.

Let's create new file with the same default text and layout as the standard virtual host file. You can replace "example" in the command with whatever name you prefer:

sudo cp /etc/nginx/sites-available/default /etc/nginx/sites-available/example

Then go ahead and open up that new file:

 sudo nano /etc/nginx/sites-available/example

Scroll down to the bottom of the file and find the section that begins with this:

# HTTPS server

server {
        listen 443;
        server_name example.com;

        root /usr/share/nginx/www;
        index index.html index.htm;

        ssl on;
        ssl_certificate /etc/nginx/ssl/server.crt;
        ssl_certificate_key /etc/nginx/ssl/server.key; 
}

Uncomment within the section under the line HTTPS Server. Match your config to the information above, replacing the example.com in the "server_name" line with your domain name or IP address. Subsequently, add in the correct directory for your site (the above configuration includes the default nginx page).

Additionally, make sure that both of these lines are commented out in the line toward the beginning of the file that says:

# Make site accessible from http://localhost/
# server_name localhost;

Step Six—Activate the Virtual Host

The last step is to activate the host by creating a symbolic link between the sites-available directory and the sites-enabled directory.

 sudo ln -s /etc/nginx/sites-available/example /etc/nginx/sites-enabled/example

Then restart nginx:

 sudo service nginx restart

Visit https://youraddress

You will see your self-signed certificate on that page!

See More

Once you have setup your SSL certificate on the site, you can Install an FTP server if you haven't done so yet.

Resources

By Etel Sverdlov

Want to learn more? Join the DigitalOcean Community!

Join our DigitalOcean community of over a million developers for free! Get help and share knowledge in our Questions & Answers section, find tutorials and tools that will help you grow as a developer and scale your project or business, and subscribe to topics of interest.

Sign up
About the authors
Default avatar
Developer and author at DigitalOcean.

Still looking for an answer?

Was this helpful?
10 Comments

This textbox defaults to using Markdown to format your answer.

You can type !ref in this text area to quickly search our full set of tutorials, documentation & marketplace offerings and insert the link!

Worth noting, in case anyone else has this issue, I had setup UFW (Ultimate FireWall) and had only left open my web and SSH ports. Thus SSL on 443 or whatever post you use, didn’t work.

Dont forget to add this rule to UFW or IPTABLES!!

missing s in “virtual private erver’s identification” in first paragraph

This comment has been deleted

Can somebody please let me know what I need to change in my nginx.conf file? I feel like I have tried everything that people say has worked for them, but I keep getting “400 Bad Request The plain HTTP request was sent to HTTPS port” when I visit localhost:443. Thanks in advance.

server { listen 80;

listen 443 ssl;

root /usr/share/nginx/www; 
index index.html index.htm index.php;

server_name localhost;

ssl on;
ssl_certificate  /usr/local/etc/nginx/ssl/server.crt;
ssl_certificate_key /usr/local/etc/nginx/ssl/server.key;

location / {
    proxy_pass http://localhost:8888/;
    proxy_http_version 1.1;
    proxy_set_header Upgrade $http_upgrade;
    proxy_set_header Connection 'upgrade';
    proxy_set_header Host $host;
    proxy_cache_bypass $http_upgrade;
}

location /public {
    root /usr/local/var/www;
}

}

[EDIT] Tried cURL and got: curl: (35) error:14077438:SSL routines:SSL23_GET_SERVER_HELLO:tlsv1 alert internal error

I don’t know what I am doing wrong, but I keep getting:

SSL connection error

ERR_SSL_PROTOCOL_ERROR

Error message

My nginx conf looks like this:

# carsonevans.ca settings
#

# Catch http://carsonevans.ca, and http://www.carsonevans.ca
#
server {
	listen 80;
	listen [::]:80;
	server_name www.carsonevans.ca carsonevans.ca;

	# Redirect to https://www.carsonevans.ca
	return 301 https://www.carsonevans.ca$request_uri;
}

# Catch http://www.carsonevans.ca
#
server {
	listen 443;
	listen [::]:443;
	server_name www.carsonevans.ca;

	# Redirect to http://carsonevans.ca
	return 301 https://carsonevans.ca$request_uri;
}

# Catch https://carsonevans.ca
#
server {
	listen 443;
	listen [::]:443;
	server_name carsonevans.ca;

	root /usr/share/nginx/carsonevans.ca;
	index index.html index.htm;

	ssl on;
	ssl_certificate /etc/nginx/ssl/server.crt;
	ssl_certificate_key /etc/nginx/ssl/server.key;
	ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
	ssl_ciphers HIGH:!aNULL:!MD5;
	ssl_prefer_server_ciphers on;

	location / {
		try_files $uri $uri/ =404;
	}
}

I have checked that the certificate and key are in the location specified by the conf file. I just get even get a connection.

This comment has been deleted

i m blocked at step five plz help me


sudo cp /etc/nginx/sites-available/default no such file or directory

This comment has been deleted

I could not make the certificate work. Followed the other tutorial, but instead of writing it as described there: sudo openssl req -new -key server.key -out server.csr

…I did like this: sudo openssl req -new -key appname.key -out appname.pem and after signing in my certificate, set up it and activate my virtual host, if I type ngynx -t, I get this:

nginx: configuration file /etc/nginx/nginx.conf test failed```

What am I doing wrong? I have double-check to see if my /etc/nginx/sites-available/appname was good, and it does.

When I run #sudo openssl x509 -req -days 365 -in server.csr -signkey server.key -out server.crt I get the error Signature did not match the certificate request What is going on?