Create an SSL certificate on Ubuntu

Source: Internet
Author: User

Introduction

TLS, or Transport Layer Security, and its predecessor SSL, which stands for Secure Sockets Layer, are web protocols used to wrap normal traffic in a protected, encrypted wrapper.

Using this technology, servers can send traffic safely between the server and the client without the concern that the messages will be intercepted and read by an outside party. The certificate system also assists users in verifying the identity of the sites that they are connecting with.

In this guide, we'll show you how to set up a self-signed SSL certificate for use with an Nginx web server on an Ubuntu 14.04 server. A self-signed certificate will not validate the identity of your server for your users since it is not signed by one of their web browser's trusted certificate authorities, but it will allow you to encrypt communications with your web clients.

Prerequisites

To get started on this guide, you will need to set up some basic things on your server.

You should have a non-root user available who has sudo privileges. You can learn how to set up such a user account by following steps 1-4 in our initial server setup for Ubuntu 14.04.

After this, you'll also need to have the Nginx web server installed. If you would like to install an entire LEMP (Linux, Nginx, MySQL, PHP) stack on your server, you can follow our guide on setting up LEMP on Ubuntu 14.04.

If you just want the Nginx web server, you can instead just type:

sudo apt-get update
sudo apt-get install nginx

Step One: Create the SSL Certificate

We can start off by creating a directory that will be used to hold all of our SSL information. We should create this under the Nginx configuration directory:

sudo mkdir /etc/nginx/ssl

Now that we have a location to place our files, we can create the SSL key and certificate files in one motion by typing:

sudo openssl req -x509 -nodes -days 365 -newkey rsa:2048 -keyout /etc/nginx/ssl/nginx.key -out /etc/nginx/ssl/nginx.crt

You'll be asked a series of questions. Before we go over this, let's take a look at what's happening in the command we're issuing:

  • openssl: This is the basic command line tool for creating and managing OpenSSL certificates, keys, and other files.
  • req: This subcommand specifies that we want to use X.509 certificate signing request (CSR) management. X.509 is a public key infrastructure standard that SSL and TLS adhere to for key and certificate management. We want to create a new X.509 certificate, so we are using this subcommand.
  • -x509: This further modifies the previous subcommand by telling the utility that we want to make a self-signed certificate instead of generating a certificate signing request, as would normally happen.
  • -nodes: This tells OpenSSL to skip the option to secure our certificate with a passphrase. We need Nginx to be able to read the file, without user intervention, when the server starts up. A passphrase would prevent this from happening because we would have to enter it after every restart.
  • -days 365: This option sets the length of time that the certificate will be considered valid. We set it for one year here.
  • -newkey rsa:2048: This specifies that we want to generate a new certificate and a new key at the same time. We did not create the key that is required to sign the certificate in a previous step, so we need to create it along with the certificate. The rsa:2048 portion tells it to make an RSA key that is 2048 bits long.
  • -keyout: This tells OpenSSL where to place the generated private key file that we are creating.
  • -out: This tells OpenSSL where to place the certificate that we are creating.

As we stated above, these options will create both a key file and a certificate. We will be asked a few questions about our server in order to embed the information correctly in the certificate.

Fill out the prompts appropriately. The most important line is the one that requests the Common Name (e.g. server FQDN or YOUR name). You need to enter the domain name that you want to be associated with your server. You can enter the public IP address instead if you do not have a domain name.

The entirety of the prompts will look something like this:

Country Name (2 letter code) [AU]:US
State or Province Name (full name) [Some-State]:New York
Locality Name (eg, city) []:New York City
Organization Name (eg, company) [Internet Widgits Pty Ltd]:Bouncy Castles, Inc.
Organizational Unit Name (eg, section) []:Ministry of Water Slides
Common Name (e.g. server FQDN or YOUR name) []:your_domain.com
Email Address []:[email protected]_domain.com

Both of the files you created will be placed in the /etc/nginx/ssl directory.
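
The Step One command can also be run without prompts and its output checked before Nginx is pointed at it. The following is an added example, not part of the original guide: it writes to a scratch directory instead of /etc/nginx/ssl so it runs without sudo, and the function names and the SSL_DIR and CN variables are assumptions made here.

```bash
#!/usr/bin/env bash
# Added example (not from the original guide). SSL_DIR defaults to a scratch
# directory so no sudo is needed; the guide itself uses /etc/nginx/ssl.
SSL_DIR="${SSL_DIR:-$(mktemp -d)}"
CN="${CN:-your_domain.com}"            # placeholder name used in the guide
crt="$SSL_DIR/nginx.crt"; key="$SSL_DIR/nginx.key"

make_cert() {
    # Same options as the guide; -subj answers the prompts up front and
    # umask 077 keeps the new private key readable by its owner only.
    ( umask 077
      openssl req -x509 -nodes -days 365 -newkey rsa:2048 \
          -subj "/C=US/ST=New York/L=New York City/O=Bouncy Castles, Inc./CN=$CN" \
          -keyout "$key" -out "$crt" 2>/dev/null )
}

key_matches_cert() {
    # The pair belongs together only if both files carry the same public key.
    local from_crt from_key
    from_crt=$(openssl x509 -in "$crt" -noout -pubkey 2>/dev/null)
    from_key=$(openssl pkey -in "$key" -pubout 2>/dev/null)
    [ -n "$from_crt" ] && [ "$from_crt" = "$from_key" ]
}

is_self_signed() {
    # Issuer equals subject and the signature verifies under the cert's own key.
    local subj iss
    subj=$(openssl x509 -in "$crt" -noout -subject | sed 's/^subject= *//')
    iss=$(openssl x509 -in "$crt" -noout -issuer | sed 's/^issuer= *//')
    [ "$subj" = "$iss" ] && openssl verify -CAfile "$crt" "$crt" >/dev/null 2>&1
}

expires_within() {
    # -checkend exits non-zero when the cert expires within $1 seconds.
    ! openssl x509 -in "$crt" -noout -checkend "$1" >/dev/null
}

key_mode() { stat -c '%a' "$key"; }    # GNU stat, as shipped on Ubuntu

make_cert || { echo "openssl req failed" >&2; exit 1; }
key_matches_cert && echo "key and certificate match"
is_self_signed && echo "self-signed: issuer equals subject"
expires_within $((30 * 24 * 3600)) || echo "more than 30 days of validity left"
echo "private key mode: $(key_mode)"
```

Running the same checks with SSL_DIR=/etc/nginx/ssl (under sudo) applies them to the files created by the guide's command; a mismatched key and certificate is a common reason for Nginx refusing to start after a renewal.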

Step Two: Configure Nginx to Use SSL

We have created our key and certificate files under the Nginx configuration directory. Now we just need to modify our Nginx configuration to take advantage of these by adjusting our server block files. You can learn more about Nginx server blocks in this article.

Nginx versions 0.7.14 and above (Ubuntu 14.04 ships with version 1.4.6) can enable SSL within the same server block as regular HTTP traffic. This allows us to configure access to the same site in a much more succinct manner.

Your server block may look something like this:

server {
        listen 80 default_server;
        listen [::]:80 default_server ipv6only=on;

        root /usr/share/nginx/html;
        index index.html index.htm;

        server_name your_domain.com;

        location / {
                try_files $uri $uri/ =404;
        }
}

The only thing we would need to do to get SSL working on this same server block, while still allowing regular HTTP connections, is add these lines:

server {
        listen 80 default_server;
        listen [::]:80 default_server ipv6only=on;

        # Accept HTTPS connections in the same server block
        listen 443 ssl;

        root /usr/share/nginx/html;
        index index.html index.htm;

        server_name your_domain.com;
        # Certificate and private key created in Step One
        ssl_certificate /etc/nginx/ssl/nginx.crt;
        ssl_certificate_key /etc/nginx/ssl/nginx.key;

        location / {
                try_files $uri $uri/ =404;
        }
}

When you are finished, save and close the file.

Now, all you have to do is restart Nginx to use your new settings:

sudo service nginx restart

This should reload your site configuration, now allowing it to respond to both HTTP and HTTPS (SSL) requests.

Step Three: Test Your Setup

Your site should now have SSL functionality, but we should test it to make sure.

First, let's test to make sure we can still access the site using normal HTTP. In your web browser, go to your server's domain name or IP address:

http://server_domain_or_ip

You should see your normal website. In my example, I'm just serving the default Nginx page:

If you get this page, then your server is still handling HTTP requests correctly.

Now, we can check whether our server can use SSL to communicate. Do this by specifying the https protocol instead of the http protocol.

https://server_domain_or_ip

You'll likely get a warning in your web browser that looks something like this:

This is expected. It is telling you that it cannot verify the identity of the server you are trying to connect to because it isn't signed by a certificate authority that the browser has been configured to trust. Since we created a self-signed certificate, this makes perfect sense.

Click on "Proceed anyway", "Continue", or whatever similar option is available. You should see your site again:

Your browser may show the "https" crossed out in the address bar or a broken or crossed out "lock" icon. If you click on the lock icon, you can see some more information about the connection:

As you can see, the issue is only that the browser cannot verify the identity of the server because it isn't signed by a certificate authority that it is configured to trust. The middle section shows that the connection is encrypted, however, so we have achieved that goal.
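
Because the browser cannot vouch for a self-signed certificate, the warning looks the same whether the certificate shown is yours or someone else's. The following added example (not part of the original guide) compares the SHA-256 fingerprint of the certificate the server presents with the one computed from /etc/nginx/ssl/nginx.crt; the function names and the host, port and fingerprint arguments are assumptions made here.

```bash
#!/usr/bin/env bash
# Added example (not from the original guide): check that the certificate a
# client is shown is the one generated on the server.

cert_fingerprint() {
    # SHA-256 fingerprint of a PEM certificate file, e.g. /etc/nginx/ssl/nginx.crt
    openssl x509 -in "$1" -noout -fingerprint -sha256 | cut -d= -f2
}

served_fingerprint() {
    # Fingerprint of the leaf certificate presented at host $1, port $2.
    openssl s_client -connect "$1:$2" </dev/null 2>/dev/null |
        openssl x509 -noout -fingerprint -sha256 2>/dev/null | cut -d= -f2
}

check_pin() {
    # check_pin HOST PORT EXPECTED -> 0 match, 1 mismatch, 2 nothing received
    local got
    got=$(served_fingerprint "$1" "$2")
    if [ -z "$got" ]; then
        echo "no certificate received from $1:$2"; return 2
    fi
    if [ "$got" = "$3" ]; then
        echo "match: $got"
    else
        echo "MISMATCH: expected $3, server presented $got"; return 1
    fi
}

# Usage: run `cert_fingerprint /etc/nginx/ssl/nginx.crt` on the server, carry
# the value to the client over a channel you trust, then on the client:
#   ./check_pin.sh server_domain_or_ip 443 'AB:CD:...'
if [ "$#" -eq 3 ]; then check_pin "$@"; fi
```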

Conclusion

You have now configured your Nginx server to handle both HTTP and SSL requests. This will help you communicate with clients securely and prevent outside parties from being able to read your traffic.

If you are planning on using SSL for a public website, you should probably purchase an SSL certificate from a trusted certificate authority to prevent the scary warnings from being shown to each of your visitors.
