Howto: generate multi-domain self-signed certificates (and use with nginx)
Intro
Self-signed certificates are often needed during development. This is one way to generate them on a Linux machine (WSL works too).
NOTE: Do NOT use such certificates in production - such certificates are not trusted by browsers.
Step 1: Copy conf template
cd ~
cp /usr/lib/ssl/openssl.cnf .
Step 2: Edit the conf file adding domains
Edit the copied file and insert the following line immediately BEFORE the "HOME" entry:
SAN="email:your-email@domain.com"
Add the following line immediately AFTER the [v3_req] and [v3_ca] section markers (add as many domains as needed):
subjectAltName=DNS:sub1.domain.com,DNS:sub2.domain.com
Step 3: Generate the certificate
openssl req -new -x509 -sha256 -days 365 -nodes -out cert.pem -keyout cert_key.pem -config openssl.cnf
To view the cert:
openssl x509 -in cert.pem -noout -text
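Steps 1 to 3 as one script, added here as an example and not part of the original post: instead of editing a copy of the system openssl.cnf it writes a minimal config of its own, then checks that each domain really ended up in the certificate's Subject Alternative Name extension. The function names, the dev.cnf file and the v3_dev section name are assumptions of this example.

```shell
#!/bin/sh
# Added example (not from the original post): steps 1-3 with a dedicated config.

# make_dev_cert OUTDIR DOMAIN [DOMAIN...]
# Writes OUTDIR/cert.pem and OUTDIR/cert_key.pem (same names as in step 3).
make_dev_cert() {
    [ "$#" -ge 2 ] || { echo "usage: make_dev_cert OUTDIR DOMAIN..." >&2; return 2; }
    outdir=$1; shift
    mkdir -p "$outdir" || return 1

    # Build "DNS:a,DNS:b,..." from the remaining arguments.
    san=""
    for d in "$@"; do
        san="${san:+$san,}DNS:$d"
    done

    # Minimal config: only what "openssl req -x509" needs for this certificate.
    cat > "$outdir/dev.cnf" <<EOF
[req]
prompt             = no
distinguished_name = dn
x509_extensions    = v3_dev

[dn]
CN = $1

[v3_dev]
subjectAltName = $san
EOF

    # -nodes leaves the private key unencrypted, so keep new files owner-only.
    ( umask 077
      openssl req -new -x509 -sha256 -days 365 -nodes -newkey rsa:2048 \
          -config "$outdir/dev.cnf" \
          -out "$outdir/cert.pem" -keyout "$outdir/cert_key.pem" )
}

# cert_has_san CERT DOMAIN: succeeds only if DOMAIN is a DNS entry in the SAN.
cert_has_san() {
    openssl x509 -in "$1" -noout -text |
        grep -A1 'Subject Alternative Name' |
        tr ',' '\n' | tr -d ' ' | grep -Fqx "DNS:$2"
}

# Run directly: sh make_dev_cert.sh ./ssl sub1.domain.com sub2.domain.com
if [ "$#" -gt 0 ]; then
    make_dev_cert "$@"
fi
```

Running cert_has_san against cert.pem for each hostname before copying the files to nginx catches a missing or misspelled subjectAltName entry early.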
Use certificate in Nginx
In step 3 we generated 2 files, cert.pem and cert_key.pem. Copy them to wherever you like to keep your certificates; /etc/nginx/ssl is a good place.
Next we'll use these files in our nginx config.
Edit the nginx conf file (usually /etc/nginx/nginx.conf, but it really depends on your setup).
Find the server section and add the ssl conf:
server {
    # nginx directives take no colon between name and value
    server_name domain.com;
    listen 80;
    # SSL
    listen 443 ssl;
    ssl_certificate /etc/nginx/ssl/cert.pem;
    ssl_certificate_key /etc/nginx/ssl/cert_key.pem;
}
Add to "trusted certificates" on Windows
If you browse to a site using that certificate, Chrome will show an error because the certificate is not trusted.
To "trust" this certificate:
- Using Chrome, browse to some site that is using the certificate
- Click on "View Certificate"
- Click on "Copy to File..." and save the certificate as a ".der" file
- Open Windows "Manage User Certificates" settings
- Right-click on "Trusted Root Certification Authorities/Certificates" -> All Tasks -> Import
- Select the saved certificate from above
- Restart Chrome