Let's start by generating a server certificate and a private server key.
One single command to generate the certificate
Create a directory to store our certificate; in my case I'll put the files in /etc/nginx/ssl.
Request a new certificate (-x509) with a new key (-newkey), store the key in a file (-keyout) with no passphrase (-nodes), using RSA with a key length of 2048 bits, and finally store the certificate in the cert.crt file:
openssl req -new -x509 -newkey rsa:2048 -keyout server.key -nodes -out cert.crt
Finally, move the two generated files into the directory /etc/nginx/ssl.
Make sure that the CN matches the FQDN of the server.
The Common Name (CN) is used to define the server name that will be used for the secure SSL connection.
When a client connects to a web server, it first retrieves the server certificate and then matches the domain name/host name against the CN written in the certificate. If they do not match, the SSL/TLS connection is still established, but the client warns about the server's identity.
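As an added example (not code from the original post), here is a small POSIX shell script that runs the generation step above non-interactively and then checks the result the way a client will. Two details the single command leaves at their defaults matter in practice: without -days the certificate expires after 30 days (the openssl req default), and modern browsers match the host name against the subjectAltName extension rather than the CN, so the script sets both. It assumes OpenSSL 1.1.1 or later (for -addext and -ext); the host name www.example.test, the output directory and the function names are hypothetical.

```shell
#!/bin/sh
# Added example, not code from the original post. Hypothetical helper that
# performs the generation step non-interactively and then checks the
# certificate the way a client does. Assumes OpenSSL >= 1.1.1.
set -eu

# gen_self_signed FQDN OUTDIR DAYS
# Same command as in the post, plus: -days (default is only 30 days),
# -subj so there are no interactive prompts, and a subjectAltName because
# clients match the host name against the SAN, not only the CN.
gen_self_signed() {
    fqdn=$1; outdir=$2; days=$3
    mkdir -p "$outdir"
    openssl req -new -x509 -newkey rsa:2048 -nodes \
        -keyout "$outdir/server.key" -out "$outdir/cert.crt" \
        -days "$days" \
        -subj "/CN=$fqdn" \
        -addext "subjectAltName=DNS:$fqdn" \
        -addext "extendedKeyUsage=serverAuth" \
        2>/dev/null
    # Only root (the nginx master process) needs to read the private key.
    chmod 600 "$outdir/server.key"
}

# cert_san CERT: print the DNS names in subjectAltName, one per line
cert_san() {
    openssl x509 -in "$1" -noout -ext subjectAltName | grep -o 'DNS:[^, ]*'
}

# key_matches_cert CERT KEY: true if the key really belongs to the certificate
# (compares the public key inside the cert with the one derived from the key)
key_matches_cert() {
    c=$(openssl x509 -in "$1" -noout -pubkey | openssl sha256)
    k=$(openssl pkey -in "$2" -pubout | openssl sha256)
    [ "$c" = "$k" ]
}

# verify_hostname CERT FQDN: emulate the client-side check described above,
# using the self-signed certificate as its own trust anchor
verify_hostname() {
    openssl verify -CAfile "$1" -verify_hostname "$2" "$1" >/dev/null 2>&1
}

# Usage: ./selfsigned.sh --demo  (writes into a temp dir, nothing under /etc)
if [ "${1:-}" = "--demo" ]; then
    d=$(mktemp -d)
    gen_self_signed www.example.test "$d" 365
    cert_san "$d/cert.crt"
    key_matches_cert "$d/cert.crt" "$d/server.key" && echo "key matches cert"
    verify_hostname "$d/cert.crt" www.example.test && echo "hostname OK"
    verify_hostname "$d/cert.crt" other.example.test || echo "hostname mismatch (expected)"
fi
```

The last two calls are the point of the CN/FQDN remark above: the same certificate verifies for the name it was issued to and fails for any other name, which is exactly the identity warning a browser shows.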
Modify the Virtual Host config file
We only need to add a few lines to the configuration file stored in /etc/nginx/sites-available/:
listen 443 ssl;
and the references to the key and certificate on the server: ssl_certificate and ssl_certificate_key.
server {
    listen 80 default_server;
    listen 443 ssl;
    server_name _;
    root /usr/share/nginx/html;
    ssl_certificate /etc/nginx/ssl/cert.crt;
    ssl_certificate_key /etc/nginx/ssl/server.key;
}
Restart the service and test:
systemctl restart nginx
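Before restarting, run nginx -t so that a typo in the vhost does not take the server down. As an added example that is not part of the original post, the following shell script puts the server block above next to a hardened form of it and runs a small lint over both: the weak settings are the plain-HTTP listener sharing the block with HTTPS, the missing ssl_protocols (nginx before 1.23.4 also offers TLSv1 and TLSv1.1 by default) and the missing HSTS header. The host name www.example.test and the max-age value are assumptions; the lint is a plain grep-based heuristic, not an nginx parser.

```shell
#!/bin/sh
# Added example, not part of the original post. The server block from the
# post next to a hardened form of it, plus a small lint that flags what a
# reviewer looks for in a TLS vhost. Pure POSIX shell and grep -E.
set -eu

# The block as the post shows it (constructed copy)
WEAK_CONF='server {
    listen 80 default_server;
    listen 443 ssl;
    server_name _;
    root /usr/share/nginx/html;
    ssl_certificate /etc/nginx/ssl/cert.crt;
    ssl_certificate_key /etc/nginx/ssl/server.key;
}'

# Hardened form: port 80 only redirects, port 443 pins TLS 1.2+ and tells
# browsers to stay on HTTPS. server_name must be the name in the certificate
# (www.example.test is an assumption).
HARDENED_CONF='server {
    listen 80 default_server;
    server_name _;
    return 301 https://$host$request_uri;
}
server {
    listen 443 ssl default_server;
    server_name www.example.test;
    root /usr/share/nginx/html;
    ssl_certificate     /etc/nginx/ssl/cert.crt;
    ssl_certificate_key /etc/nginx/ssl/server.key;
    ssl_protocols TLSv1.2 TLSv1.3;
    ssl_prefer_server_ciphers off;
    add_header Strict-Transport-Security "max-age=31536000" always;
}'

# conf_has CONF REGEX: true if any line of the config matches the extended regex
conf_has() {
    printf '%s\n' "$1" | grep -Eq "$2"
}

# lint_tls_conf CONF: print one finding per line; return 1 if there is any
lint_tls_conf() {
    rc=0
    if ! conf_has "$1" 'ssl_protocols'; then
        echo "no ssl_protocols: nginx older than 1.23.4 also offers TLSv1 and TLSv1.1"; rc=1
    elif conf_has "$1" 'ssl_protocols[^;]*(SSLv3|TLSv1( |;)|TLSv1\.1)'; then
        echo "ssl_protocols enables a deprecated protocol version"; rc=1
    fi
    if conf_has "$1" 'listen[[:space:]]+80' && \
       ! conf_has "$1" 'return[[:space:]]+30[12][[:space:]]+https://'; then
        echo "plain HTTP is served instead of being redirected to HTTPS"; rc=1
    fi
    if ! conf_has "$1" 'Strict-Transport-Security'; then
        echo "no Strict-Transport-Security header"; rc=1
    fi
    return $rc
}

# Usage: ./lint-vhost.sh --demo
if [ "${1:-}" = "--demo" ]; then
    echo "== block from the post";  lint_tls_conf "$WEAK_CONF" || true
    echo "== hardened block";       lint_tls_conf "$HARDENED_CONF" && echo "clean"
fi
```

Write the hardened block to the file under /etc/nginx/sites-available/, run nginx -t, and only then systemctl restart nginx; the lint is meant to be run over the file before that step, not as a substitute for nginx -t.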