Debian : Create Certificate Authority(CA) with OpenSSL for Nginx Web Server

Generate new CA

make directory for CA, example in /root/CA or home directory for root user

mkdir -p /root/CA
cd /root/CA

example name : rootCA.key

openssl genrsa -des3 -out rootCA.key 2048

Generate new CA Certificate

openssl req -x509 -nodes -new -key rootCA.key -days 365 -sha256 -out rootCA.pem

Convert .pem to .p7b if client is windows

openssl crl2pkcs7 -nocrl -certfile rootCA.pem -out rootCA.p7b


Generate New Private Key for Web

example domain :

openssl genrsa -out 2048

Generate CSR for Signing Request to CA

openssl req -new -key -out

FQDN must be the domain : or

Signing Certificate

openssl x509 -req -in -CAkey rootCA.key -CAcreateserial -out -days 365 -sha256

Nginx Setup

cd /etc/nginx/sites-available && nano default

Uncomment # listen 443 ssl and add below

 ssl_certificate /root/CA/;
 ssl_certificate_key /root/CA/;
 ssl_protocols TLSv1 TLSv1.1 TLSv1.2;

Save and check configuration

nginx -t
nginx: the configuration file /etc/nginx/nginx.conf syntax is ok
nginx: configuration file /etc/nginx/nginx.conf test is successful

Restart Nginx

service nginx restart



1.Download or copy rootCA.p7b from server

2. Open Manage computer certificates -> Trusted Root Certification Authorities -> Certificates

3. Right Click -> All Task -> Import -> Insert file rootCA.p7b -> Next -> Finish


for Linux Client add CA file rootCA.pem in Browser

Leave a Comment