Debian: Create a Certificate Authority (CA) with OpenSSL for an Nginx Web Server

Generate new CA

Make a directory for the CA, for example /root/CA, under the root user's home directory

mkdir -p /root/CA
cd /root/CA

Generate the CA private key, example name: rootCA.key (-des3 encrypts the key, so openssl prompts for a passphrase)

openssl genrsa -des3 -out rootCA.key 2048

Generate new CA Certificate

openssl req -x509 -nodes -new -key rootCA.key -days 365 -sha256 -out rootCA.pem

Convert .pem to .p7b if the client is Windows

openssl crl2pkcs7 -nocrl -certfile rootCA.pem -out rootCA.p7b

Success!!

Generate New Private Key for Web

Example domain: dika.id

openssl genrsa -out dika.id.key 2048

Generate a CSR (Certificate Signing Request) for the CA

openssl req -new -key dika.id.key -out dika.id.csr

At the Common Name (FQDN) prompt, enter the domain: dika.id or www.dika.id

Signing Certificate

openssl x509 -req -in dika.id.csr -CA rootCA.pem -CAkey rootCA.key -CAcreateserial -out dika.id.crt -days 365 -sha256
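
The key, CSR and signing steps above as one non-interactive script, added here as an example (not the original post's code). It goes beyond the post by adding a subjectAltName extension, which current browsers use for hostname matching, and by verifying the result; the function names, the .ext file, the -subj values and the unencrypted demo CA key are assumptions.

```shell
#!/bin/sh
# Added example (not from the original post): the page's CA workflow, run
# non-interactively, plus a subjectAltName extension and a verification step.
umask 077   # keys created below are readable by the owner only

make_ca() {  # $1 = working directory
    # Constructed demo: the CA key is left unencrypted so nothing prompts;
    # the page's "-des3" key would ask for a passphrase here and when signing.
    openssl genrsa -out "$1/rootCA.key" 2048 2>/dev/null &&
    openssl req -x509 -new -key "$1/rootCA.key" -days 365 -sha256 \
        -subj "/CN=Example Root CA" -out "$1/rootCA.pem"
}

issue_cert() {  # $1 = working directory, $2 = domain
    # Extensions copied into the signed certificate. Current browsers match
    # the hostname against subjectAltName, not the CSR's Common Name.
    cat > "$1/$2.ext" <<EOF
basicConstraints = CA:FALSE
extendedKeyUsage = serverAuth
subjectAltName = DNS:$2, DNS:www.$2
EOF
    openssl genrsa -out "$1/$2.key" 2048 2>/dev/null &&
    openssl req -new -key "$1/$2.key" -subj "/CN=$2" -out "$1/$2.csr" &&
    openssl x509 -req -in "$1/$2.csr" -CA "$1/rootCA.pem" \
        -CAkey "$1/rootCA.key" -CAcreateserial -days 365 -sha256 \
        -extfile "$1/$2.ext" -out "$1/$2.crt"
}

check_cert() {  # $1 = working directory, $2 = domain, $3 = hostname to test
    # Exit status 0 only if the chain builds to rootCA.pem AND the
    # certificate is valid for the given hostname.
    openssl verify -CAfile "$1/rootCA.pem" -verify_hostname "$3" \
        "$1/$2.crt" >/dev/null 2>&1
}

# Demo run in a throwaway directory.
workdir=$(mktemp -d)
make_ca "$workdir" && issue_cert "$workdir" dika.id &&
    check_cert "$workdir" dika.id www.dika.id &&
    echo "dika.id.crt chains to rootCA.pem and covers www.dika.id"
rm -rf "$workdir"
```

The www.dika.id check passes only because of the subjectAltName entry, since the Common Name in this CSR is dika.id alone.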

Nginx Setup

cd /etc/nginx/sites-available && nano default

Uncomment the # listen 443 ssl line and add the lines below

 ssl_certificate /root/CA/dika.id.crt;
 ssl_certificate_key /root/CA/dika.id.key;
 # TLS 1.0 and 1.1 are deprecated (RFC 8996); enable TLS 1.2 and 1.3 only
 ssl_protocols TLSv1.2 TLSv1.3;

Save and check configuration

nginx -t
nginx: the configuration file /etc/nginx/nginx.conf syntax is ok
nginx: configuration file /etc/nginx/nginx.conf test is successful

Restart Nginx

service nginx restart

Client

Windows

1. Download or copy rootCA.p7b from the server

2. Open Manage computer certificates -> Trusted Root Certification Authorities -> Certificates

3. Right Click -> All Tasks -> Import -> Select file rootCA.p7b -> Next -> Finish

Done

For a Linux client, add the CA file rootCA.pem in the browser
