Personal SSL guide for nginx
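# Minimal TLS listener. On its own this is NOT a hardened configuration:
# protocol versions, cipher suites, session settings and HSTS are left at
# nginx defaults. It's best to generate a fitting one using:
# https://ssl-config.mozilla.org
listen 443 ssl;
# For a publicly trusted CA this file must hold the leaf certificate
# followed by the intermediate chain, otherwise some clients fail to build
# the chain.
ssl_certificate /etc/ssl/certs/example.com.crt;
# Keep the private key owner root, mode 0600; nothing else needs to read it.
ssl_certificate_key /etc/ssl/private/example.com.key;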
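# Key and CSR for a publicly trusted CA.
# 2048-bit RSA is the minimum public CAs accept today; 3072/4096, or an EC key
# (openssl ecparam -genkey -name prime256v1), is a reasonable upgrade.
# umask 077 so the key file is created owner-only instead of world-readable.
umask 077
openssl genrsa -out my.key 2048
# Use -batch to ignore csr options, since sites like digicert rewrite these
# anyway. The subject then comes from openssl.cnf defaults; inspect what you
# are about to submit with: openssl req -noout -text -in my.csr
openssl req -new -key my.key -out my.csr -batch
# For a CA that offers duplicate/reissue (e.g. DigiCert): simply put in the new
# or old CSR and generate a duplicate.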
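# Confirm that a key, CSR and certificate belong together. This can help make
# certain that you're using the right one. With RSA keys the modulus is unique
# to the key pair, so equal hashes mean a match (md5 is only an equality
# shortcut here, not a security property).
openssl req -noout -modulus -in server.csr | openssl md5
openssl rsa -noout -modulus -in server.key | openssl md5
openssl x509 -noout -modulus -in server.pem | openssl md5
# -modulus only exists for RSA. For any key type (RSA, EC, Ed25519) compare
# the public key (SubjectPublicKeyInfo) instead; all three hashes must agree.
openssl req -noout -pubkey -in server.csr | openssl sha256
openssl pkey -pubout -in server.key | openssl sha256
openssl x509 -noout -pubkey -in server.pem | openssl sha256
# Print the certificate contents (subject, SANs, validity, extensions).
# -noout suppresses re-printing the PEM block after the text dump.
openssl x509 -noout -text -in my.pem
# Example paths used below.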
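# Example paths used below. Private keys live in /etc/ssl/private, which
# should be root-only; everything under /etc/ssl/certs is public material.
CAkey=/etc/ssl/private/myCA.key
CApem=/etc/ssl/certs/myCA.pem
key=/etc/ssl/private/example.com.key
csr=/etc/ssl/certs/example.com.csr
crt=/etc/ssl/certs/example.com.crt
ext=/etc/ssl/certs/example.com.ext
# The CA key can sign a certificate for ANY name that hosts trusting $CApem
# will accept, so it is the most sensitive file in this guide: create it
# owner-only (umask 077) and passphrase-protected (-aes256). Every later use
# of $CAkey (signing) prompts for the passphrase. 4096 bits because the CA
# key is used rarely, so its size costs nothing at TLS time.
umask 077
openssl genrsa -aes256 -out "$CAkey" 4096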
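# Self-signed CA certificate. -batch and -subj avoid the interactive prompts.
# With -key given, -nodes is a no-op (it only affects a key that req itself
# generates), so it is dropped. Afterwards check that basicConstraints shows
# "CA:TRUE" (openssl x509 -noout -text -in "$CApem"); with the stock
# openssl.cnf, `req -x509` adds it.
openssl req -x509 -new -key "$CAkey" -sha256 -days 825 -out "$CApem" -subj "/CN=myCA" -batch
# Install the CA in the system trust store (p11-kit). From now on ANY
# certificate signed with $CAkey is trusted by this host, including for names
# you do not own, so keep $CAkey off machines that trust it where possible and
# remove the anchor when it is no longer needed:
#   trust anchor --remove "$CApem"
trust anchor "$CApem"
# Server key and CSR. The subject CN alone is ignored by modern clients; the
# names a client will accept come from subjectAltName in $ext below.
openssl genrsa -out "$key" 2048
chmod 600 "$key"
openssl req -new -key "$key" -out "$csr" -subj "/CN=example.com" -batch
# Extension file for the leaf certificate. `openssl x509 -req` does not copy
# extensions from the CSR, so everything the certificate needs is listed here.
cat > "$ext" <<'EOF'
authorityKeyIdentifier = keyid,issuer
subjectKeyIdentifier = hash
basicConstraints = critical, CA:FALSE
# digitalSignature covers (EC)DHE handshake signatures, keyEncipherment RSA
# key exchange; nonRepudiation/dataEncipherment mean nothing for a TLS server.
keyUsage = critical, digitalSignature, keyEncipherment
# Restrict the certificate to TLS server use.
extendedKeyUsage = serverAuth
subjectAltName = @alt_names
[alt_names]
DNS.1 = example.com
DNS.2 = www.example.com
DNS.3 = test.example.com
DNS.4 = localhost
DNS.5 = localhost.localdomain
IP.1 = 127.0.0.1
IP.2 = ::1
EOF
# Sign with the CA. -CAcreateserial creates myCA.srl next to $CApem on first
# use; later runs read and increment it so serials stay unique. 825 days is
# the longest leaf validity Apple clients accept; shorter (<= 398 days, as
# public CAs issue) is safer.
openssl x509 -req -in "$csr" -CA "$CApem" -CAkey "$CAkey" -CAcreateserial -out "$crt" -days 825 -sha256 -extfile "$ext"
# Check chain, hostname match and TLS-server purpose for every SAN. IP SANs
# must be checked with -verify_ip rather than -verify_hostname.
for name in example.com www.example.com test.example.com localhost localhost.localdomain; do
  openssl verify -CAfile "$CApem" -purpose sslserver -verify_hostname "$name" "$crt"
done
openssl verify -CAfile "$CApem" -purpose sslserver -verify_ip 127.0.0.1 "$crt"
openssl verify -CAfile "$CApem" -purpose sslserver -verify_ip ::1 "$crt"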