BestHub
Sign in
Information Security 5 min read

Create a Self‑Signed SSL Certificate with OpenSSL and Secure Nginx Intranet Access

This guide walks through installing OpenSSL, generating a self‑signed SSL key and certificate for an internal IP address, configuring Nginx to use the certificate, and importing the certificate into Chrome and Firefox, including necessary extensions to avoid common name errors.

MaGe Linux Operations
MaGe Linux Operations
MaGe Linux Operations
Create a Self‑Signed SSL Certificate with OpenSSL and Secure Nginx Intranet Access

Requirement: internal network access via IP must use HTTPS without insecure warnings.

OpenSSL Self‑Signed Certificate

Install OpenSSL:

yum install openssl openssl-devel -y
mkdir -pv /etc/ssl/private

Generate key and CSR:

cd /etc/ssl/private/
openssl req -new -newkey rsa:2048 -sha256 -nodes -out 192.168.199.104.csr -keyout 192.168.199.104.key -subj "/C=CN/ST=Beijing/L=Beijing/O=Super Inc./OU=Web Security/CN=192.168.199.104"
openssl x509 -req -days 365 -in 192.168.199.104.csr -signkey 192.168.199.104.key -out 192.168.199.104.crt

Configure Nginx for SSL

Update Nginx configuration to use the generated certificate and key (see image).

nginx -t
nginx -s reload

Import the certificate into Chrome:

Copy 192.168.199.104.crt to Windows and import via Chrome → Settings → Privacy and security → Manage certificates → Import.

Firefox import steps are similar (illustrated in the image).

Chrome may still show “NET::ERR_CERT_COMMON_NAME_INVALID”. To fix, delete the previously imported certificate and add an extension file http.ext with the following content:

keyUsage = nonRepudiation, digitalSignature, keyEncipherment
extendedKeyUsage = serverAuth, clientAuth
subjectAltName = @SubjectAlternativeName

[SubjectAlternativeName]
IP.1 = 127.0.0.1
IP.2 = 192.168.199.104

Regenerate the certificate using the extension:

openssl req -new -newkey rsa:2048 -sha256 -nodes -out 192.168.199.104.csr -keyout 192.168.199.104.key -subj "/C=CN/ST=Beijing/L=Beijing/O=Super Inc./OU=Web Security/CN=192.168.199.104"
openssl x509 -req -days 365 -in 192.168.199.104.csr -signkey 192.168.199.104.key -out 192.168.199.104.crt -extfile http.ext

After reloading Nginx and clearing Chrome’s cache, import the new .crt file again; the insecure warning disappears.

Summary

Chrome requires an additional extension file with proper key usage and Subject Alternative Name entries.

Two commands generate the self‑signed certificate.

Import the .crt into Chrome’s trusted root certificate store.

Reload Nginx and clear browser cache before testing.

Original Source

Signed-in readers can open the original source through BestHub's protected redirect.

Sign in to view source
Republication Notice

This article has been distilled and summarized from source material, then republished for learning and reference. If you believe it infringes your rights, please contactadmin@besthub.devand we will review it promptly.

NGINXOpenSSLSSLself-signed certificate
MaGe Linux Operations
Written by

MaGe Linux Operations

Founded in 2009, MaGe Education is a top Chinese high‑end IT training brand. Its graduates earn 12K+ RMB salaries, and the school has trained tens of thousands of students. It offers high‑pay courses in Linux cloud operations, Python full‑stack, automation, data analysis, AI, and Go high‑concurrency architecture. Thanks to quality courses and a solid reputation, it has talent partnerships with numerous internet firms.

0 followers
Reader feedback

How this landed with the community

Sign in to like

Rate this article

Was this worth your time?

Sign in to rate
Discussion

0 Comments

Thoughtful readers leave field notes, pushback, and hard-won operational detail here.

Sign in to comment