Generating SSL Certificates with OpenSSL and Configuring Nginx for HTTPS

This article demonstrates three methods for creating SSL certificates with OpenSSL and provides an Nginx configuration example to enable HTTPS.

Method 1 – Direct self‑signed certificate

Generate a 1024‑bit RSA private key:

openssl genrsa -out server.key 1024

Then create a self‑signed certificate with required subject information:

openssl req -new -x509 -days 3650 -key server.key -out server.crt -subj "/C=CN/ST=mykey/L=mykey/O=mykey/OU=mykey/CN=domain1/CN=domain2/CN=domain3"

Method 2 – CSR‑based signing (supports wildcard)

Generate the private key (same as above) and then create a certificate signing request (CSR):

openssl req -new -key server.key -out server.csr

After filling the prompted information (e.g., *.aa.com for a wildcard), sign the CSR with the private key to obtain the certificate:

openssl x509 -req -in server.csr -out server.crt -signkey server.key -days 3650

Method 3 – One‑step certificate generation

For a quick certificate without extra parameters, run:

openssl req -new -x509 -keyout server.key -out server.crt -config openssl.cnf

This method is recommended when other options are not needed.

Nginx HTTPS configuration

Insert the following snippet into nginx.conf (adjust paths and domain as required):

# HTTPS server
server {
    listen 8080 ssl; # port
    server_name aaa.com;
    ssl on;
    ssl_certificate /usr/local/nginx/ssl/ssl.pem;
    ssl_certificate_key /usr/local/nginx/ssl/ssl.key;
    ssl_session_cache shared:SSL:1m;
    ssl_session_timeout 5m;
    ssl_ciphers HIGH:!aNULL:!MD5;
    ssl_prefer_server_ciphers on;
    location / {
        proxy_pass http://backend-domain:8080/;
    }
}

Note that self‑generated certificates work within an internal network but are not trusted on the public internet.