
How to Generate Self‑Signed HTTPS Certificates and Configure Nginx in Docker

This guide explains the fundamentals of HTTPS, walks through creating a self‑signed certificate with OpenSSL, and shows step‑by‑step how to set up Nginx inside a Docker container to serve secure traffic on port 443.

Liangxu Linux

HTTPS Overview

HTTPS adds encryption and server authentication to HTTP using SSL/TLS. The client and server negotiate a secure channel before any application data is exchanged.

Typical TLS Handshake

1. Client connects to the server on TCP port 443 and sends a ClientHello.

2. Server replies with ServerHello, its X.509 certificate (containing the public key) and optionally a ServerKeyExchange.

3. Client validates the certificate chain, extracts the server’s public key, generates a random pre‑master secret, encrypts it with the server’s public key and sends it to the server. (This is the RSA key exchange of TLS 1.2 and earlier; TLS 1.3 removed it and always uses an ephemeral Diffie‑Hellman exchange.)

4. Both sides derive the same symmetric session keys from the pre‑master secret.

5. Application data is then encrypted with the symmetric keys (e.g., AES‑GCM) for the remainder of the connection.

Creating a Self‑Signed Certificate with OpenSSL

Verify OpenSSL Installation

openssl version -a

Generate a Private RSA Key (2048‑bit)

openssl genrsa -des3 -out server.key 2048

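The -des3 option encrypts the key file with Triple DES, using a passphrase you are prompted for. OpenSSL also accepts -aes256 here if you prefer AES for the key file.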

Remove the Passphrase (optional for automated servers)

openssl rsa -in server.key -out server.key

Create a Certificate Signing Request (CSR)

openssl req -new -key server.key -out server.csr

During the interactive prompts supply the required DN fields (C, ST, L, O, OU, CN, email). The result is server.csr.

Generate a Self‑Signed Root Certificate (valid 10 years)

openssl req -new -x509 -key server.key -out ca.crt -days 3650

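This creates ca.crt, a self‑signed CA certificate. Because it is generated from server.key, the CA and the server share the same key pair in this walkthrough.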

Sign the Server CSR with the Root CA

openssl x509 -req -days 3650 -in server.csr -CA ca.crt -CAkey server.key -CAcreateserial -out server.crt

The command produces ca.srl (serial number file) and server.crt. At this point you have:

server.key – private key
server.csr – certificate request
ca.crt – self‑signed CA certificate
server.crt – server certificate signed by the CA
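The steps above sign server.crt with server.key, so anyone who obtains the server key also holds the CA key, and the signed certificate carries no subjectAltName, which current browsers require for name matching. An added example (not from the original article) that uses a separate CA key, adds a SAN at signing time and checks the result; demo.internal, demo-server and Demo Local CA are constructed placeholders, and issue_cert, pubkey_fp, shares_key and has_san are hypothetical helper names:

```shell
#!/usr/bin/env bash
# Added example: the CA and the server use different keys, and the leaf has a SAN.
# "demo.internal", "demo-server" and "Demo Local CA" are constructed placeholders.

# issue_cert DIR SAN   e.g. issue_cert ./pki DNS:demo.internal  (or IP:<address>)
issue_cert() {
    ( cd "$1" || exit 1
      umask 077    # every file created below is readable by its owner only
      # CA key and self-signed CA certificate; ca.key never goes into the container
      openssl genrsa -out ca.key 2048 2>/dev/null
      openssl req -new -x509 -key ca.key -out ca.crt -days 3650 \
          -subj "/CN=Demo Local CA"
      # Separate server key and CSR
      openssl genrsa -out server.key 2048 2>/dev/null
      openssl req -new -key server.key -out server.csr -subj "/CN=demo-server"
      # "openssl x509 -req" does not copy CSR extensions by default,
      # so the SAN and usage constraints are supplied at signing time
      printf '%s\n' "subjectAltName=$2" "basicConstraints=CA:FALSE" \
          "extendedKeyUsage=serverAuth" > server.ext
      openssl x509 -req -in server.csr -CA ca.crt -CAkey ca.key -CAcreateserial \
          -days 365 -extfile server.ext -out server.crt 2>/dev/null )
}

# pubkey_fp CERT: SHA-256 digest of the certificate's public key (PEM form)
pubkey_fp() { openssl x509 -in "$1" -noout -pubkey | openssl dgst -sha256; }

# shares_key A B: succeeds when both certificates carry the same public key
shares_key() { [ "$(pubkey_fp "$1")" = "$(pubkey_fp "$2")" ]; }

# has_san CERT TEXT: succeeds when TEXT appears in the certificate's text dump
# (DNS entries print as "DNS:name", IP entries as "IP Address:a.b.c.d")
has_san() { openssl x509 -in "$1" -noout -text | grep -qF "$2"; }

work=$(mktemp -d)
issue_cert "$work" "DNS:demo.internal"
openssl verify -CAfile "$work/ca.crt" "$work/server.crt"
shares_key "$work/ca.crt" "$work/server.crt" && echo "WARNING: CA and server share a key"
has_san "$work/server.crt" "DNS:demo.internal" && echo "SAN present"
```

Running shares_key on the ca.crt and server.crt produced by the article's own commands reports a shared key, since both are built from server.key.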

Deploying Nginx with Docker and Enabling HTTPS

Pull the Official Nginx Image

docker pull nginx

Run a Container Exposing HTTP (8080) and HTTPS (443)

docker run --name nginx -p 8080:80 -p 443:443 -d nginx

The container ID (e.g., c38536903a8d) is needed for subsequent docker cp commands.

Copy the Generated Certificate and Key into the Container

docker cp server.key <container_id>:/etc/nginx/
docker cp server.crt <container_id>:/etc/nginx/

Export the Default Nginx Configuration, Edit It, and Re‑import

docker cp <container_id>:/etc/nginx/nginx.conf .

Add an SSL server block (or modify an existing one) as follows:

user  nginx;
worker_processes  auto;

error_log  /var/log/nginx/error.log notice;
pid        /var/run/nginx.pid;

events {
    worker_connections  1024;
}

http {
    include       /etc/nginx/mime.types;
    default_type  application/octet-stream;

    log_format  main  '$remote_addr - $remote_user [$time_local] "$request" '
                      '$status $body_bytes_sent "$http_referer" '
                      '"$http_user_agent" "$http_x_forwarded_for"';
    access_log  /var/log/nginx/access.log  main;

    sendfile        on;
    keepalive_timeout  65;

    include /etc/nginx/conf.d/*.conf;

    server {
        listen 443 ssl;
        server_name 42.192.20.119;  # replace with your IP or domain
        ssl_certificate     /etc/nginx/server.crt;
        ssl_certificate_key /etc/nginx/server.key;

        location / {
            root   /usr/share/nginx/html;
            index  index.html;
        }
    }
}

Copy the Modified Configuration Back into the Container

docker cp nginx.conf <container_id>:/etc/nginx/

Restart Nginx to Apply the Changes

docker restart <container_id>

After the restart, accessing https://<your‑ip>:443 will present the site secured with the self‑signed certificate. Browsers show a certificate warning until ca.crt is imported into the client's trust store.

Republication Notice

This article has been distilled and summarized from source material, then republished for learning and reference. If you believe it infringes your rights, please contact admin@besthub.dev and we will review it promptly.

Written by

Liangxu Linux

Liangxu, a self‑taught IT professional now working as a Linux development engineer at a Fortune 500 multinational, shares extensive Linux knowledge—fundamentals, applications, tools, plus Git, databases, Raspberry Pi, etc. (Reply “Linux” to receive essential resources.)
