Dec 02, 2019 4:40 PM Feb 03, 2020 3:10 PM

Adding a trusted self-signed SSL certificate to Nginx on Debian/Ubuntu

In this article I will explain how to add a trusted self-signed SSL certificate to the Nginx server on Debian/Ubuntu. I always use HTTPS for my local development environment, but I was always annoyed that the browser did not trust the self-signed certificate and displayed a warning about it. Several times I tried to figure this out and followed various instructions, but none of them solved the problem. Then one day I decided to look into the problem in detail and finally solve it. I hope these instructions help you too.

At some point the browser errors came back: NET::ERR_CERT_AUTHORITY_INVALID (Google Chrome) and MOZILLA_PKIX_ERROR_SELF_SIGNED_CERT (Firefox), and again I had to work out how to solve them. I wrote a new article on how to add a trusted SSL certificate for the local environment in Nginx on Debian/Ubuntu; that time a root certification authority (CA) is used instead of a plain self-signed certificate.

These instructions were tested on Debian 10, Debian 9, Ubuntu 20.10, Ubuntu 20.04 and Ubuntu 19.10.

Creating an OpenSSL configuration

Let's start with the most important part: the OpenSSL configuration file. Create it by running the following command in the terminal:

nano /tmp/openssl.cnf

Copy and paste the following prepared configuration into the new file. DNS.1 is the name of your server; uncomment DNS.2 if you need support for subdomains. The section headers ([req], [req_distinguished_name], [v3_ca], [alt_names]) are required, because the distinguished_name, x509_extensions and subjectAltName lines refer to them by name:

[req]
default_bits = 2048
default_keyfile = privkey.pem
distinguished_name = req_distinguished_name
x509_extensions = v3_ca # The extensions to add to the self-signed cert

[req_distinguished_name]
countryName = Country Name (2 letter code)
countryName_default = US
stateOrProvinceName = State or Province Name (full name)
stateOrProvinceName_default = New York
localityName = Locality Name (eg, city)
localityName_default = Rochester
organizationName = Organization Name (eg, company)
organizationName_default = Localhost CA
organizationalUnitName = Organizational Unit Name (eg, section)
organizationalUnitName_default = Development
commonName = Common Name (e.g. server FQDN or YOUR name)
commonName_default = localhost
commonName_max = 64

[v3_ca]
# Browsers match the host name against the SAN list, not the Common Name
subjectAltName = @alt_names

[alt_names]
DNS.1 = localhost
# Support subdomains
#DNS.2 = *.domain.local

Save the changes and close the file.

Creating a trusted self-signed SSL certificate

Now let's create a self-signed SSL certificate with a private key using our configuration file:

sudo openssl req -x509 -nodes -days 3650 -newkey rsa:2048 -keyout /etc/ssl/private/localhost.key -out /etc/ssl/certs/localhost.crt -config /tmp/openssl.cnf

While the certificate is being generated you will be prompted for the distinguished-name fields. You can simply press Enter to accept the defaults from the configuration file:

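The configuration and the openssl command above as one non-interactive script that also checks the result, added here as an example and not part of the original article. It writes into a directory you pass instead of /etc/ssl (so no sudo is needed) and assumes the openssl binary (1.1 or later) is on PATH:

```shell
#!/bin/sh
# Added example, not from the original article: the same certificate generation
# as above but non-interactive (prompt = no), followed by checks on the result.
# Writes into DIR instead of /etc/ssl (no sudo); assumes openssl 1.1+ on PATH.
set -eu

# Write a complete openssl.cnf for HOST into DIR, section headers included.
write_cnf() {
  dir="$1"; host="$2"
  cat > "$dir/openssl.cnf" <<EOF
[req]
default_bits = 2048
distinguished_name = req_distinguished_name
x509_extensions = v3_ca
prompt = no
[req_distinguished_name]
CN = $host
O = Localhost CA
[v3_ca]
subjectAltName = @alt_names
[alt_names]
DNS.1 = $host
DNS.2 = *.$host
EOF
}

# Generate DIR/HOST.key and DIR/HOST.crt (valid 10 years, as in the article).
make_cert() {
  dir="$1"; host="$2"
  write_cnf "$dir" "$host"
  openssl req -x509 -nodes -days 3650 -newkey rsa:2048 \
    -keyout "$dir/$host.key" -out "$dir/$host.crt" \
    -config "$dir/openssl.cnf" 2>/dev/null
}

# True if the SAN extension lists HOST (Chrome ignores the CN, so this is required).
cert_has_san() {
  openssl x509 -in "$1" -noout -text | grep -Eq "DNS:$2(,|\$)"
}

# True if issuer equals subject, i.e. the certificate is self-signed.
cert_is_self_signed() {
  s=$(openssl x509 -in "$1" -noout -subject); i=$(openssl x509 -in "$1" -noout -issuer)
  [ "${s#subject=}" = "${i#issuer=}" ]
}

# True if private key KEY belongs to certificate CERT.
key_matches_cert() {
  [ "$(openssl x509 -in "$1" -noout -pubkey)" = "$(openssl pkey -in "$2" -pubout)" ]
}
```

Run it as `make_cert /tmp/certs localhost && cert_has_san /tmp/certs/localhost.crt localhost && echo ok`; a missing SAN entry is the usual reason a certificate stays untrusted in Chrome even after it has been imported.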

Configuring Nginx to use SSL

Let's enable SSL in the Nginx server configuration. We will specify listening on port 443 (HTTPS) and the path to the certificate and private key files. Edit the server configuration file /etc/nginx/sites-available/default:

sudo nano /etc/nginx/sites-available/default

server {
	listen 80 default_server;
	listen [::]:80 default_server;

	listen 443 ssl default_server;
	listen [::]:443 ssl default_server;

	ssl_certificate /etc/ssl/certs/localhost.crt;
	ssl_certificate_key /etc/ssl/private/localhost.key;

	root /var/www/html;
	index index.html index.htm index.nginx-debian.html;

	server_name _;

	location / {
		try_files $uri $uri/ =404;
	}
}

Save the changes and close the file. Check the configuration for validity by running the command in the terminal:

sudo nginx -t

Now apply the configuration changes by running the command in the terminal:

sudo service nginx reload

Installing certutil utility

Now we need to add the generated SSL certificate to the database that the browser uses. The certutil utility, which is part of the libnss3-tools package, is used to manage this database. If you do not have this package in the system, then install it.

Before any software installation, it is recommended to update the list of repository packages by running the command in the terminal:

sudo apt-get update

Install the libnss3-tools package by running the command in the terminal:

sudo apt-get install libnss3-tools

Adding a certificate to the database

Let's add the generated SSL certificate to the database using the certutil utility by running the command in the terminal:

certutil -d sql:$HOME/.pki/nssdb -A -t "P,," -n localhost.crt -i /etc/ssl/certs/localhost.crt

These steps have been tested in Google Chrome and Opera.

The Firefox browser still does not trust the certificate, because it keeps its own database (cert8.db) inside the profile directory, which I edited as follows (replace xqck5xx8.default with the name of your own profile directory under ~/.mozilla/firefox):

certutil -d sql:$HOME/.mozilla/firefox/xqck5xx8.default -A -t "P,," -n localhost.crt -i /etc/ssl/certs/localhost.crt
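The two certutil commands above generalised into one script that finds every NSS database under a home directory (Chrome/Chromium's shared nssdb and each Firefox profile) instead of hard-coding one profile directory name; this is an added example, not code from the original article. It assumes libnss3-tools is installed (certutil on PATH) and looks for cert9.db, the SQLite database used by current NSS versions:

```shell
#!/bin/sh
# Added example, not from the original article: locate every NSS certificate
# database under HOME (Chrome/Chromium's ~/.pki/nssdb and each Firefox
# profile's cert9.db) and trust CERT in all of them, rather than editing one
# hard-coded profile directory. Assumes certutil from libnss3-tools on PATH.
set -eu

# Print each directory under HOME that holds an NSS "sql:" database (cert9.db).
nss_db_dirs() {
  home="$1"
  [ -f "$home/.pki/nssdb/cert9.db" ] && echo "$home/.pki/nssdb"
  for f in "$home"/.mozilla/firefox/*/cert9.db; do
    [ -f "$f" ] && dirname "$f"
  done
  return 0
}

# Add CERT as a trusted peer ("P,,") under nickname NICK to every database
# found, then list it back so a failed import is noticed immediately.
trust_cert_everywhere() {
  home="$1"; cert="$2"; nick="$3"
  nss_db_dirs "$home" | while read -r db; do
    certutil -d "sql:$db" -A -t "P,," -n "$nick" -i "$cert"
    certutil -d "sql:$db" -L -n "$nick" >/dev/null
    echo "trusted $nick in $db"
  done
}
```

Usage: `trust_cert_everywhere "$HOME" /etc/ssl/certs/localhost.crt localhost.crt`, followed by a restart of the browsers so they reread their databases.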

Encryption testing

In order for the browser to read the updated certificate database, you need to restart your browser (close and reopen).

Let's check that our Nginx server is accessible via the HTTPS protocol by entering the following address in the browser:


If you did everything correctly, you will see that the browser has begun to trust your self-signed certificate. Your connection will now be encrypted using the HTTPS protocol without displaying a warning about an insecure connection:

[Screenshot: Nginx welcome page with trusted SSL]
