Feb 03, 2020 2:20 PM

Adding a trusted SSL certificate for the local environment in Nginx on Debian/Ubuntu (using root CA)

In this article I will explain how to add a trusted SSL certificate for the local development environment to the Nginx server on Debian/Ubuntu. I always use HTTPS for local development, but the browser displays a warning that it does not trust the self-signed certificate. I have already written an article on adding a trusted self-signed SSL certificate to Nginx on Debian/Ubuntu, but that solution does not always work. At some point the browser errors came back: NET::ERR_CERT_AUTHORITY_INVALID in Google Chrome and MOZILLA_PKIX_ERROR_SELF_SIGNED_CERT in Firefox, perhaps because something changed after a system update. So once again I had to work out how to solve this problem. This time we will use our own root certification authority (CA). I hope this improved instruction helps you too.

These instructions were carried out on the following operating systems: Debian 10, Debian 9, Ubuntu 20.10, Ubuntu 20.04, Ubuntu 19.10.

Creating an OpenSSL configuration

Let's start with this important step. We need to create a configuration file for OpenSSL by running the following command in the terminal:

nano /tmp/openssl.cnf

Copy and paste the following prepared configuration into the new file, where DNS.1 is the name of your server (uncomment and set DNS.2 if you need support for subdomains):

[req]
default_bits = 2048
distinguished_name = req_distinguished_name
prompt = no

[req_distinguished_name]
C = US
ST = New York
L = Rochester
O = Localhost CA
OU = Development
CN = localhost

[v3_ca]
subjectAltName = @alt_names

[alt_names]
DNS.1 = localhost
# Support subdomains
#DNS.2 = *.domain.local

Save the changes and close the file.

Creating a root certification authority (CA)

We will use the root certification authority (CA) to sign all of our SSL certificates. But first we need to create the root certificate itself. Let's create its private key rootCA.key by running the command in the terminal:

sudo openssl genrsa -out /etc/ssl/private/rootCA.key 2048

or, to protect the key with a passphrase:

sudo openssl genrsa -des3 -out /etc/ssl/private/rootCA.key 2048

Now let's create the certificate file rootCA.pem from the private key rootCA.key by running the command in the terminal:

sudo openssl req -x509 -new -nodes -key /etc/ssl/private/rootCA.key -sha256 -days 3650 -out /etc/ssl/certs/rootCA.pem

While the certificate is being generated you will be asked several questions. You can skip them:

[Screenshot: Creating a root certification authority]

Creating SSL certificates

Now we can create new certificates signed by the root certificate rootCA.pem. First we need to create a private key and a certificate signing request (CSR) by running the command in the terminal:

sudo openssl req -new -sha256 -nodes -newkey rsa:2048 -keyout /etc/ssl/private/localhost.key -out /etc/ssl/private/localhost.csr -config /tmp/openssl.cnf

Now we will create the certificate file, signed by the root certification authority we created earlier, by running the command in the terminal:

sudo openssl x509 -req -in /etc/ssl/private/localhost.csr -CA /etc/ssl/certs/rootCA.pem -CAkey /etc/ssl/private/rootCA.key -CAcreateserial -out /etc/ssl/certs/localhost.crt -sha256 -days 3650 -extfile /tmp/openssl.cnf -extensions v3_ca

[Screenshot: Creating SSL certificates]
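As an added example (not the article's own commands), the following script runs the same OpenSSL steps in a scratch directory and then checks what the browser will check: that localhost.crt chains to rootCA.pem and that its SAN contains DNS:localhost. It assumes openssl and mktemp are available, shortens the distinguished name to O and CN, and adds a [v3_root] section so the CA certificate carries basicConstraints CA:TRUE regardless of what the system default openssl.cnf provides.

```shell
#!/bin/sh
# Added example, not from the article: build a throwaway root CA and a "localhost" leaf
# with the article's OpenSSL steps, then verify chain and SAN the way a browser does.
set -eu
WORK="${WORK:-$(mktemp -d)}"   # assumption: scratch directory instead of /etc/ssl

# Shortened copy of the article's openssl.cnf; [v3_root] is added here so the CA cert
# carries basicConstraints CA:TRUE no matter what the system default config says.
write_config() {
  cat > "$WORK/openssl.cnf" <<'EOF'
[req]
distinguished_name = req_distinguished_name
prompt = no
[req_distinguished_name]
O = Localhost CA
CN = localhost
[v3_root]
basicConstraints = critical, CA:TRUE
keyUsage = critical, keyCertSign, cRLSign
[v3_ca]
subjectAltName = @alt_names
[alt_names]
DNS.1 = localhost
EOF
}

# Root CA: private key plus self-signed certificate (-subj replaces the prompts).
make_root_ca() {
  openssl genrsa -out "$WORK/rootCA.key" 2048 2>/dev/null
  openssl req -x509 -new -nodes -key "$WORK/rootCA.key" -sha256 -days 3650 \
    -config "$WORK/openssl.cnf" -extensions v3_root \
    -subj "/O=Localhost CA/CN=Localhost Root CA" -out "$WORK/rootCA.pem"
}

# Leaf: key + CSR from the config, then sign it with the root, copying [v3_ca] (the SAN).
make_leaf_cert() {
  openssl req -new -sha256 -nodes -newkey rsa:2048 -keyout "$WORK/localhost.key" \
    -out "$WORK/localhost.csr" -config "$WORK/openssl.cnf" 2>/dev/null
  openssl x509 -req -in "$WORK/localhost.csr" -CA "$WORK/rootCA.pem" \
    -CAkey "$WORK/rootCA.key" -CAcreateserial -out "$WORK/localhost.crt" \
    -sha256 -days 3650 -extfile "$WORK/openssl.cnf" -extensions v3_ca 2>/dev/null
}

# Exit 0 only if localhost.crt chains to the CA file $1 (the "trust store").
chains_to() { openssl verify -CAfile "$1" "$WORK/localhost.crt" >/dev/null 2>&1; }
# Exit 0 only if the leaf carries DNS:localhost, the name the browser matches against the URL.
has_san_localhost() { openssl x509 -in "$WORK/localhost.crt" -noout -text | grep -q 'DNS:localhost'; }

write_config; make_root_ca; make_leaf_cert
chains_to "$WORK/rootCA.pem" && has_san_localhost && echo "localhost.crt: trusted via rootCA.pem, SAN ok"
```

Against the real server the same check is openssl s_client -connect localhost:443 -CAfile /etc/ssl/certs/rootCA.pem, which should report "Verify return code: 0 (ok)". Remember that rootCA.key is the trust anchor for every browser that imports rootCA.pem, so keep it readable only by root.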

Configuring Nginx to use SSL

Let's enable SSL in the Nginx server configuration: listen on port 443 (HTTPS) and point Nginx to the certificate and private key files. Edit the server configuration file /etc/nginx/sites-available/default:

sudo nano /etc/nginx/sites-available/default

server {
	listen 80 default_server;
	listen [::]:80 default_server;

	listen 443 ssl default_server;
	listen [::]:443 ssl default_server;

	ssl_certificate /etc/ssl/certs/localhost.crt;
	ssl_certificate_key /etc/ssl/private/localhost.key;

	root /var/www/html;
	index index.html index.htm index.nginx-debian.html;

	server_name _;

	location / {
		try_files $uri $uri/ =404;
	}
}

Save the changes and close the file. Check the configuration for validity by running the command in the terminal:

sudo nginx -t

Now apply the configuration changes by running the command in the terminal:

sudo service nginx reload

Adding a certification authority to the browser

For the browser to trust the created certificates, you must add your root certification authority rootCA.pem to the browser's list of trusted certification authorities:

[Screenshot: Adding a certification authority to the browser]

Select the root certification authority file rootCA.pem.

Enable all trust settings for the root certification authority rootCA.pem.

The certification authority will be called "Internet Widgits Pty Ltd", the default organization name that OpenSSL fills in when you skip the questions. If you want to edit its trust settings or delete the CA, search by this name.

Encryption testing

Let's check that our Nginx server is accessible via the HTTPS protocol by entering the following address in the browser:

https://localhost

If you did everything correctly, you will see that the browser now trusts your SSL certificate. Your connection is encrypted using HTTPS without any warning about an insecure connection:

[Screenshot: Nginx welcome page with a trusted SSL certificate]
