Save the following configuration as openssl.cnf:
[ req ]
default_bits = 2048
default_keyfile = self-signed.key
distinguished_name = req_distinguished_name
req_extensions = req_ext
x509_extensions = v3_req
prompt = no
[ req_distinguished_name ]
C = PL
ST = Lower Silesia
L = Wroclaw
O = PWr
OU = INA
CN = containers.lo
emailAddress = [email protected]
[ req_ext ]
subjectAltName = @alt_names
[ v3_req ]
keyUsage = critical, digitalSignature, keyEncipherment
extendedKeyUsage = serverAuth
subjectAltName = @alt_names
[ alt_names ]
DNS.1 = containers.lo
DNS.2 = www.containers.lo
Run the following command:
openssl req -x509 -nodes -days 365 -newkey rsa:2048 \
-keyout self-signed.key -out self-signed.crt \
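-config openssl.cnf
Explanation: this creates a self-signed X.509 certificate valid for 365 days, using a new 2048-bit RSA key,
and saves it to a pair of files, self-signed.key and self-signed.crt. The -nodes option leaves the private key in self-signed.key unencrypted.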
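Before pointing a server at the new files, it is worth confirming that the certificate really carries what the configuration asked for. The script below is an added example, not part of the original page: it wraps the command above in a function and adds four checks (SAN coverage, key/certificate match, serverAuth usage, remaining validity). The function names are hypothetical, and the embedded config is a trimmed copy of the one above with emailAddress omitted.

```shell
# Added example: build the page's certificate in a scratch directory, then verify it.
# make_cert DIR: writes a trimmed copy of the page's openssl.cnf (emailAddress
# omitted) into DIR and runs the page's openssl req command there.
make_cert() {
    ( cd "$1" || exit 1
      cat > openssl.cnf <<'EOF'
[ req ]
default_bits = 2048
distinguished_name = req_distinguished_name
x509_extensions = v3_req
prompt = no
[ req_distinguished_name ]
C = PL
O = PWr
CN = containers.lo
[ v3_req ]
keyUsage = critical, digitalSignature, keyEncipherment
extendedKeyUsage = serverAuth
subjectAltName = @alt_names
[ alt_names ]
DNS.1 = containers.lo
DNS.2 = www.containers.lo
EOF
      openssl req -x509 -nodes -days 365 -newkey rsa:2048 \
          -keyout self-signed.key -out self-signed.crt \
          -config openssl.cnf 2>/dev/null )
}

# cert_covers CRT HOST: succeeds only if HOST matches a name in the certificate.
cert_covers() {
    openssl x509 -in "$1" -noout -checkhost "$2" | grep -q 'does match'
}

# key_matches CRT KEY: succeeds only if KEY's public half equals the certificate's.
key_matches() {
    [ "$(openssl x509 -in "$1" -noout -pubkey)" = "$(openssl pkey -in "$2" -pubout)" ]
}

# is_server_cert CRT: succeeds only if extendedKeyUsage includes serverAuth.
is_server_cert() {
    openssl x509 -in "$1" -noout -text | grep -q 'TLS Web Server Authentication'
}

# valid_for_days CRT DAYS: succeeds only if CRT is still valid DAYS days from now.
valid_for_days() {
    openssl x509 -in "$1" -noout -checkend $(( $2 * 86400 )) >/dev/null
}
```

Call make_cert on an empty directory, then run the checks against self-signed.crt and self-signed.key in it; each function returns non-zero on failure.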
Enable listening on the SSL port:
server {
listen 443 ssl;
listen [::]:443 ssl;
server_name containers.lo;
ssl_certificate /etc/nginx/ssl/self-signed.crt;
ssl_certificate_key /etc/nginx/ssl/self-signed.key;
# ... proceed with location(s) as usual
}
We can enforce various SSL parameters, such as:
ssl_protocols TLSv1.2 TLSv1.3;
ssl_prefer_server_ciphers on;