## Table of Contents
- [Creating the SSL Certificate](#creating-the-ssl-certificate)
- [Configuring Nginx to Use SSL](#configuring-nginx-to-use-ssl)
- [Arranging Snippet Pointing to the SSL Key and Certificate](#arranging-snippet-pointing-to-the-ssl-key-and-certificate)
- [Arranging Snippet With Strong Encryption Settings](#arranging-snippet-with-strong-encryption-settings)
- [Arrange the Nginx Configuration to Run SSL](#arrange-the-nginx-configuration-to-run-ssl)
- [Arranging the Firewall](#arranging-the-firewall)
- [Enable the Changes in Nginx](#enable-the-changes-in-nginx)
- [Testing SSL Certification Secure / Unsecured](#testing-ssl-certification-secure-unsecured)

SSL (Secure Sockets Layer), which was succeeded by TLS (Transport Layer Security), is a standard security technology for establishing an encrypted link between a web server and a browser. When the browser connects, it asks the server to identify itself, and the server responds with its SSL certificate, which includes the server's public key. Once the secure connection is established, the transmitted data is encrypted using a session key.
This guide shows how to create a self-signed SSL certificate for use with Nginx on an Ubuntu 18.04 server.
You should have access to an Ubuntu 18.04 server and have created a non-root user account with sudo privileges by following our guide, [Initial server setup with Ubuntu 18.04](https://systemongrid.com/support/guides/how-to-do-initial-server-setup-with-ubuntu-18.04).
You should also have installed Nginx by following our guide, [Install Nginx web server on Ubuntu 18.04](https://systemongrid.com/support/guides/how-to-install-nginx-on-ubuntu-18.04).
## Creating the SSL Certificate
SSL works by using a combination of a public certificate and a private key on the server. The SSL key is kept secret on the server because it is used to encrypt the data sent to the client. The SSL certificate is freely shared with anyone requesting the content, and it can be used to decrypt data signed by the related SSL key.
You can generate a self-signed key and certificate pair with OpenSSL in a single command:
$ sudo openssl req -x509 -nodes -days 365 -newkey rsa:2048 -keyout /etc/ssl/private/nginx-selfsigned.key -out /etc/ssl/certs/nginx-selfsigned.crt
When you run the command, you will be asked a few questions about your server so that the information is placed correctly in the certificate.
Both files you created will be placed in subdirectories of the /etc/ssl directory.
While we are using OpenSSL, we should also create a strong Diffie-Hellman group, which is recommended for negotiating perfect forward secrecy with clients.
$ sudo openssl dhparam -out /etc/nginx/dhparam.pem 4096
This command takes some time to complete. When it finishes, you will have a strong DH group at /etc/nginx/dhparam.pem.
## Configuring Nginx to Use SSL
We have now created our key and certificate files under the /etc/ssl directory. To make Nginx use them, we need to:
- Create a configuration snippet that contains our key and certificate file locations.
- Create a configuration snippet with strong SSL settings that can be used with any certificates in the future.
- Adjust the Nginx server blocks to handle SSL requests using the two snippets.

This method of configuring Nginx keeps the server blocks clean and puts similar configuration segments into reusable snippets.
## Arranging Snippet Pointing to the SSL Key and Certificate
Let's create a new Nginx configuration snippet in the /etc/nginx/snippets directory.
To make the purpose of the file easy to recognize, let's call it self-signed.conf:
$ sudo nano /etc/nginx/snippets/self-signed.conf
In this file, add the two lines that point Nginx to the SSL certificate and its key.
After you have added those lines, save the file and close the editor.
## Arranging Snippet With Strong Encryption Settings
Here we create another snippet that defines some SSL settings. It secures Nginx with a strong SSL cipher suite and enables some advanced settings that help keep our server secure.
$ sudo nano /etc/nginx/snippets/ssl-params.conf
For our purposes, we can use the provided settings in their entirety, with a few modifications:
- First, add your preferred DNS resolver for upstream requests. You can find one by searching on Google.
- Second, the line that sets the Strict Transport Security header is left commented out. Before uncommenting that line, read up on HTTP Strict Transport Security, or HSTS.

Add the settings to your ssl-params.conf snippet file.
Finally, save and close the file.
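
The two snippet files described in this section and the previous one, written out as an added example (not a listing from the original guide). The certificate, key and DH parameter paths are the ones used by the commands earlier in this guide; the cipher list, session values, stapling directives and resolver addresses are assumptions chosen for illustration.

```nginx
# File: /etc/nginx/snippets/self-signed.conf
# Paths match the "openssl req" command earlier in this guide.
ssl_certificate     /etc/ssl/certs/nginx-selfsigned.crt;
ssl_certificate_key /etc/ssl/private/nginx-selfsigned.key;

# File: /etc/nginx/snippets/ssl-params.conf
# Everything below is an assumed baseline; adjust it to your own policy.
ssl_protocols TLSv1.2;
ssl_prefer_server_ciphers on;

# DH group generated with "openssl dhparam" earlier in this guide.
ssl_dhparam /etc/nginx/dhparam.pem;

# Only forward-secret (ECDHE/DHE) key exchange with AEAD ciphers.
ssl_ciphers ECDHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256;
ssl_ecdh_curve secp384r1;

# Session cache on, session tickets off.
ssl_session_timeout 10m;
ssl_session_cache shared:SSL:10m;
ssl_session_tickets off;

# First modification: the DNS resolver. Google Public DNS is used here
# only as an assumed choice; substitute the resolver you trust.
resolver 8.8.8.8 8.8.4.4 valid=300s;
resolver_timeout 5s;

# OCSP stapling needs the resolver. With a self-signed certificate nginx
# ignores stapling and logs a warning; it takes effect once a CA-issued
# certificate is swapped in through self-signed.conf.
ssl_stapling on;
ssl_stapling_verify on;

# Second modification: HSTS stays commented out. Once a browser has seen
# this header it refuses plain HTTP for the host until max-age expires.
# add_header Strict-Transport-Security "max-age=63072000; includeSubDomains";
```

Save each part under the file name given in its comment; `sudo nginx -t` will report a misspelled directive or a missing file once the snippets are included from a server block.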
## Arrange the Nginx Configuration to Run SSL
Now that we have our snippets, we can adjust the Nginx configuration to enable SSL.
This guide assumes that you are using a custom server block file in the /etc/nginx/sites-available directory; the commands below use /etc/nginx/sites-available/example.com. Back up the current file first:
$ sudo cp /etc/nginx/sites-available/example.com /etc/nginx/sites-available/example.com.bak
Now, open the configuration file to make the changes:
$ sudo nano /etc/nginx/sites-available/example.com
Note: Your file may be in a different order, and in place of the root and index directives you may have location, proxy_pass, or other statements. That is fine. Here we need to modify the listen directives to use port 443.
Insert a second server block into the configuration file, after the closing bracket of the previous block.
This second block listens on port 80 and performs the redirect to HTTPS. When you have finished editing, save the file.
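
The server block file after both changes, as an added example rather than the original guide's listing. The server names, document root and location block are assumptions standing in for whatever your existing block contains; the snippet names are the two files created above.

```nginx
# File: /etc/nginx/sites-available/example.com
server {
    # HTTPS listeners (IPv4 and IPv6) replace the original port 80 lines.
    listen 443 ssl;
    listen [::]:443 ssl;

    # Certificate/key paths and TLS settings come from the two snippets.
    # Relative include paths are resolved against /etc/nginx.
    include snippets/self-signed.conf;
    include snippets/ssl-params.conf;

    server_name example.com www.example.com;

    # Assumed content configuration: keep the root/index, location or
    # proxy_pass directives your existing block already has.
    root /var/www/example.com/html;
    index index.html index.htm;

    location / {
        try_files $uri $uri/ =404;
    }
}

# Second server block: plain HTTP on port 80 only redirects to HTTPS.
server {
    listen 80;
    listen [::]:80;

    server_name example.com www.example.com;

    # Temporary redirect while testing; browsers cache a 301, so switch
    # to it only after HTTPS is confirmed to work.
    return 302 https://$server_name$request_uri;
}
```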
## Arranging the Firewall
If you have the ufw firewall enabled, you need to adjust its settings to allow SSL traffic.
List the available application profiles from a terminal:
$ sudo ufw app list
Check the current settings by typing:
$ sudo ufw status
The output shows that only HTTP traffic is allowed to the web server.
To also let in HTTPS traffic, allow the "Nginx Full" profile and then delete the previous "Nginx HTTP" profile allowance:
$ sudo ufw allow 'Nginx Full'
$ sudo ufw delete allow 'Nginx HTTP'
$ sudo ufw status
## Enable the Changes in Nginx
Now that we have made our changes and adjusted the firewall, we can restart Nginx to apply the new settings. Before that, we need to check our files for syntax errors. To do so, type:
$ sudo nginx -t
If the test reports no problems, the configuration files have no syntax errors. Now we can restart Nginx to apply our changes:
$ sudo systemctl restart nginx
## Testing SSL Certification Secure / Unsecured
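Now it's time to test the SSL server.
Enter https:// followed by your server's domain name or IP address in your web browser. Because the certificate is self-signed rather than issued by a trusted certificate authority, the browser will show a warning before it loads the page.
You have now configured your Nginx server to use strong encryption for connections with clients.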