generate-proper-selfsigned-certs

make-cert.sh

#!/bin/bash


declare -A CNS=(
 [domain]=cert_file_name
)


KEY_PATH=/etc/ssl/private
CERT_PATH=/etc/ssl/certs




for key in ${!CNS[@]}; do
 _EXT="subjectAltName = DNS:${key}"
 [[ -f "${KEY_PATH}/${CNS[${key}]}.key" ]] && { echo "Skipping, key for ${key} exits..."; continue; }
  echo -n "Generating key for '${key}..'"
  openssl req -x509 -nodes -days 365 -newkey rsa:2048 -subj "/CN=${key}" --addext "${_EXT}" -keyout ${KEY_PATH}/${CNS[${key}]}.key -out ${CERT_PATH}/${CNS[${key}]}.crt 1>/dev/null 2>/dev/null
  [[ $? -eq 0 ]] && echo "ok" || echo "fail"
done

# generate dhparam if needed
# openssl dhparam -out dhparam.pem 2048

nginx.conf

server {
  listen 443 ssl http2;

 include self-signed.conf;
 include ssl-params.conf;
}

self-signed.conf

ssl_certificate /etc/ssl/certs/nginx-selfsigned.crt;
ssl_certificate_key /etc/ssl/private/nginx-selfsigned.key;

ssl-params.conf

ssl_protocols TLSv1.2;
ssl_prefer_server_ciphers on;
ssl_dhparam /etc/nginx/dhparam.pem;
ssl_ciphers ECDHE-RSA-AES256-GCM-SHA512:DHE-RSA-AES256-GCM-SHA512:ECDHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-SHA384;
ssl_ecdh_curve secp384r1; # Requires nginx >= 1.1.0
ssl_session_timeout  10m;
ssl_session_cache shared:SSL:10m;
ssl_session_tickets off; # Requires nginx >= 1.5.9
ssl_stapling on; # Requires nginx >= 1.3.7
ssl_stapling_verify on; # Requires nginx => 1.3.7
resolver_timeout 5s;
# Disable strict transport security for now. You can uncomment the following
# line if you understand the implications.
# add_header Strict-Transport-Security "max-age=63072000; includeSubDomains; preload";
#add_header X-Frame-Options DENY;
add_header X-Content-Type-Options nosniff;
add_header X-XSS-Protection "1; mode=block";