Create an SSL certificate and install it using certutil

Quoted from the Nginx SSL documentation:
4 steps for creating your own SSL certificate.

  1. Create the server private key:
     openssl genrsa -des3 -out hans.key 4096
  2. Create the Certificate Signing Request (note: this *.csr is just a certificate request file):
     openssl req -new -key hans.key -out hans.csr
  3. Remove the need to enter a passphrase when starting nginx with SSL using the above private key (hans.key is then stored unencrypted, so keep it readable only by the account that needs it):
     cp hans.key hans.key.org && openssl rsa -in hans.key.org -out hans.key
  4. Finally, sign the certificate using the above private key and CSR:
     openssl x509 -req -days 365 -in hans.csr -signkey hans.key -out hans.crt

Next, deploy the newly signed certificate and private key on your nginx server.

server {
    server_name YOUR_DOMAINNAME_HERE;
    listen 443 ssl;    # replaces the deprecated "listen 443; ssl on;" pair
    ssl_certificate /(nginx conf dir)/hans.crt;        # Signed certificate
    ssl_certificate_key /(nginx conf dir)/hans.key;    # Private key
}

Finally, import the certificate and install it on your local machine. (This is only needed for Chrome; Firefox installs it on its own.)
This requires the package libnss3-tools, which contains certutil, the tool that adds self-signed certificates.
Either use Firefox to export the certificate, or use the previous *.crt file, but the *.crt file needs to be renamed to *.pem.

  • To insert a certificate record:
    certutil -d sql:$HOME/.pki/nssdb -A -t TC -n "(the irrelevant name to identify this cert)" -i hans.pem

  • To show all the certificates added on your local machine:
    certutil -L -d sql:$HOME/.pki/nssdb

  • To delete one particular certificate based on its name:
    certutil -D -n "(the corresponding name for certificate to be deleted)" -d sql:$HOME/.pki/nssdb

nginx basic auth

Scenario: password-protect a certain area (sub-directory) of the web server content.

Quoted from: Basic HTTP Auth nginx
Example:

location  /  {
  auth_basic            "Restricted";
  auth_basic_user_file  htpasswd;
}

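htpasswd is the file that stores all your usernames and password hashes; its path is relative to the directory of the nginx configuration file nginx.conf. The name given to auth_basic_user_file must match the file you generate (the commands below write .htpasswd).

To generate an .htpasswd file on Linux, the most common solution is to use openssl.

Four algorithms can be chosen: crypt, Apache MD5 (apr1), MD5 and salted SHA-1.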

# this example uses crypt hashing (only the first 8 characters of the password are used)
printf "(username):$(openssl passwd -crypt actual_passwd)\n" >> .htpasswd
# this example uses apr1 (Apache MD5) hashing
printf "(username):$(openssl passwd -apr1 actual_passwd)\n" >> .htpasswd
# this example uses MD5 hashing
printf "(username):$(openssl passwd -1 actual_passwd)\n" >> .htpasswd
# this example uses SSHA (salted SHA-1) hashing; the salt appended after the
# digest (MYSALT) must be the same salt that was hashed together with the password
echo "(username):{SSHA}$( { printf '%s' 'actual_passwdMYSALT' | openssl dgst -binary -sha1; printf '%s' 'MYSALT'; } | base64)" >> .htpasswd
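
The `{SSHA}` field written by the last command is the base64 encoding of the 20-byte SHA-1 digest followed by the salt, and verification recomputes SHA1(password + salt) with the salt recovered from the field. The Python sketch below is an added example, not part of the original post; the function names and the sample user `alice` are assumptions. It builds and checks such entries and shows that an entry whose hashed salt differs from its appended salt never verifies.

```python
import base64
import hashlib
import hmac
import os

SHA1_LEN = 20  # bytes in a raw SHA-1 digest


def make_ssha(password, salt=None):
    """Build '{SSHA}' + base64(SHA1(password + salt) + salt)."""
    salt = os.urandom(8) if salt is None else salt
    digest = hashlib.sha1(password.encode() + salt).digest()
    return "{SSHA}" + base64.b64encode(digest + salt).decode()


def split_ssha(stored):
    """Return (digest, salt) from a '{SSHA}...' field, or raise ValueError."""
    if not stored.startswith("{SSHA}"):
        raise ValueError("not an {SSHA} entry")
    raw = base64.b64decode(stored[len("{SSHA}"):], validate=True)
    if len(raw) <= SHA1_LEN:
        raise ValueError("digest present but no salt appended")
    return raw[:SHA1_LEN], raw[SHA1_LEN:]


def check_line(line, password):
    """Verify a 'user:{SSHA}...' line: recompute SHA1(password + stored salt)."""
    _user, _, stored = line.strip().partition(":")
    digest, salt = split_ssha(stored)
    candidate = hashlib.sha1(password.encode() + salt).digest()
    return hmac.compare_digest(candidate, digest)  # constant-time comparison


def mismatched_line(user, password, hashed_salt, appended_salt):
    """Constructed broken entry: one salt is hashed, a different one is stored."""
    digest = hashlib.sha1(password.encode() + hashed_salt).digest()
    return user + ":{SSHA}" + base64.b64encode(digest + appended_salt).decode()


if __name__ == "__main__":
    # Constructed sample entries for the hypothetical user "alice".
    good = "alice:" + make_ssha("actual_passwd", b"MYSALT")
    bad = mismatched_line("alice", "actual_passwd", b"SALT", b"MYSALT")
    print(good, check_line(good, "actual_passwd"))  # entry verifies
    print(bad, check_line(bad, "actual_passwd"))    # entry can never verify
```

Running `check_line` over each line of a generated file before deploying it catches a mistyped salt, which would otherwise only show up as failed logins.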