Create an SSL certificate and install it using certutil

Quoted from the Nginx SSL document:
4 steps for creating your own SSL certificate.

  1. Create the server private key:
     openssl genrsa -des3 -out hans.key 4096
  2. Create the Certificate Signing Request. Note: this *.csr is just a certificate request file.
     openssl req -new -key hans.key -out hans.csr
  3. Remove the need to enter a passphrase when starting nginx with SSL using the above private key:
     cp hans.key hans.key.org && openssl rsa -in hans.key.org -out hans.key
  4. Finally, sign the certificate using the above private key and CSR:
     openssl x509 -req -days 365 -in hans.csr -signkey hans.key -out hans.crt
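
The four steps above, run without prompts and followed by checks that the certificate and key belong together, that the nginx key no longer needs a passphrase, and that the certificate is not about to expire. This is an added example, not part of the Nginx document or the original post; the function names and arguments are hypothetical, and the 2048-bit key size is chosen only to keep the run short.

```shell
#!/bin/sh
# Added example, not from the Nginx document: the page's four steps without
# prompts, then checks to run before nginx and the NSS database get the files.
# Function names and the DIR/NAME/CN arguments are hypothetical.

make_selfsigned() (        # usage: make_selfsigned DIR NAME CN
    dir=$1; name=$2; cn=$3
    umask 077              # subshell body: key files are created owner-only
    KEY_PASS=$(openssl rand -hex 16) || exit 1   # throwaway passphrase
    export KEY_PASS
    # 1. encrypted key (2048 bits keeps the demo fast; the page uses 4096)
    openssl genrsa -des3 -passout env:KEY_PASS \
        -out "$dir/$name.key.org" 2048 2>/dev/null || exit 1
    # 2. certificate signing request
    openssl req -new -key "$dir/$name.key.org" -passin env:KEY_PASS \
        -subj "/CN=$cn" -out "$dir/$name.csr" || exit 1
    # 3. passphrase-free key for nginx
    openssl rsa -in "$dir/$name.key.org" -passin env:KEY_PASS \
        -out "$dir/$name.key" 2>/dev/null || exit 1
    # 4. self-signed certificate, valid 365 days
    openssl x509 -req -days 365 -in "$dir/$name.csr" \
        -signkey "$dir/$name.key" -out "$dir/$name.crt" 2>/dev/null
)

cert_matches_key() {       # 0 if CRT holds the public half of KEY
    c=$(openssl x509 -in "$1" -noout -pubkey 2>/dev/null) || return 1
    k=$(openssl pkey -in "$2" -pubout -passin pass: 2>/dev/null) || return 1
    [ "$c" = "$k" ]
}

key_is_encrypted() {       # 0 if KEY is passphrase-protected (both PEM styles)
    grep -Eq '^(-----BEGIN ENCRYPTED PRIVATE KEY|Proc-Type: 4,ENCRYPTED)' "$1"
}

cert_outlives() {          # 0 if CRT is still valid SECONDS from now
    openssl x509 -in "$1" -noout -checkend "$2" >/dev/null 2>&1
}

# Demo in a scratch directory with constructed values.
d=$(mktemp -d) && make_selfsigned "$d" hans localhost &&
    cert_matches_key "$d/hans.crt" "$d/hans.key" &&
    ! key_is_encrypted "$d/hans.key" &&
    cert_outlives "$d/hans.crt" 2592000 &&   # 30 days
    echo "hans.crt and hans.key are a usable pair"
rm -rf "$d"
```

A mismatch reported by cert_matches_key means nginx would refuse to load the pair, so it is worth running before editing the server block.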

The next step is to deploy the newly signed certificate and private key on your nginx server.

server {
    server_name YOUR_DOMAINNAME_HERE;
    listen 443 ssl;                                     # "ssl" on listen replaces the obsolete "ssl on;"
    ssl_certificate /(nginx conf dir)/hans.crt;         # Signed certificate
    ssl_certificate_key /(nginx conf dir)/hans.key;     # Private key
}

Finally, import the certificate and install it on your local machine. (This is only needed for Chrome; Firefox installs it on its own.)
This requires the package libnss3-tools, which contains certutil, the tool that adds self-signed certificates.
Either use Firefox to export the certificate, or use the *.crt file created earlier; the *.crt file needs to be renamed to *.pem.

  • To insert a certificate record:
    certutil -d sql:$HOME/.pki/nssdb -A -t TC -n "(the irrelevant name to identify this cert)" -i hans.pem
  • To show all the certificates added on your local machine:
    certutil -L -d sql:$HOME/.pki/nssdb
  • To delete one particular certificate based on its name:
    certutil -D -n "(the corresponding name for certificate to be deleted)" -d sql:$HOME/.pki/nssdb