February 09, 2015

Self Signed SSL Certificates for Development

Create a self-signed SSL certificate for testing development environments. A self-signed certificate is one that is not "valid", in that it hasn't been paid for and will not be verified by third parties.

It will still, however, encrypt our data and is useful for testing SSL connections in development.

Some Nginx Setup

We start by copying Nginx's default configuration:

sudo cp /etc/nginx/sites-available/default /etc/nginx/sites-available/xip.io
sudo vim /etc/nginx/sites-available/xip.io

Make the new file look like this:

server {
    listen 80;

    root /var/www;

    server_name 192.168.22.14.xip.io;

    location / {
        try_files $uri $uri/ =404;
    }
}

Then we can configtest and reload Nginx:

sudo service nginx configtest
sudo service nginx reload

My development server on Vagrant is at the IP address 192.168.22.14, so we can access it at the domain name 192.168.22.14.xip.io.

Then enable that virtual host:

sudo ln -s /etc/nginx/sites-available/xip.io /etc/nginx/sites-enabled/xip.io
sudo service nginx configtest
sudo service nginx reload
echo "Hello, www!" | sudo tee "/var/www/index.html"

If we use https://192.168.22.14.xip.io, we'll get a Connection Refused error - there's no Nginx configuration for SSL yet.

Create a Self-Signed SSL Certificate

Create the directory that will hold the certificate and related files:

sudo mkdir /etc/ssl/xip.io
cd /etc/ssl/xip.io

Generate a key, CSR and the certificate:

# Generate a new private key
sudo openssl genrsa -out "/etc/ssl/xip.io/xip.io.key" 2048

# Generate a CSR, signed with the private key
sudo openssl req -new -key "/etc/ssl/xip.io/xip.io.key" -out "/etc/ssl/xip.io/xip.io.csr"
> Country Name: US
> State: Connecticut
> City: New Haven
> Organization Name: xip.io
> Organizational Unit:
> Common Name: *.xip.io
> Email:
> Password:
> Company Name:

Note that I'm using the wildcard domain *.xip.io, since the domain will usually be used with many different subdomains.

Lastly, we sign and generate our certificate:

sudo openssl x509 -req -days 365 \
    -in "/etc/ssl/xip.io/xip.io.csr" \
    -signkey "/etc/ssl/xip.io/xip.io.key" \
    -out "/etc/ssl/xip.io/xip.io.crt"

Then we'll see we have a certificate file xip.io.crt generated!
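
The three steps above, run without prompts into a scratch directory, followed by checks worth running before Nginx is pointed at the pair. This is an added example, not code from the original post; the function names and the `-subj` string (built from the answers shown above) are assumptions.

```bash
#!/usr/bin/env bash
# Added example, not from the original post. File names are assumptions;
# point DIR at a scratch directory so nothing under /etc/ssl is touched.

# make_dev_cert DIR NAME CN: key -> CSR -> self-signed cert, without prompts.
make_dev_cert() {
    local dir=$1 name=$2 cn=$3
    # Subshell umask keeps the private key readable by its owner only.
    ( umask 077; openssl genrsa -out "$dir/$name.key" 2048 2>/dev/null ) || return 1
    openssl req -new -key "$dir/$name.key" -out "$dir/$name.csr" \
        -subj "/C=US/ST=Connecticut/L=New Haven/O=xip.io/CN=$cn" || return 1
    openssl x509 -req -days 365 -in "$dir/$name.csr" \
        -signkey "$dir/$name.key" -out "$dir/$name.crt" 2>/dev/null
}

# key_matches_cert KEY CRT: true when both files carry the same public key.
# Nginx refuses to load a mismatched ssl_certificate / ssl_certificate_key pair.
key_matches_cert() {
    local k c
    k=$(openssl pkey -in "$1" -pubout 2>/dev/null) || return 1
    c=$(openssl x509 -in "$2" -noout -pubkey 2>/dev/null) || return 1
    [ -n "$k" ] && [ "$k" = "$c" ]
}

# is_self_signed CRT: issuer and subject names hash to the same value.
is_self_signed() {
    local s i
    s=$(openssl x509 -in "$1" -noout -subject_hash 2>/dev/null) || return 1
    i=$(openssl x509 -in "$1" -noout -issuer_hash 2>/dev/null) || return 1
    [ -n "$s" ] && [ "$s" = "$i" ]
}

# cert_covers_host CRT HOST: true when OpenSSL's hostname check accepts HOST.
cert_covers_host() {
    openssl x509 -in "$1" -noout -checkhost "$2" 2>/dev/null \
        | grep -q 'does match certificate'
}

# check_pair KEY CRT HOST: report each check; fail on key mismatch or expiry.
check_pair() {
    key_matches_cert "$1" "$2" || { echo "key/cert MISMATCH"; return 1; }
    openssl x509 -in "$2" -noout -checkend 0 >/dev/null || { echo "EXPIRED"; return 1; }
    is_self_signed "$2" && echo "self-signed: browsers will warn"
    cert_covers_host "$2" "$3" || echo "name mismatch: cert does not cover $3"
    return 0
}
```

Run against a certificate with the `*.xip.io` common name, OpenSSL's hostname check accepts a single-label name such as `foo.xip.io` but not `192.168.22.14.xip.io`, because a wildcard covers one label only.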

Add SSL Configuration to Nginx

sudo vim /etc/nginx/sites-available/xip.io

Make the Nginx configuration look like this (slightly updated from what was in the video):

server {
    listen 80;
    listen 443 ssl;

    root /var/www;

    server_name 192.168.22.14.xip.io;

    ssl_certificate      /etc/ssl/xip.io/xip.io.crt;
    ssl_certificate_key  /etc/ssl/xip.io/xip.io.key;

    location / {
        try_files $uri $uri/ =404;
    }
}

Then we can configtest and reload Nginx:

sudo service nginx configtest
sudo service nginx reload

We can then use any URL such as https://192.168.22.14.xip.io or https://some.subdomain.192.168.22.14.xip.io in our browser. We'll get a big, scary alert message saying it's not a valid (verified) SSL certificate, but we can click through these warnings and continue to use our site over an encrypted connection!