Generate SSL Certificate
An SSL certificate enables an encrypted connection between client and server. In this exercise, we will generate a self-signed certificate and a Let’s Encrypt certificate with acme.sh.
Self-signed cert using OpenSSL
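# Self-signed certificate chain: a local CA plus one server certificate signed by it.
# CERT_DIR defaults to the nginx path from the original exercise; override with
# CERT_DIR=/some/dir before running. Needs write access to CERT_DIR (root for the default).
set -euo pipefail

CERT_DIR=${CERT_DIR:-/etc/nginx/certificates}
# Validity in days; 365000 is the original exercise's lab value. Browsers cap
# leaf-certificate lifetimes far lower, so use something like 365 for real use.
CERT_DAYS=${CERT_DAYS:-365000}

mkdir -p -- "$CERT_DIR"
cd -- "$CERT_DIR" || exit 1

# Private keys are written owner-only from the moment they are created, so the
# CA and server keys are never world-readable, not even transiently.
umask 077

# Generate a private key for the CA
openssl genrsa -out ca-key.pem 2048
# Generate the X509 certificate for the CA (prompts interactively for the subject)
openssl req -new -x509 -nodes -days "$CERT_DAYS" \
  -key ca-key.pem -out ca-cert.pem
# Create a private key and certificate request (prompts for the server subject)
openssl req -newkey rsa:2048 -days "$CERT_DAYS" \
  -nodes -keyout server-key.pem -out server-req.pem
# remove the passphrase if any. -nodes above already produced an unencrypted key,
# so this is a no-op in this flow; kept for keys that were generated with a passphrase.
openssl rsa -in server-key.pem -out server-key.pem
# Create a self-signed X509 certificate (server cert signed by the local CA)
openssl x509 -req -in server-req.pem -days "$CERT_DAYS" \
  -CA ca-cert.pem -CAkey ca-key.pem -set_serial 01 \
  -out server-cert.pem
# update the permission: certificates and the CSR are public and may be
# world-readable, but private keys stay 0600. The original `chmod 644 *`
# made ca-key.pem and server-key.pem readable by every local user.
chmod 644 -- ca-cert.pem server-cert.pem server-req.pem
chmod 600 -- ca-key.pem server-key.pem
# Verify the X509 certificate chains to the CA
openssl verify -CAfile ca-cert.pem server-cert.pem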
Generate with the acme.sh script
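# run as root
# Let's Encrypt certificate via acme.sh using the standalone HTTP-01 challenge
# and an ECC key. Required environment: EMAIL (account contact), DOMAIN (name
# to issue for), and PFX_PASSWORD only for the PKCS#12 export at the end.
# The sections after "install" are independent operations (issue/install,
# remove, renew, export) — run the one you need rather than all in sequence.
: "${EMAIL:?set EMAIL to the account contact address}"
: "${DOMAIN:?set DOMAIN to the hostname to issue for}"
# Where --installcert copies the issued key and chain; matches the original
# exercise. The directory must exist and be readable by the web server user.
CERT_DIR=${CERT_DIR:-/home/ec2-user/certificates}
ACME=/usr/local/bin/acme.sh

# socat is needed by --standalone, which listens on port 80 for the challenge.
yum install socat -y

# Download the installer to a temp file and run it from there instead of piping
# the network stream straight into sh, so it can be inspected before it runs.
# acme.sh lands in /root/.acme.sh and the installer also adds a cron job that
# renews issued certificates automatically.
installer=$(mktemp) || exit 1
trap 'rm -f -- "$installer"' EXIT
wget -O "$installer" https://get.acme.sh
sh "$installer" email="$EMAIL"
ln -sf /root/.acme.sh/acme.sh "$ACME"

# change default authority
"$ACME" --set-default-ca --server letsencrypt
"$ACME" --register-account -m "$EMAIL"

# elliptic curve cryptography (ECC). Once issued with -k ec-256, every later
# command that refers to this certificate needs --ecc, as below.
"$ACME" --issue -d "$DOMAIN" --standalone -k ec-256
"$ACME" --installcert -d "$DOMAIN" --ecc \
  --key-file "$CERT_DIR/server.key" \
  --fullchain-file "$CERT_DIR/server.crt"

# remove a domain (stops future automatic renewals for it)
"$ACME" --remove --domain "$DOMAIN" --ecc

# renew. The original line had a stray "l" after the domain placeholder.
# --force renews even when the certificate is not yet due; omit it for routine
# renewals so the cron job and the CA's rate limits are not burned needlessly.
"$ACME" --renew --domain "$DOMAIN" --ecc --force

# Get pkcs12(pfx) format
# usage: acme.sh --toPkcs -d <domain> [--password pfx-password]
# The password is an argv value and so is visible in `ps` and shell history
# while the command runs; it is taken from the environment rather than
# hard-coded as in the original ("changeme").
: "${PFX_PASSWORD:?set PFX_PASSWORD for the pfx export}"
"$ACME" --toPkcs -d "$DOMAIN" --password "$PFX_PASSWORD" --ecc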