
SSL Certificates

Overview

SSL/TLS certificates authenticate a server to its clients and enable encrypted communication between them. Common certificate types:

  • Self-signed: For development/testing only; clients warn about them because no trusted CA vouches for the certificate
  • Let’s Encrypt: Free, automated, recommended for production
  • Commercial CA: Paid certificates with extended features

See Let’s Encrypt documentation for automated HTTPS setup.

Self-Signed Certificate

Generate Self-Signed Certificate

# Generate self-signed certificate (valid for 365 days)
sudo openssl req -x509 -nodes -days 365 -newkey rsa:2048 \
  -keyout /etc/ssl/private/self-signed.key \
  -out /etc/ssl/certs/self-signed.crt \
  -subj "/C=US/ST=State/L=City/O=Organization/CN=localhost"
 
# Or with interactive prompt
sudo openssl req -x509 -nodes -days 365 -newkey rsa:2048 \
  -keyout /etc/ssl/private/self-signed.key \
  -out /etc/ssl/certs/self-signed.crt

Configure Nginx with Self-Signed

server {
    listen 443 ssl http2;
    server_name example.com;
 
    ssl_certificate /etc/ssl/certs/self-signed.crt;
    ssl_certificate_key /etc/ssl/private/self-signed.key;
 
    # Rest of configuration
}

Certificate Types

View Certificate Info

# View certificate details
openssl x509 -in /path/to/certificate.crt -text -noout
 
# Check expiration date
openssl x509 -enddate -noout -in /path/to/certificate.crt
 
# Verify certificate and key match (RSA keys only; for EC keys compare the
# public keys with `openssl x509 -pubkey -noout` and `openssl pkey -pubout`)
openssl x509 -modulus -noout -in /path/to/certificate.crt | md5sum
openssl rsa -modulus -noout -in /path/to/private.key | md5sum
# Both commands should show the same hash
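The generation and check commands above can be combined into one repeatable script. The example below is added here and is not part of the original page: it creates a self-signed certificate in a scratch directory (never under /etc/ssl), adds a subjectAltName because browsers match the SAN rather than the CN, then verifies that the key and certificate belong together and that the certificate has enough validity left. The hostname and validity period are constructed values, and the script assumes OpenSSL 1.1.1 or newer (for `-addext`).

```bash
#!/usr/bin/env bash
# Added example (not from the original page): generate a self-signed certificate
# in a scratch directory and run the sanity checks from the section above.
# Assumes OpenSSL 1.1.1 or newer (for -addext).
set -euo pipefail

WORKDIR="$(mktemp -d)"   # nothing here touches /etc/ssl

# generate_selfsigned <dir> <hostname> <days>
# Writes $dir/self-signed.key and $dir/self-signed.crt. A subjectAltName is
# added because browsers match the SAN, not the CN, when validating the host.
# -nodes leaves the key unencrypted, so restrict its permissions immediately.
generate_selfsigned() {
  local dir="$1" host="$2" days="$3"
  openssl req -x509 -nodes -days "$days" -newkey rsa:2048 \
    -keyout "$dir/self-signed.key" \
    -out "$dir/self-signed.crt" \
    -subj "/C=US/ST=State/L=City/O=Organization/CN=$host" \
    -addext "subjectAltName=DNS:$host" 2>/dev/null
  chmod 600 "$dir/self-signed.key"
}

# key_matches_cert <cert> <key>
# Exit 0 when the certificate's public key equals the private key's public
# half. Comparing the DER-encoded public key works for RSA and EC keys alike,
# whereas the modulus/md5sum check above only applies to RSA.
key_matches_cert() {
  local cert_pub key_pub
  cert_pub="$(openssl x509 -in "$1" -noout -pubkey \
              | openssl pkey -pubin -outform DER | sha256sum | cut -d' ' -f1)"
  key_pub="$(openssl pkey -in "$2" -pubout -outform DER | sha256sum | cut -d' ' -f1)"
  [ "$cert_pub" = "$key_pub" ]
}

# valid_for_at_least <cert> <seconds>
# Exit 0 if the certificate will still be valid that many seconds from now;
# -checkend is the right primitive for a renewal cron job or a monitoring check.
valid_for_at_least() {
  openssl x509 -in "$1" -noout -checkend "$2" >/dev/null
}

# Demo run (constructed hostname, scratch directory)
generate_selfsigned "$WORKDIR" localhost 365
openssl x509 -in "$WORKDIR/self-signed.crt" -noout -subject -enddate
key_matches_cert "$WORKDIR/self-signed.crt" "$WORKDIR/self-signed.key" \
  && echo "key and certificate match"
valid_for_at_least "$WORKDIR/self-signed.crt" $((30 * 86400)) \
  && echo "more than 30 days of validity left"
```

The `-checkend` test returns a nonzero exit status when the certificate expires inside the window, which makes it easy to wire into an alert before a certificate silently lapses in production.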

Convert Certificates

PEM to DER

# Convert PEM to DER
openssl x509 -inform PEM -in certificate.pem -outform DER -out certificate.der
 
# Convert DER to PEM
openssl x509 -inform DER -in certificate.der -outform PEM -out certificate.pem

PKCS12 (.p12)

# Create PKCS12 from PEM
openssl pkcs12 -export -in certificate.pem -inkey private.key -out certificate.p12
 
# Extract from PKCS12
openssl pkcs12 -in certificate.p12 -out certificate.pem -nodes

Certificate Chain

Verify Chain

# Show the chain the server actually sends (needs a live server; -showcerts
# prints every certificate, -servername sets SNI, </dev/null ends the session)
openssl s_client -connect example.com:443 -servername example.com -showcerts </dev/null
 
# Verify the certificate against the CA bundle (root plus intermediates);
# if the intermediates are in a separate file, pass them with -untrusted
openssl verify -CAfile ca-bundle.crt certificate.crt

Combine Certificates

# For Nginx (cert + chain together)
cat certificate.crt ca-bundle.crt > certificate-combined.crt
 
# View combined
openssl crl2pkcs7 -nocrl -certfile certificate-combined.crt | openssl pkcs7 -print_certs -text

Firewall Configuration

# Allow HTTPS
sudo ufw allow 443/tcp      # UFW
sudo firewall-cmd --permanent --add-port=443/tcp  # Firewalld
sudo firewall-cmd --reload                        # apply the permanent rule
 
# Allow both HTTP and HTTPS
sudo ufw allow 'Nginx Full'   # Nginx application profile (ports 80 and 443)
sudo ufw allow http           # ufw takes one service or port per rule
sudo ufw allow https