This is an old revision of the document!
SSL
Be your own SSL Certificate Authority.
This tutorial is based on the domain nextcloud.home. So change the domain to your specific domain.
It is also important that the domain address gets redirected from your router. This can also be set in the /etc/hosts file of your computer, but to reach the domain on every device, it is easier to change this directly in the router:
nextcloud.domain SERVER-IP
Generating the private key and root certificate
openssl genrsa -des3 -out myCA.key 2048
openssl req -x509 -new -nodes -key myCA.key -sha256 -days 1825 -out myCA.pem
Change the following information as you wish. It appears when you view the certificate through your browser.
Country Name (2 letter code) [AU]: State or Province Name (full name) [Some-State]: Locality Name (eg, city) []: Organization Name (eg, company) [Internet Widgits Pty Ltd]: Organizational Unit Name (eg, section) []: Common Name (e.g. server FQDN or YOUR name) []: Email Address []:
Installing your root certificate on all the devices
You'll need to create a myCA.pem file on every device and copy the content of cat myCA.pem file wherever you created it in section generating-the-private-key-and-root-certificate.
Arch Linux
sudo trust anchor --store myCA.pem
Android
Settings - Security - Encryption and credentials - Install a certificate
Check under:
Settings - Security - Trusted credentials - User
Creating CA-Signed certificates for your domains
openssl genrsa -out domain.home.key 2048
openssl req -new -key DOMAIN.home.key -out DOMAIN.home.csr
nano DOMAIN.home.ext
authorityKeyIdentifier=keyid,issuer basicConstraints=CA:FALSE keyUsage = digitalSignature, nonRepudiation, keyEncipherment, dataEncipherment subjectAltName = @alt_names [alt_names] DNS.1 = DOMAIN.home
Script
Create the file in nano /etc/nginx/ssl/ssl.sh.
#!/bin/sh if [ "$#" -ne 1 ] then echo "Usage: Must supply a domain" exit 1 fi DOMAIN=$1 openssl genrsa -out $DOMAIN.key 2048 openssl req -new -key $DOMAIN.key -out $DOMAIN.csr cat > $DOMAIN.ext << EOF authorityKeyIdentifier=keyid,issuer basicConstraints=CA:FALSE keyUsage = digitalSignature, nonRepudiation, keyEncipherment, dataEncipherment subjectAltName = @alt_names [alt_names] DNS.1 = $DOMAIN EOF openssl x509 -req -in $DOMAIN.csr -CA myCA.pem -CAkey myCA.key -CAcreateserial \ -out $DOMAIN.crt -days 825 -sha256 -extfile $DOMAIN.ext
chmod +x ssl.sh ./ssl.sh domain.home
Nginx
Check also nginx
ssl-params.conf
nano /etc/nginx/conf.d/ssl-params.conf
ssl_protocols TLSv1.3; ssl_prefer_server_ciphers on; ssl_ciphers "EECDH+AESGCM:EDH+AESGCM:AES256+EECDH:AES256+EDH"; ssl_ecdh_curve secp384r1; ssl_session_cache shared:SSL:10m;
example
server {
listen 80;
listen [::]:80;
server_name nextcloud.home;
# enforce https
return 301 https://$server_name:443$request_uri;
}
server {
listen 443 ssl http2;
listen [::]:443 ssl http2;
server_name nextcloud.home;
ssl_certificate /etc/nginx/ssl/nextcloud.home.crt;
ssl_certificate_key /etc/nginx/ssl/nextcloud.home.key;
include conf.d/ssl-params.conf;
access_log /var/log/nginx/nextcloud.home_access_log;
error_log /var/log/nginx/nextcloud.home-error_log;
location / {
your things;
}
}