TLS (Transport Layer Security, the successor of SSL) is a cryptographic protocol that encrypts and authenticates communication over networks.
A private key must be kept secret and secure: whoever holds it can impersonate the server.
You should create a backup of your private key and store it just as securely, so that a new certificate can be created without problems in case of loss or relocation.
An RSA private key with a size of 4096 bits can be created this way.
The minimum size for RSA keys should be 2048 bits (as of 2021/06).
An ECDSA private key on the elliptic curve prime256v1 (NIST P-256) can be created this way.
Now the Certificate Signing Request (CSR) needs to be generated. Enter the following line in the console.
Now you will be asked for some information, which you should provide truthfully.
The certificate is issued for the host name given as the Common Name and is only valid for that name. Current browsers actually match the host name against the Subject Alternative Name extension, so the name should be listed there as well; the Common Name alone is no longer sufficient. However, a so-called wildcard certificate can also be requested by simply putting an asterisk (*) in place of the subdomain (www is also just a subdomain). For example:
Such a certificate is then valid for all direct subdomains, i.e. for exactly one label: *.example.com covers www.example.com, but neither example.com itself nor a.b.example.com. The value asked for at A challenge password is an optional CSR attribute that most CAs ignore; it does not protect the private key and is best left empty. What does make Apache wait for input is an encrypted private key: if the key file itself is protected by a passphrase, Apache can only be started after entering that passphrase once the certificate has been included.
The CSR information can be placed directly with
You can check the contents of the CSR with the following command.
Official Certificate Authority
If the CSR contains the correct information, you can now submit it to a certificate authority (CA).
If you do not need an official certificate, e.g. for a development environment, you can also sign it yourself. Self-signed certificates generate a warning in all mainstream browsers, because no trusted CA vouches for them; the visitor must add an exception to view the page over TLS.
This is how to self-sign a certificate that is valid for one year.
The CSR information can be placed directly into the certificate generation by using
Additionally, the listed parameters can be added.

| Parameter | Effect |
| --- | --- |
| | Uses SHA512 instead of SHA256 as the signature hash algorithm. |
| | Disables the passphrase prompt, i.e. the private key is written unencrypted. Useful for non-interactive generation; the key file must then be protected by file permissions alone. |
Use this command to sign the certificate with your own Certificate Authority certificate.
-CAcreateserial creates a serial-number file when none exists yet. The serial of each newly issued certificate is taken from this file and the stored value is incremented, so that no two certificates from the same CA share a serial number (serials must be unique per issuer). The parameter -CAcreateserial is therefore only needed on the first run, to create the file. For all further certificates, pass -CAserial /path/to/serial so that the existing file is read and updated.
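The whole procedure of the preceding sections as one runnable script: key generation, a CSR for a wildcard name (with the name also placed in the Subject Alternative Name), a self-signed CA, signing first with -CAcreateserial and then with -CAserial, and a check of which host names the result is valid for, which demonstrates the one-label wildcard rule from the CSR section. This is an added example and not code from the original page; the domain example.com, the name "Demo Root CA", the file names and the lifetimes are assumptions chosen for the demo, and it needs OpenSSL 1.1.1 or newer in PATH.

```shell
#!/bin/sh
# Added example, not code from the original page: key -> CSR -> CA -> signed
# certificate with OpenSSL, run in a scratch directory. example.com, the file
# names, "Demo Root CA" and the lifetimes are assumptions chosen for the demo.
set -e
WORK="${WORK:-$(mktemp -d)}"

make_keys() {
    # RSA 4096 for the demo CA, ECDSA prime256v1 for the server.
    openssl genpkey -algorithm RSA -pkeyopt rsa_keygen_bits:4096 -out "$WORK/ca.key"
    openssl ecparam -name prime256v1 -genkey -noout -out "$WORK/server.key"
    chmod 600 "$WORK/ca.key" "$WORK/server.key"   # private keys stay private
}

make_csr() {
    # prompt = no plus the [dn] section replaces the interactive questions.
    # Clients match the host name against subjectAltName, not the CN, so the
    # wildcard is listed there too. A wildcard covers exactly one label:
    # *.example.com matches www.example.com, not example.com or a.b.example.com.
    cat > "$WORK/server.cnf" <<'EOF'
[ req ]
distinguished_name = dn
req_extensions = v3_req
prompt = no
[ dn ]
C = DE
O = Example Org
CN = *.example.com
[ v3_req ]
subjectAltName = DNS:*.example.com
EOF
    openssl req -new -sha256 -key "$WORK/server.key" -config "$WORK/server.cnf" -out "$WORK/server.csr"
}

csr_sans() {   # the SAN line of the CSR, to check it before handing it to a CA
    openssl req -in "$WORK/server.csr" -noout -text | grep -A1 'Subject Alternative Name' | tail -n1 | tr -d ' '
}

make_ca() {
    # Self-signed root valid for two years. basicConstraints and keyUsage are
    # set explicitly so that `openssl verify` accepts it as an issuer.
    cat > "$WORK/ca.cnf" <<'EOF'
[ req ]
distinguished_name = dn
x509_extensions = v3_ca
prompt = no
[ dn ]
CN = Demo Root CA
[ v3_ca ]
basicConstraints = critical, CA:true
keyUsage = critical, keyCertSign, cRLSign
subjectKeyIdentifier = hash
EOF
    openssl req -x509 -new -sha256 -days 730 -key "$WORK/ca.key" -config "$WORK/ca.cnf" -out "$WORK/ca.crt"
}

sign_csr() {   # usage: sign_csr OUTFILE SERIAL-OPTIONS...
    out=$1; shift
    # `openssl x509 -req` does not copy extensions from the CSR, so the SAN
    # section is supplied again with -extfile/-extensions.
    openssl x509 -req -sha256 -days 365 -in "$WORK/server.csr" \
        -CA "$WORK/ca.crt" -CAkey "$WORK/ca.key" "$@" \
        -extfile "$WORK/server.cnf" -extensions v3_req -out "$out"
}

cert_serial() { openssl x509 -in "$1" -noout -serial | cut -d= -f2; }

chain_ok() {   # exit 0 if server.crt chains to the demo CA
    openssl verify -CAfile "$WORK/ca.crt" "$WORK/server.crt" 2>/dev/null | grep -q ': OK$'
}

hostname_matches() {   # exit 0 if server.crt is valid for the host name $1
    openssl verify -CAfile "$WORK/ca.crt" -verify_hostname "$1" "$WORK/server.crt" 2>/dev/null | grep -q ': OK$'
}

make_keys
make_csr
make_ca
# First signing creates the serial file; later signings only point at it.
sign_csr "$WORK/server.crt"  -CAserial "$WORK/ca.srl" -CAcreateserial
sign_csr "$WORK/server2.crt" -CAserial "$WORK/ca.srl"

echo "CSR SAN: $(csr_sans)"
echo "serials: $(cert_serial "$WORK/server.crt") $(cert_serial "$WORK/server2.crt")"
for name in www.example.com example.com a.b.example.com; do
    if hostname_matches "$name"; then echo "$name: accepted"; else echo "$name: rejected"; fi
done
echo "files kept in $WORK"
```

Run it with `sh`; it prints the CSR's SAN, two different serial numbers for the two certificates issued from the same serial file, and accepts only www.example.com. If the bare domain must be covered as well, add `DNS:example.com` to the subjectAltName line. Delete the printed directory when done, since it contains the private keys.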
It is assumed that a configuration for a (virtual) host already exists and that this host should now additionally be made accessible via TLS. All you have to do is copy the configuration file and change the port to
The asterisk can of course be replaced by an IP. Optionally, separate log files can be created for a better access overview.
Reload NGINX configuration.
Now add the paths to the private key and the certificate, and enable TLS mode.
Finally, all that is left is to restart Apache or reload the configuration. This is done with the following command:
If the settings were not accepted, repeat the command, but replace reload with restart.
As a note, one IP address per domain/certificate was only required by old clients. All current clients send the requested host name in the TLS handshake (Server Name Indication, SNI), so several certificates can be served from a single IP address. A wildcard certificate is only valid for the direct subdomains of one domain, not for the bare domain itself.
To increase security further, the Diffie-Hellman parameters should be generated with a high strength, e.g.,
Without custom DH parameters, the cipher suites based on finite-field Diffie-Hellman (DHE) are either unavailable or fall back to the server's built-in defaults, depending on the server version; the ECDHE suites are not affected.