NGINX - Managing SSL Certificates Using OpenSSL

Libraries: If you want this lab, consider one of these libraries.
Cloud

NGINX - Managing SSL Certificates Using OpenSSL

Before we can start building our world-changing website or application on LEMP, we have to lay the foundation - the stack. In this hands-on lab, we will walk through the creation of self-signed SSL certificates. Completing this lab will provide have a good understanding of how to create SSL certificates using OpenSSL on Ubuntu Linux.

Get started Contact sales

Lab Info

Level

Intermediate

Last updated

Sep 25, 2025

Duration

45m

Challenge

Create a Certificate Authority Private Key and Certificate
Become root:
```
sudo su -
```
Create a directory to store our certificates:
```
mkdir -p /etc/nginx/certificates
```
```
cd /etc/nginx/certificates
```
Generate a private key for the CA:
```
openssl genrsa 2048 > ca-key.pem
```
Generate the X509 certificate for the CA. For this step, just hit Enter for all the questions and use the default answers:
```
openssl req -new -x509 -nodes -days 365000 
      -key ca-key.pem -out ca-cert.pem
```
Challenge

Create a Private Key for the NGINX Server
Generate a private key and create a certificate request for the NGINX server:
```
openssl req -newkey rsa:2048 -days 365000 
      -nodes -keyout server-key.pem -out server-req.pem
```
We will have to answer some questions.

Process the key to remove the passphrase:
```
openssl rsa -in server-key.pem -out server-key.pem
```
We should see the following: writing RSA key
Challenge

Create a Self-Signed Certificate for the NGINX Server
Generate a self-signed X509 certificate for the NGINX server:
```
openssl x509 -req -in server-req.pem -days 365000 
      -CA ca-cert.pem -CAkey ca-key.pem -set_serial 01 
      -out server-cert.pem
```
We now have self-signed X509 certificates for the NGINX server in the /etc/nginx/certificates directory.

We need to allow the nginx user access to the certificates. Add read permission for group and other:
```
chmod 644 *
```
Challenge

Verify the Self-Signed Certificate for the NGINX Server
Let's use the openssl verify command to verify that the X509 certificate was correctly generated:
```
openssl verify -CAfile ca-cert.pem server-cert.pem
```
We should see the following: server-cert.pem: OK

About the author

Pluralsight Skills

Pluralsight Skills gives leaders confidence they have the skills needed to execute technology strategy. Technology teams can benchmark expertise across roles, speed up release cycles and build reliable, secure products. By leveraging our expert content, skill assessments and one-of-a-kind analytics, keep up with the pace of change, put the right people on the right projects and boost productivity. It's the most effective path to developing tech skills at scale.

Real skill practice before real-world application

Hands-on Labs are real environments created by industry experts to help you learn. These environments help you gain knowledge and experience, practice without compromising your system, test without risk, destroy without fear, and let you learn from your mistakes. Hands-on Labs: practice your skills before delivering in the real world.

Learn by doing

Engage hands-on with the tools and technologies you’re learning. You pick the skill, we provide the credentials and environment.

Follow your guide

All labs have detailed instructions and objectives, guiding you through the learning process and ensuring you understand every step.

Turn time into mastery

On average, you retain 75% more of your learning if you take time to practice. Hands-on labs set you up for success to make those skills stick.