
How to Create a Trusted Self‑Signed SSL Certificate for Internal IP Access with OpenSSL and Nginx

This guide shows how to generate a self‑signed SSL certificate for an internal IP address using OpenSSL, configure Nginx to serve HTTPS without security warnings, and import the certificate into Chrome with the necessary extensions to avoid common name errors.

Raymond Ops

OpenSSL Self‑Signed Certificate

Install OpenSSL and create a directory for private keys.

<code>yum install openssl openssl-devel -y
mkdir -pv /etc/ssl/private</code>

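Generate a private key and CSR for the internal IP (e.g., 192.168.199.104), then self-sign the CSR. This first certificate carries no subjectAltName extension; it is replaced by the signing step that uses the extension file.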

<code>cd /etc/ssl/private/
openssl req -new -newkey rsa:2048 -sha256 -nodes -out 192.168.199.104.csr -keyout 192.168.199.104.key -subj "/C=CN/ST=Beijing/L=Beijing/O=Super Inc./OU=Web Security/CN=192.168.199.104"
openssl x509 -req -days 365 -in 192.168.199.104.csr -signkey 192.168.199.104.key -out 192.168.199.104.crt</code>

Create an extension file (http.ext) to add required usages and subject alternative names.

<code>keyUsage = nonRepudiation, digitalSignature, keyEncipherment
extendedKeyUsage = serverAuth, clientAuth
subjectAltName = @SubjectAlternativeName

[SubjectAlternativeName]
IP.1 = 127.0.0.1
IP.2 = 192.168.199.104</code>

Sign the certificate with the extension file.

<code>openssl x509 -req -days 365 -in 192.168.199.104.csr -signkey 192.168.199.104.key -out 192.168.199.104.crt -extfile http.ext</code>
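To confirm that the certificate you deploy is the one signed with http.ext and not the earlier one without it, the following added example (not part of the original article) signs the same CSR both ways in a scratch directory and asks OpenSSL whether each result is valid for the IP. The file names no-san.crt and with-san.crt, the temporary directory and the function names are assumptions made for this check.

```shell
#!/usr/bin/env bash
# Added example: sign the same CSR with and without http.ext in a scratch
# directory, then ask OpenSSL whether each certificate is valid for the IP.
IP="192.168.199.104"            # example internal IP used in this guide
SUBJ="/C=CN/ST=Beijing/L=Beijing/O=Super Inc./OU=Web Security/CN=$IP"

make_certs() {                  # $1 = scratch directory
    local d="$1"
    cat > "$d/http.ext" <<EOF
keyUsage = nonRepudiation, digitalSignature, keyEncipherment
extendedKeyUsage = serverAuth, clientAuth
subjectAltName = @SubjectAlternativeName

[SubjectAlternativeName]
IP.1 = 127.0.0.1
IP.2 = $IP
EOF
    openssl req -new -newkey rsa:2048 -sha256 -nodes -subj "$SUBJ" \
        -out "$d/$IP.csr" -keyout "$d/$IP.key" 2>/dev/null
    # First signing from the guide: no -extfile, so no subjectAltName.
    openssl x509 -req -days 365 -in "$d/$IP.csr" -signkey "$d/$IP.key" \
        -out "$d/no-san.crt" 2>/dev/null
    # Second signing: the extensions from http.ext are embedded.
    openssl x509 -req -days 365 -in "$d/$IP.csr" -signkey "$d/$IP.key" \
        -out "$d/with-san.crt" -extfile "$d/http.ext" 2>/dev/null
}

ip_matches() {                  # $1 = certificate, $2 = IP address
    # -checkip does not fall back to the CN; only an IP SAN entry matches.
    openssl x509 -in "$1" -noout -checkip "$2" | grep -q "does match certificate"
}

key_matches() {                 # $1 = certificate, $2 = private key
    # Nginx refuses to load a pair whose public keys differ.
    [ "$(openssl x509 -in "$1" -noout -pubkey)" = "$(openssl pkey -in "$2" -pubout)" ]
}

WORK="$(mktemp -d)"             # constructed scratch directory, not /etc/ssl/private
make_certs "$WORK"
for crt in no-san.crt with-san.crt; do
    if ip_matches "$WORK/$crt" "$IP"; then
        echo "$crt: valid for $IP"
    else
        echo "$crt: NOT valid for $IP (missing IP subjectAltName)"
    fi
done
key_matches "$WORK/with-san.crt" "$WORK/$IP.key" && echo "certificate and key match"
```

The same `ip_matches` and `key_matches` checks can be pointed at the real files in /etc/ssl/private before reloading Nginx.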

Configure Nginx to use the new certificate.

Nginx SSL configuration
<code>nginx -t
nginx -s reload</code>

Copy the generated <code>192.168.199.104.crt</code> to a Windows machine and import it into Chrome (Settings → Privacy & Security → Manage certificates → Import).

Chrome certificate import

Because Chrome may reject a certificate that lacks these extensions, delete any previously imported version, then import the certificate that was signed with the extension file (http.ext) so that Chrome recognises the IP as a valid subject alternative name.

Chrome certificate removal

After re‑importing the updated certificate, reload Nginx and clear Chrome’s cache before accessing the site.

Final verification

Summary

Chrome requires an additional extension file (http.ext) that defines keyUsage, extendedKeyUsage, and subjectAltName for the internal IP.

Two commands generate the key/CSR and sign the certificate with the extension.

Import the resulting .crt into Chrome’s trusted root store.

Reload Nginx and clear browser cache to complete the setup.
