HTTPS Configuration Using Alibaba Cloud Free SSL and OpenSSL Self‑Signed Certificates
This guide shows how to enable HTTPS on Nginx by either obtaining a free Alibaba Cloud SSL certificate—generating a CSR, submitting it, and configuring the server—or creating a self‑signed OpenSSL certificate with custom SANs, installing it, updating hosts, and verifying the secure connection.
This article explains two methods to enable HTTPS for a website: using an Alibaba Cloud free SSL certificate and using a self‑signed certificate generated with OpenSSL.
Method 1 – Alibaba Cloud certificate
1. Generate a CSR file with OpenSSL:
openssl req -new -nodes -sha256 -newkey rsa:2048 -keyout [$Key_File] -out [$OpenSSL_CSR]
Fill the prompted fields (Organization Name, Country Code, etc.) to create the CSR.
2. Submit the CSR to Alibaba Cloud’s Certificate Authority (CA) via the “Free SSL Certificate” product page, complete the domain verification, and download the issued certificate (including the Nginx version).
3. Configure Nginx:
server {
    listen 443 ssl;
    ssl_certificate /path/to/server.crt;
    ssl_certificate_key /path/to/server.key;
    ...
}
4. Verify the HTTPS connection by accessing the domain.
Method 2 – OpenSSL self‑signed certificate
1. Prepare a CSR configuration file (csr.config) with the desired subjectAltName entries, e.g.:
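[req]
default_bits = 2048
# Use the values below as-is instead of prompting for each field
prompt = no
distinguished_name = req_distinguished_name
req_extensions = req_ext
x509_extensions = v3_ca
[req_distinguished_name]
countryName = CN
stateOrProvinceName = ZJ
localityName = HZ
organizationName = FE
organizationalUnitName = IT
commonName = ccCrt
[req_ext]
subjectAltName = @alt_names
# "openssl req -x509" applies x509_extensions (v3_ca), not req_extensions,
# so the SANs must also be listed here to end up in the self-signed certificate
[v3_ca]
subjectAltName = @alt_names
[alt_names]
DNS.1 = *.lanchen.com
DNS.2 = *.lanchen.cn
2. Generate the self‑signed certificate and private key: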
# Generate self‑signed certificate
openssl req -x509 -nodes -days 365 -newkey rsa:2048 -keyout server.key -out server.crt -config csr.config
3. Add the generated certificate to the system trust store (set to “Always trust”).
4. Update the local /etc/hosts file to map the test domain to 127.0.0.1.
5. Configure Nginx with the generated files and, if needed, a variable port for proxying:
server {
    listen 443 ssl;
    # The named capture becomes $port, e.g. 8080.lanchen.cn -> 127.0.0.1:8080
    server_name ~^(?<port>.+)\.lanchen\.cn$;
    ssl_certificate ssl-test/server.crt;
    ssl_certificate_key ssl-test/server.key;
    location / {
        proxy_pass http://127.0.0.1:$port;
    }
}
6. Access https://demo.lanchen.com (or with the appropriate port) to confirm the setup.
Notes
If the certificate lacks DNS entries in its subjectAltName extension, browsers will reject the connection.
Self‑signed certificates must be trusted locally; otherwise users will see security warnings.
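The two notes above can be checked before Nginx is reloaded. The following script is an added example, not part of the original article: it tests whether a certificate carries DNS SAN entries, whether those entries cover a given hostname, and whether the private key belongs to the certificate. The function names are hypothetical, and the certificates it generates are constructed test material that reuses the article's wildcard names.

```bash
#!/usr/bin/env bash
# Added example: preflight checks for a cert/key pair before Nginx uses it.
# Function names are hypothetical; certificates are generated as test material.

# Succeeds only if the certificate has a subjectAltName with DNS entries.
has_dns_san() {
    openssl x509 -in "$1" -noout -text 2>/dev/null |
        grep -A1 'X509v3 Subject Alternative Name' | grep -q 'DNS:'
}

# Succeeds if HOST ($2) is covered by the SANs of CERT ($1).
# The SAN check comes first: OpenSSL falls back to the commonName when no
# DNS SAN exists, but current browsers ignore the commonName entirely.
covers_host() {
    has_dns_san "$1" || return 1
    openssl x509 -in "$1" -noout -checkhost "$2" 2>/dev/null |
        grep -q 'does match certificate'
}

# Succeeds if the private key ($2) belongs to the certificate ($1).
key_matches_cert() {
    cert_pub=$(openssl x509 -in "$1" -noout -pubkey 2>/dev/null) || return 1
    key_pub=$(openssl pkey -in "$2" -pubout 2>/dev/null) || return 1
    [ -n "$cert_pub" ] && [ "$cert_pub" = "$key_pub" ]
}

# Constructed test material: writes $1/$2.crt and $1/$2.key, with the
# article's wildcard SANs when $3 is "yes" and with no SAN otherwise.
make_demo_cert() {
    cnf="$1/$2.cnf"
    printf '[req]\nprompt = no\ndistinguished_name = dn\n' > "$cnf"
    if [ "$3" = yes ]; then
        printf 'x509_extensions = ext\n[ext]\n' >> "$cnf"
        printf 'subjectAltName = DNS:*.lanchen.com, DNS:*.lanchen.cn\n' >> "$cnf"
    fi
    printf '[dn]\ncommonName = ccCrt\n' >> "$cnf"
    openssl req -x509 -nodes -days 1 -newkey rsa:2048 -config "$cnf" \
        -keyout "$1/$2.key" -out "$1/$2.crt" 2>/dev/null
}
```

Against the files from step 2, run covers_host server.crt demo.lanchen.com and key_matches_cert server.crt server.key. A wildcard entry matches exactly one label, so *.lanchen.com covers neither lanchen.com nor a.b.lanchen.com.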
Conclusion
The guide demonstrates how to obtain a free Alibaba Cloud SSL certificate for production Nginx servers and how to create a self‑signed certificate for local development, covering CSR generation, certificate installation, Nginx configuration, and verification steps.
DaTaobao Tech
Official account of DaTaobao Technology