mkdir /etc/ssl/ssls/
cd /etc/ssl/ssls/

openssl req -nodes -newkey rsa:2048 -keyout site_name.key -out site_name.csr

When the last command asks for the CN (Common Name), enter your domain name; this is important. For example:

  • - for single domains
  • * - for wildcard domains

Copy csr and paste to

cat site_name.csr 

When you get your archive, extract it into /etc/ssl/ssls/ and run:

for f in site_name.crt; do cat "$f"; echo; done > ssl-bundle.crt

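Next, add the following to your nginx server block:

listen 443 ssl;  # replaces "ssl on;", which is obsolete since nginx 1.15.0 and removed in 1.25.1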
ssl_certificate /etc/ssl/ssls/ssl-bundle.crt;
ssl_certificate_key /etc/ssl/ssls/site_name.key;

Note: if you created the key with a PEM passphrase when you ran openssl req (this happens if you do not pass the -nodes option), do not forget to remove the passphrase from the .key file before using it in nginx:

openssl rsa -in /etc/ssl/ssls/site_name.key -out /etc/ssl/ssls/site_name_no_pass.key

Then use site_name_no_pass.key in the nginx config.
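
A pre-flight check for the files produced above, added here as an example and not part of the original page: it confirms that the key has no passphrase, that the key file is not readable by other users, and that the first certificate in the bundle belongs to the key. The function names and the suggested mode 600 are assumptions of this example.

```shell
#!/bin/sh
# Added example: checks to run before reloading nginx. Function names are hypothetical.

# 0 if the key file is passphrase-protected (PKCS#8 or traditional PEM header).
key_is_encrypted() {
    grep -Eq '^-----BEGIN ENCRYPTED PRIVATE KEY-----|^Proc-Type: 4,ENCRYPTED' "$1"
}

# 0 if group and other have no permission bits on the key file.
key_is_private() {
    [ "$(ls -ld "$1" | cut -c5-10)" = "------" ]
}

# 0 if the first certificate in bundle $1 carries the public key of private key $2.
# "-passin pass:" makes openssl fail instead of prompting on an encrypted key.
cert_matches_key() {
    cert_pub=$(openssl x509 -in "$1" -noout -pubkey 2>/dev/null) || return 2
    key_pub=$(openssl pkey -in "$2" -pubout -passin pass: 2>/dev/null) || return 2
    [ -n "$cert_pub" ] && [ "$cert_pub" = "$key_pub" ]
}

# usage: preflight ssl-bundle.crt site_name.key
preflight() {
    if key_is_encrypted "$2"; then
        echo "key is passphrase-protected: strip it first"
        return 1
    fi
    key_is_private "$2" || { echo "key is readable by group/other: chmod 600"; return 1; }
    cert_matches_key "$1" "$2" || { echo "certificate does not match key"; return 1; }
    echo "ok"
}

# Run directly as: sh preflight.sh /etc/ssl/ssls/ssl-bundle.crt /etc/ssl/ssls/site_name.key
if [ "$#" -eq 2 ]; then
    preflight "$1" "$2"
fi
```

A mismatch here usually means the bundle was built from a certificate issued for a different CSR, which nginx would otherwise report only when it fails to start.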