# Self-Signed SSL: Nginx on Mac (Part 3)

Till now, we have  [installed Nginx](https://blog.royalecheese.com/installing-nginx-on-mac-part-1) and did a  [simple configuration](https://blog.royalecheese.com/simple-configuration-of-nginx-on-mac-part-2) to host an html file locally.

In this part we will be configuring Nginx with a self-signed certificate. We will be creating a self signed certificate using openssl and make Nginx use it for serving content over https. Let's get our hands dirty. Open our pal, Terminal and lets create a couple of folders to store our key and certificate. Fire the following commands:

```
mkdir -p /usr/local/etc/ssl/private
mkdir -p /usr/local/etc/ssl/certs
```

Ideally you can create these folders anywhere but it's a good practice to have them at the above given path. We will now create key and certificate by running the below command:


```
sudo openssl req \
  -x509 -nodes -days 365 -newkey rsa:2048 \
  -keyout /usr/local/etc/ssl/private/self-signed.key \
  -out /usr/local/etc/ssl/certs/self-signed.crt
```

Let's alter our server context from previous tutorial. The updated file is as below.

```
events {

}


http {
    server {
        # Listen on port 80 which is the default http port
        listen 80;

        # Set a permanent redirection from http to https
        return 301 https://localhost:443;
    }
}
```

Add another server context inside http context with configuration and locations relating to SSL


```
 server {
       listen       443 ssl;

       # location of ssl certificate
       ssl_certificate /usr/local/etc/ssl/certs/self-signed.crt;

       # location of ssl key
       ssl_certificate_key /usr/local/etc/ssl/private/self-signed.key;
    }
```


Add location context inside the ssl server context

```
location / {
    root   /Users/arjav/Desktop/www;
    index  index.html index.htm;
}
```

This is the whole configuration file:

```
events {

}

http {
    # HTTP server
    server {
        listen       80;
        return 301 https://localhost:443;
    }


    # HTTPS server
    server {
       listen       443 ssl;

       ssl_certificate /usr/local/etc/ssl/certs/self-signed.crt;
       ssl_certificate_key /usr/local/etc/ssl/private/self-signed.key;

       location / {
           root   /Users/arjav/Desktop/www;
           index  index.html index.htm;
       }
    }
}
```

As a last step we will need to add the self-signed certificate to the system keychain. Run the below command in your terminal.

```
sudo security add-trusted-cert \
  -d -r trustRoot \
  -k /Library/Keychains/System.keychain /usr/local/etc/ssl/certs/self-signed.crt
```

Voila! That's it. In your terminal verify your configuration file by running ```nginx -t``` and if everything looks okay reload your Nginx server by running ```nginx -s reload```.
Visit  [https://127.0.0.1](https://127.0.0.1). You will still see a red flag or "Not secure" sign in your browser saying that your certificate is invalid, but that it's because not signed by a third-part authority. Rest assured the content is served over secure channels.

In the [next chapter](https://blog.royalecheese.com/ssl-advanced-configuration-nginx-on-mac-part-4) we will look at some advanced ssl configuration options for better security, caching and optimisation.

