this post was submitted on 25 Jan 2025

homelab

I recently generated a self-signed cert to use with NGINX via its GUI.

  1. Generate cert and key
  2. Upload these via the GUI
  3. Apply to each Proxy Host

Now when I visit my internal sites (eg, jellyfin.home) I get a warning (because this cert is not signed by a trusted CA) but the connection is https.

My question is, does this mean that my connection is fully encrypted from my client (eg my laptop) to my server hosting Jellyfin? I understand that when I go to jellyfin.home, my PiHole resolves this to NGINX, then NGINX completes the connection to the IP:port it has configured and uses the cert it has assigned to this proxy host, but the Jellyfin server itself does not have any certs installed on it.

[–] N0x0n@lemmy.ml 1 points 4 weeks ago* (last edited 4 weeks ago)

https://we.tl/t-JuecCJUxc0

This is an extract from Demystifying Cryptography with OpenSSL 3.0: Discover the best techniques to enhance your network security with OpenSSL 3.0! It's really a good read and helped me to make a secure and self-signed certificate environment. In this example though he uses the ED448 algorithm, which won't work on most browsers (if any...).

Last year when I followed this tutorial I also tried EdDSA with Curve25519, but here too TLS wasn't working and the certificate just got rejected by Firefox. See here! It seems resolved though, so you can give it a shot :).

Else just fall back to RSA and longer keys. Why? Just to quote something else from the book:

NIST curves are developed by NSA and standardized by NIST. Brainpool curves are proposed by the Brainpool workgroup, a group of cryptographers that were dissatisfied with NIST curves because NIST curves were not verifiably randomly generated, so they may have intentionally or accidentally weak security.

Hope it helps :)
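As an added example (not from the book, the commenter, or the original poster's setup): a POSIX shell script that generates a self-signed certificate for an internal name such as jellyfin.home, with a subjectAltName (modern browsers ignore the CN alone), lets you choose RSA or Ed25519 so you can try the key types discussed in the comment above, and reads the key algorithm back out of the resulting certificate. It also includes a check for the point raised in the original question: the browser warning only describes the hop from the laptop to NGINX; if the proxy host forwards to http://ip:port, that second hop to Jellyfin is plaintext on the LAN, and you can confirm what the backend speaks with openssl s_client. Assumed: openssl 1.1.1 or newer on PATH (needed for -addext and Ed25519); the function names, file names and the 10.0.0.5:8096 backend address are mine, not from the thread.

```shell
#!/bin/sh
# Added example; not code from the book or the thread.
# Requires openssl >= 1.1.1 (assumed) for -addext and Ed25519 keys.
set -eu

# make_selfsigned <hostname> <outdir> [keyalg] [days]
#   keyalg is an openssl -newkey argument: rsa:4096 (default), rsa:2048, ed25519
# Writes <outdir>/<hostname>.key and <outdir>/<hostname>.crt.
make_selfsigned() {
  host="$1"; outdir="$2"; keyalg="${3:-rsa:4096}"; days="${4:-825}"
  mkdir -p "$outdir"
  # -addext puts the hostname in the SAN, which browsers require for hostname
  # matching; keyUsage/extendedKeyUsage mark it as a server certificate.
  openssl req -x509 -newkey "$keyalg" -nodes \
    -keyout "$outdir/$host.key" -out "$outdir/$host.crt" \
    -days "$days" -subj "/CN=$host" \
    -addext "subjectAltName=DNS:$host" \
    -addext "keyUsage=digitalSignature,keyEncipherment" \
    -addext "extendedKeyUsage=serverAuth" 2>/dev/null
  chmod 600 "$outdir/$host.key"   # private key is only for the proxy
}

# Print the public key algorithm recorded in a certificate
# (e.g. "rsaEncryption" or "ED25519").
cert_key_algo() {
  openssl x509 -in "$1" -noout -text \
    | sed -n 's/^ *Public Key Algorithm: *//p' | head -n 1
}

# Print the DNS names in the certificate's subjectAltName, one per line.
cert_sans() {
  openssl x509 -in "$1" -noout -text \
    | grep -o 'DNS:[^,[:space:]]*' | sed 's/^DNS://'
}

# backend_tls_check <host:port>
# Prints "tls" if the backend itself completes a TLS handshake, else "no-tls".
# A proxy host pointed at http://10.0.0.5:8096 (assumed address) sends that hop
# in plaintext no matter which certificate the browser sees from NGINX.
backend_tls_check() {
  if openssl s_client -connect "$1" </dev/null 2>/dev/null \
       | grep -q 'BEGIN CERTIFICATE'; then
    echo "tls"
  else
    echo "no-tls"
  fi
}

# Stand-alone usage (assumed file name):
#   sh selfsigned.sh jellyfin.home ./certs [rsa:4096|ed25519]
if [ $# -ge 2 ]; then
  make_selfsigned "$1" "$2" "${3:-rsa:4096}"
  echo "key algorithm: $(cert_key_algo "$2/$1.crt")"
  echo "SANs:          $(cert_sans "$2/$1.crt" | tr '\n' ' ')"
  echo "backend hop:   $(backend_tls_check 10.0.0.5:8096)"
fi
```

Upload the .crt and .key that this writes through the proxy GUI exactly as in the original steps. If backend_tls_check reports no-tls for the Jellyfin address, the proxy-to-Jellyfin hop is unencrypted; the fix is either to install a certificate on Jellyfin as well and point the proxy host at https://, or to accept that only the client-to-proxy segment is protected.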