openssl genrsa -out ca.key 4096.openssl req -new -x509 -key ca.key -out ca.crtopenssl genrsa -out machine_name.key 4096.openssl rsa -in example.org.key -pubout -out machine_name.pubkey.openssl req -new -key machine_name.key -out machine_name.csr.Create and sign the certificate for the machine: openssl x509 -req -in machine_name.csr -CA ca.crt -CAkey ca.key -CAcreateserial -out machine_name.crt.
ssl_certificate /path/to/certificate/machine;
ssl_certificate_key /path/to/key/certificate/machine;
ssl_trusted_certificate /path/to/certificate/authority;
service nginx reload.cp oldCA.crt oldCA.crt.old.openssl req -new -keyCA.key -out newCA.csr.Use the same private key as the old certificate.
Caution: Configure the response file as the old certificate (exactly the same answers to the following questions). If this is not respected, then the certificate will not be considered a trusted certificate.
openssl x509 -req -days 365 -in newCA.csr -signkeyCA.key -out newCA.crt.openssl verify -CAfile newCA.crt -verbose certificateServerAlreadyExisting.crt.