Create an SSL certificate

You can create your own SSL certificate with the OpenSSL binary. A certificate request can then be sent to a certificate authority (CA) to get it signed into a certificate, or if you have your own certificate authority, you may sign it yourself, or you can use a self-signed certificate (because you just want a test certificate or because you are setting up your own CA).

NOTE: The current Bitnami GitLab installation already includes the server.key and the server.crt certificates. It is strongly recommended to back up these files before create a new ones. Run the following commands to make sure that you save a copy of the current self-signed certificates:

   $ sudo mv /etc/gitlab/ssl/server.crt /etc/gitlab/ssl/server.crt.back
   $ sudo mv /etc/gitlab/ssl/server.key /etc/gitlab/ssl/server.key.back
  • Generate a new private key:

    $ sudo openssl genrsa -out /etc/gitlab/ssl/conf/server.key 2048
  • Create a certificate:

    $ sudo openssl req -new -key /etc/gitlab/ssl/server.key -out  /etc/gitlab/ssl/cert.csr

    IMPORTANT: Enter the server domain name when the above command asks for the “Common Name”.

  • Send cert.csr to the certificate authority. When the certificate authority completes their checks (and probably received payment from you), they will hand over your new certificate to you.

  • Until the certificate is received, create a temporary self-signed certificate:

    $ sudo openssl x509 -in  /etc/gitlab/ssl/cert.csr -out  /etc/gitlab/ssl/server.crt -req -signkey  /etc/gitlab/ssl/server.key -days 365
  • Back up your private key in a safe location after generating a password-protected version as follows:

    $ sudo openssl rsa -des3 -in  /etc/gitlab/ssl/server.key -out privkey.pem

Note that if you use this encrypted key in the configuration file, GitLab won’t be able to start Nginx after any gitlab-ctl reconfigure command. Regenerate the key without password protection from this file as follows:

    $ sudo openssl rsa -in privkey.pem -out  /etc/gitlab/ssl/server.key

Find more information about certificates at http://www.openssl.org.

Last modification December 17, 2018