Create an SSL certificate
You can create your own SSL certificate with the OpenSSL binary. You have three options for getting it signed: send a certificate request to a certificate authority (CA), sign the request yourself if you have your own certificate authority, or use a self-signed certificate (because you just want a test certificate or because you are setting up your own CA).
NOTE: The current Bitnami GitLab installation already includes the server.key private key and the server.crt certificate. It is strongly recommended to back up these files before creating new ones. Run the following commands to make sure that you save a copy of the current self-signed certificates:
$ sudo mv /etc/gitlab/ssl/server.crt /etc/gitlab/ssl/server.crt.back
$ sudo mv /etc/gitlab/ssl/server.key /etc/gitlab/ssl/server.key.back
Generate a new private key:
$ sudo openssl genrsa -out /etc/gitlab/ssl/server.key 2048
Create a certificate signing request (CSR):
$ sudo openssl req -new -key /etc/gitlab/ssl/server.key -out /etc/gitlab/ssl/cert.csr
IMPORTANT: Enter the server domain name when the above command asks for the “Common Name”.
Send cert.csr to the certificate authority. When the certificate authority has completed its checks (and probably received payment from you), it will hand over your new certificate to you.
Until the certificate is received, create a temporary self-signed certificate:
$ sudo openssl x509 -in /etc/gitlab/ssl/cert.csr -out /etc/gitlab/ssl/server.crt -req -signkey /etc/gitlab/ssl/server.key -days 365
Back up your private key in a safe location after generating a password-protected version as follows:
$ sudo openssl rsa -des3 -in /etc/gitlab/ssl/server.key -out privkey.pem
Note that if you use this encrypted key in the configuration file, GitLab won’t be able to start Nginx after any gitlab-ctl reconfigure command. Regenerate the key without password protection from this file as follows:
$ sudo openssl rsa -in privkey.pem -out /etc/gitlab/ssl/server.key
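Before running gitlab-ctl reconfigure, the new pair can be checked for the problems this procedure can produce: a passphrase-protected key, a certificate that belongs to a different key, an expired certificate, or a Common Name that does not match the server. The script below is an added example, not part of the original Bitnami instructions; the function names, the scratch directory and the host name gitlab.example.test are assumptions.

```shell
#!/bin/sh
# Added example: pre-flight check for a key/certificate pair before it is
# used from /etc/gitlab/ssl. Function names are hypothetical.

# Build a constructed sample pair with the page's commands in a scratch
# directory (-subj supplies the Common Name without the interactive prompt).
make_sample_pair() {   # $1 = directory, $2 = Common Name
    openssl genrsa -out "$1/server.key" 2048 2>/dev/null &&
    openssl req -new -key "$1/server.key" -subj "/CN=$2" -out "$1/cert.csr" &&
    openssl x509 -req -in "$1/cert.csr" -signkey "$1/server.key" \
        -days 365 -out "$1/server.crt" 2>/dev/null
}

# Print "ok" and return 0 if the pair is usable; otherwise print the first
# failed check and return 1.
check_pair() {         # $1 = key, $2 = certificate, $3 = expected host name
    # Encrypted PEM keys carry one of these two header lines.
    if grep -Eq '^(-----BEGIN ENCRYPTED|Proc-Type: 4,ENCRYPTED)' "$1"; then
        echo "key is passphrase-protected"; return 1
    fi
    key_pub=$(openssl pkey -in "$1" -pubout 2>/dev/null) || {
        echo "key is unreadable"; return 1; }
    crt_pub=$(openssl x509 -in "$2" -noout -pubkey 2>/dev/null) || {
        echo "certificate is unreadable"; return 1; }
    # The certificate must contain the public half of this private key.
    if [ "$key_pub" != "$crt_pub" ]; then
        echo "certificate does not belong to this key"; return 1
    fi
    if ! openssl x509 -in "$2" -noout -checkend 0 >/dev/null; then
        echo "certificate has expired"; return 1
    fi
    if ! openssl x509 -in "$2" -noout -checkhost "$3" | grep -q 'does match'; then
        echo "certificate does not cover $3"; return 1
    fi
    echo "ok"
}
```

Against the real files, run check_pair with sudo on /etc/gitlab/ssl/server.key and /etc/gitlab/ssl/server.crt, passing the server domain name as the third argument.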
Find more information about certificates at http://www.openssl.org.