[GH-ISSUE #593] Generation of self-signed certificates #496

Open
opened 2026-02-26 06:33:07 +03:00 by kerem · 29 comments

Originally created by @typoworx-de on GitHub (Sep 3, 2020).
Original GitHub issue: https://github.com/NginxProxyManager/nginx-proxy-manager/issues/593

Is your feature request related to a problem? Please describe.
I'm running a docker instance in an intranet/private network and require https for some docker instances (like docker-registry). The private LAN runs on the TLD ".lan", so it's not possible to use letsencrypt by routing the domain name over the router, as letsencrypt only supports domains/TLDs reachable from the intranet.

Describe the solution you'd like
I noticed nginx-proxy-manager already supports custom certs, which is awesome! I would love to have an additional option in that dropdown in the "SSL Certificates" section that could be named "Create self-signed certificate" and then routes this request to e.g. the Linux tool mkcert.

https://blog.filippo.io/mkcert-valid-https-certificates-for-localhost/

```
mkcert my-private-domain.lan
```

Describe alternatives you've considered
I could run mkcert on my local machine and manually upload the cert files into nginx-proxy-manager.

Additional context
I think I'm not the only user who runs a docker instance in a private LAN, and I think this feature would support/help other users as well.


@typoworx-de commented on GitHub (Sep 3, 2020):

As a short proof-of-concept I've run a shell console on my nginx-proxy-manager docker instance, trying this:

```
[root@docker-nginx-ssl-proxy:/usr/local/bin]# wget https://github.com/FiloSottile/mkcert/releases/download/v1.4.1/mkcert-v1.4.1-linux-amd64
[root@docker-nginx-ssl-proxy:/usr/local/bin]# mv mkcert-v1.4.1-linux-amd64 mkcert
[root@docker-nginx-ssl-proxy:/usr/local/bin]# mkcert *.typoworx.lan
Using the local CA at "/root/.local/share/mkcert" ✨

Created a new certificate valid for the following names 📜
 - "*.test.lan"

Reminder: X.509 wildcards only go one level deep, so this won't match a.b.typoworx.lan ℹ️

The certificate is at "./_wildcard.typoworx.lan.pem" and the key at "./_wildcard.typoworx.lan-key.pem" ✅
```

@bitsvital commented on GitHub (Apr 22, 2021):

For now I use minica. It's super easy. Just spin up an ubuntu:20.04 docker. I have all the instructions written out. If you want the instructions just message me and I'll send them over to you.
https://github.com/jsha/minica


@WillJBrown commented on GitHub (May 16, 2021):

I'd be interested in those instructions if it automates the process a little more than what typoworx-de described


@jc21 commented on GitHub (May 16, 2021):

The mkcert binary is shipped with the docker image, but it's not used by the software yet. I was planning to add it as an option on the SSL dropdown, but other things have taken more priority. PR's are welcome :)


@bitsvital commented on GitHub (May 17, 2021):

> I'd be interested in those instructions if it automates the process a little more than what typoworx-de described

Hi @WillJBrown,
I actually created a docker image that does it for you. I have all the instructions typed out in the repository. You can use the docker image or just spin up an Ubuntu image yourself; the instructions are about the same. If you run into any problems, questions, or need any help, just let me know. I'll be more than happy to help you.
Here is the docker image:
https://hub.docker.com/r/bitsvital/minica-bv


@WillJBrown commented on GitHub (May 18, 2021):

Thanks for that @bitsvital. I got it working today thanks to your page. You might like to clarify that the cert you have to share with clients is the root minica one, whereas the one npm needs is the domain-specific one. Also thanks to you @jc21 for npm; it's made all the local proxies I set up today so much easier. I don't know any web dev, otherwise I would definitely work on a pull request to get this implemented. My knowledge is more in C#, Fortran, Python, etc. Apologies.


@bitsvital commented on GitHub (May 18, 2021):

@WillJBrown no problem. Thanks for the FYI. I will update that this evening. Feel free to contact me anytime if you need further assistance.


@Albonycal commented on GitHub (Jan 19, 2022):

any updates on this?


@bonelifer commented on GitHub (Jul 27, 2022):

Having mkcert would be awesome as some of my homelab is local only.


@ThomasHineXYZ commented on GitHub (Feb 4, 2023):

Is there any update for this?


@onlineapps-cloud commented on GitHub (Mar 18, 2023):

Any updates?


@tapionx commented on GitHub (Oct 21, 2023):

It would be nice to have this!


@flavienbwk commented on GitHub (Dec 4, 2023):

Indeed it might be nice. It looks like it was possible before (https://github.com/NginxProxyManager/nginx-proxy-manager/issues/576#issuecomment-679076377). Why was it removed?


@github-actions[bot] commented on GitHub (Jul 8, 2024):

Issue is now considered stale. If you want to keep it open, please comment 👍


@flavienbwk commented on GitHub (Jul 8, 2024):

Community wants to keep it open


@onlineapps-cloud commented on GitHub (Jul 8, 2024):

agree with you.


@robnewport commented on GitHub (Jul 8, 2024):

Please keep this open and active.


@W1BTR commented on GitHub (Sep 26, 2024):

This is still a much wanted feature! Would love to see this added.


@an0o0nym commented on GitHub (Sep 29, 2024):

I would also love to see it working with NPM!


@github-actions[bot] commented on GitHub (May 5, 2025):

Issue is now considered stale. If you want to keep it open, please comment 👍


@flavienbwk commented on GitHub (May 5, 2025):

👍


@tapionx commented on GitHub (May 5, 2025):

yes


@huco95 commented on GitHub (May 9, 2025):

👍


@noto10 commented on GitHub (Jun 4, 2025):

👍


@r-nd-m commented on GitHub (Jun 4, 2025):

👍


@alexunderboots commented on GitHub (Jun 11, 2025):

+

@itzTheMeow commented on GitHub (Aug 26, 2025):

@jc21 is this something I am able to work on? I saw elsewhere you were redoing the frontend in react, would this interfere?


@jc21 commented on GitHub (Aug 26, 2025):

Yeah, it might interfere with the React rewrite. Given the explanation on #4525, wouldn't using a separate self-hosted CA be better? The only limitation is that this project doesn't properly support using a specific CA URL in the certbot command on a per-certificate basis.

For example, in the test stack (https://github.com/NginxProxyManager/nginx-proxy-manager/blob/develop/docker/docker-compose.ci.yml), I spin up a StepCA container and PowerDNS; when I request a cert for `website.example.com`, it's able to issue a certificate locally. PowerDNS is only required for DNS01 certs. In order for this to work, these env vars are present:

```
LE_SERVER: 'https://ca.internal/acme/acme/directory'
REQUESTS_CA_BUNDLE: '/etc/ssl/certs/NginxProxyManager.crt'
```

If they could be defined on a per-certificate level in NPM, then you'd be set to provision your own stuff.

In my v3 prototype I was working on the principle of having CertificateAuthorities rows (https://github.com/NginxProxyManager/nginx-proxy-manager/blob/v3/backend/embed/migrations/postgres/20201013035318_initial_schema.sql#L69) that would be selectable when requesting certs (https://github.com/NginxProxyManager/nginx-proxy-manager/blob/v3/backend/embed/migrations/postgres/20201013035839_initial_data.sql#L65).

_A little bit off topic, but I know this question is going to come up: instead of pumping a lot of effort into finishing v3, I'm trying to backport concepts back into v2 slowly until it is eventually v3. The first thing is React._


@itzTheMeow commented on GitHub (Aug 26, 2025):

The certificate authority table approach seems best. Currently the way I am generating certificates is using openssl, rather than a URL or ACME server.

```bash
openssl x509 -req -in example.internal.csr -CA exampleCA.pem -CAkey exampleCA.key \
  -CAcreateserial -out example.internal.crt -days 825 -sha256 -extfile example.internal.ext
```