Mark Dain I've been playing around in OpenSSL all day and I finally got it to make a CA and a certificate. SSL labs seems happy aside from the untrusted root and "incomplete chain". Now I can sign certificates on the fly that all my devices will accept (including my phone)! Not sure how to solve the chain problem though.

🦿 Lucian Marin You simply have to do `cat yourdomain.crt ca.crt root.crt > ssl-bundle.crt` (in reverse order) then use ssl-bundle.crt as a chained certificate.

Mark Dain I tried that last night but nginx didn't like it and wouldn't start. Just tried it now and it seems to work!? I get an "A" (if trust issues are ignored). I didn't get this cert from a company, I created it in OpenSSL so I have no guidelines on how to do it properly. Ok, time to get an A+!