One-liner OpenSSL Self-Signed Certificate? Yes, please
$ openssl req -new -newkey rsa:4096 -days 3650 -nodes -x509 -keyout hixxxxxxxx.onion.key -out hixxxxxxxx.onion.crt
Stick it in your nginx configuration.
OCSP stapling isn't needed because the certificate is self-signed, so the stapling directives are commented out.
ssl_certificate /etc/ssl/certs/hixxxxxxxx.onion.crt;
ssl_certificate_key /etc/ssl/private/hixxxxxxxx.onion.key;
ssl_prefer_server_ciphers on;
ssl_protocols TLSv1.2;
ssl_ecdh_curve secp384r1;
ssl_session_timeout 10m;
ssl_session_tickets off;
#ssl_stapling on;
#ssl_stapling_verify on;
#ssl_trusted_certificate /etc/blah/blah/blah.pem;
resolver 127.0.0.1 8.8.8.8 valid=300s;
resolver_timeout 2s;
We're good to go.
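
A non-interactive variant of the one-liner, plus the checks worth running before nginx loads the pair, as an added example that is not part of the original post. The function names `make_selfsigned` and `check_pair` are made up here, and `-addext` assumes OpenSSL 1.1.1 or newer.

```shell
#!/bin/sh
# Added example, not from the original post. Needs OpenSSL 1.1.1+ for -addext.
# make_selfsigned and check_pair are names invented for this example.

# make_selfsigned HOST DIR [BITS]: the one-liner, made non-interactive.
make_selfsigned() {
    host=$1 dir=$2 bits=${3:-4096}
    # Subshell so the umask change does not leak; the key is created 0600.
    ( umask 077
      openssl req -new -newkey "rsa:$bits" -days 3650 -nodes -x509 \
          -subj "/CN=$host" -addext "subjectAltName=DNS:$host" \
          -keyout "$dir/$host.key" -out "$dir/$host.crt" ) || return 1
    chmod 644 "$dir/$host.crt"    # the certificate itself is public
}

# check_pair KEY CRT: 0 if the pair is fit to reference from
# ssl_certificate_key / ssl_certificate, non-zero with a reason otherwise.
check_pair() {
    key=$1 crt=$2
    pub_key=$(openssl pkey -in "$key" -pubout 2>/dev/null) ||
        { echo "cannot read private key: $key" >&2; return 1; }
    pub_crt=$(openssl x509 -in "$crt" -noout -pubkey 2>/dev/null) ||
        { echo "cannot read certificate: $crt" >&2; return 1; }
    # nginx refuses to start on a mismatch; catch it before a reload.
    [ "$pub_key" = "$pub_crt" ] ||
        { echo "key does not match certificate" >&2; return 2; }
    # Self-signed: must verify with itself as the only trust anchor.
    openssl verify -CAfile "$crt" "$crt" >/dev/null 2>&1 ||
        { echo "certificate is not self-signed" >&2; return 3; }
    # -nodes leaves the key unencrypted, so file mode is its only protection.
    [ "$(ls -ld "$key" | cut -c5-10)" = "------" ] ||
        { echo "key is readable by group/other" >&2; return 4; }
    # -checkend exits non-zero if the cert expires within the given seconds.
    openssl x509 -in "$crt" -noout -checkend 2592000 >/dev/null ||
        { echo "certificate expires within 30 days" >&2; return 5; }
}

# Usage: sh selfsigned.sh hixxxxxxxx.onion /some/scratch/dir
if [ "$#" -ge 2 ]; then
    make_selfsigned "$1" "$2" && check_pair "$2/$1.key" "$2/$1.crt"
fi
```

Generate into a scratch directory, then move the files to the /etc/ssl/private and /etc/ssl/certs paths the configuration refers to.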