UPDATE - March 2018
The instructions below are now obsolete. There is now an option within Emby Server > Advanced to automatically configure Emby to advertise itself as HTTPS when going through a reverse proxy.
Secure Connection mode needs to be set to 'Handled By Reverse Proxy'
OLD Method Below
If you run Emby behind NGINX, you would normally connect to NGINX over HTTPS, and NGINX then forwards the request to Emby over your LAN using HTTP. This avoids decrypting and re-encrypting the traffic twice, which uses more CPU cycles.
However, if you use Emby Connect or Alexa for Emby, you will probably have noticed that the Emby Server Dashboard displays your external connection as HTTP on port 80, which means Alexa won't work, as it requires HTTPS on port 443.
So rather than create a double decrypt/encrypt scenario, we can edit the Emby system.xml file, which fakes Emby into advertising its external connections as HTTPS on port 443.
First we do need to create a real .pfx cert with a password. There are 2 ways to create an SSL cert:-
Once you have that, head over to your Emby Dashboard and go to Advanced.
Change your settings as follows:
Public HTTP - 80
Public HTTPS - 443
External Domain - your Emby subdomain
SSL Certificate - point it to your .pfx
Certificate password - your .pfx password
Require HTTPS - UNTICKED!
Save and Restart Emby.
Now head to your Emby Server install location. Normally on Windows it's C:\Users\%username%\AppData\Roaming\Emby-Server\config
Open up system.xml in Notepad or Notepad++ and look for the line
Change false to true.
Save and then restart Emby again.
Your Emby dashboard should now be advertising https:// on port 443.
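The proxy layout this post relies on (HTTPS from the client to NGINX, plain HTTP from NGINX to Emby over the LAN) looks like this as an NGINX server block. This is an added example, not configuration from the original post: the hostname, certificate paths and the backend address 192.168.1.10 are placeholders, and 8096 is assumed to be Emby's local HTTP port (its default).

```nginx
# Added example: placeholder names and paths, adjust to your install.
# The map block belongs in the http {} context, next to the server block.
map $http_upgrade $connection_upgrade {
    default upgrade;
    ''      close;
}

server {
    # TLS terminates here; this is the only listener exposed to the internet.
    listen 443 ssl;
    server_name emby.example.com;                      # placeholder: your Emby subdomain

    ssl_certificate     /etc/nginx/ssl/emby.crt;       # placeholder path (PEM certificate chain)
    ssl_certificate_key /etc/nginx/ssl/emby.key;       # placeholder path (PEM private key)
    ssl_protocols       TLSv1.2 TLSv1.3;

    location / {
        # Plain HTTP on the LAN leg, so traffic is decrypted only once.
        proxy_pass http://192.168.1.10:8096;           # placeholder: Emby host and local HTTP port
        proxy_http_version 1.1;

        # Tell the backend what the client actually used.
        proxy_set_header Host              $host;
        proxy_set_header X-Real-IP         $remote_addr;
        proxy_set_header X-Forwarded-For   $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto $scheme;

        # WebSocket upgrade headers, passed through for live client connections.
        proxy_set_header Upgrade    $http_upgrade;
        proxy_set_header Connection $connection_upgrade;
    }
}
```

Because the hop between NGINX and Emby is unencrypted, only port 443 on the NGINX host should be forwarded from the router; Emby's own HTTP port should stay reachable from the LAN only. NGINX takes the certificate and key as separate PEM files rather than the .pfx that Emby's settings page expects.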