Generating a Self Signed SSL Certificate in RHEL/CentOS 7

1. Overview


The Secure Sockets Layer (SSL) is a cryptographic protocol used for securing communication between users and a web server. The SSL certificate is used to encrypt the data session traveling over the internet. A self-signed certificate is free to use, but it is not trusted by any browser.

This guide shows how to create a self-signed certificate for the Apache web server on CentOS 7 or RHEL 7.

2. Prerequisites


In this tutorial, it is assumed that:

a. You already have a RHEL/CentOS 7 Linux server installed and running. If you don't, you may want to read Minimal RHEL/CentOS 7 Installation With Logical Volume Manager (LVM).
b. You have already done the initial server setup. Please refer to Minimal RHEL/CentOS 7 Initial Server Setup.

3. Generate an SSL Certificate

3.1 Generate a Key File


First of all, we need to create a new directory to store our private key. This directory must be kept strictly private, so we modify the permissions to make sure only the root user has access.

# mkdir -p /etc/ssl/private/
# chmod -R 700 /etc/ssl/private/

Go into the directory /etc/ssl/private/ that we have just created and use the openssl command to create the SSL key with a pass phrase as follows.

# cd /etc/ssl/private/
# openssl genrsa -des3 -out 2048
Generating RSA private key, 2048 bit long modulus
e is 65537 (0x10001)
Enter pass phrase for
Verifying - Enter pass phrase for

Next, we need to remove the pass phrase from the private key that we have just generated by executing the following command.

# openssl rsa -in -out
Enter pass phrase for
writing RSA key

3.2 Generate a CSR File


After generating the private key, we need to generate the CSR file using the private key file created in the above step with the following command.

# openssl req -new -days 3650 -key -out
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
Country Name (2 letter code) [XX]:KH
State or Province Name (full name) []:Cambodia
Locality Name (eg, city) [Default City]:Phnom Penh
Organization Name (eg, company) [Default Company Ltd]:Tech Space KH
Organizational Unit Name (eg, section) []:IT Infrastructure
Common Name (eg, your name or your server's hostname) []
Email Address []

Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:P@ssword2017
An optional company name []:Tech Space KH

Finally, we can generate the certificate file from the CSR file and the private key file that we created above by executing the following command.

# openssl x509 -in -out -req -signkey -days 3650
Signature ok
subject=/C=KH/ST=Cambodia/L=Phnom Penh/O=Tech Space KH/OU=IT Infrastructure/
Getting Private key

For security reasons, set the following permissions on all files and create symbolic links as follows.

# chmod 400*
# ln -s
# ln -s

# ll
total 12
-rw-r--r-- 1 root root 1391 Jun 19 14:42
-rw-r--r-- 1 root root 1171 Jun 19 14:39
-rw-r--r-- 1 root root 1675 Jun 19 14:30
lrwxrwxrwx 1 root root   19 Jun 19 14:49 ->
lrwxrwxrwx 1 root root   19 Jun 19 14:49 ->
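
The steps of section 3 can also be run without prompts and then checked. The script below is an added example, not part of the original tutorial: the file names example.key, example.csr and example.crt, the subject values and the function names are hypothetical placeholders, and it writes the key without a pass phrase in one step (the same end state as generating it with a pass phrase and then removing it).

```shell
#!/bin/sh
# Added example: file names (example.key/.csr/.crt) and the subject are
# hypothetical placeholders, not values from the original tutorial.

# Create key, CSR and self-signed certificate in directory $1 for host name $2.
make_selfsigned() {
    dir=$1; cn=$2
    (
        umask 077                        # new files readable by owner only
        mkdir -p "$dir" && cd "$dir" || exit 1
        openssl genrsa -out example.key 2048 2>/dev/null || exit 1
        # -subj supplies the Distinguished Name without the interactive prompts
        openssl req -new -key example.key -out example.csr \
            -subj "/C=KH/O=Example Org/CN=$cn" || exit 1
        # Sign the CSR with its own key: issuer and subject end up identical
        openssl x509 -req -in example.csr -signkey example.key \
            -out example.crt -days 3650 2>/dev/null || exit 1
        chmod 400 example.key example.csr example.crt
    )
}

# Return 0 only if the key matches the certificate, the certificate is
# self-issued, and the private key is not readable by group or others.
check_pair() {
    dir=$1
    cert_pub=$(openssl x509 -in "$dir/example.crt" -noout -pubkey) || return 1
    key_pub=$(openssl pkey -in "$dir/example.key" -pubout 2>/dev/null) || return 1
    [ "$cert_pub" = "$key_pub" ] || { echo "key/cert mismatch" >&2; return 2; }

    subject=$(openssl x509 -in "$dir/example.crt" -noout -subject)
    issuer=$(openssl x509 -in "$dir/example.crt" -noout -issuer)
    [ "${subject#*=}" = "${issuer#*=}" ] || { echo "not self-issued" >&2; return 3; }

    mode=$(stat -c %a "$dir/example.key")      # GNU stat, as on RHEL/CentOS
    case $mode in
        400|600) ;;
        *) echo "private key mode $mode is too open" >&2; return 4 ;;
    esac
}
```

Running check_pair before pointing Apache at the files catches the two common mistakes in this procedure: a certificate paired with the wrong key, and a private key left world-readable.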

After you have installed this certificate on the Apache web server, you can view its information in the web browser as shown in the picture below.

7. Conclusion


Having finished this article, you should now be able to generate a self-signed SSL certificate to be installed on your Apache web server. Hopefully, you find this guide informative. If you have any questions or suggestions, you can always leave your comments below. I will do my best to review and reply to them.