Generating a Self Signed SSL Certificate in RHEL/CentOS 7

1. Overview

 

The Secure Sockets Layer (SSL) is a cryptographic protocol used to secure communication between users and a web server. The SSL certificate is used to encrypt the data session traveling across the internet. Self-signed certificates are free to use, but they are not trusted by any browser.

This guide shows how to create a self-signed certificate for the Apache web server on CentOS 7 or RHEL 7.

2. Prerequisites

 

This tutorial assumes that:

a. You already have a RHEL/CentOS 7 Linux server up and running. If you don't, you may want to read Minimal RHEL/CentOS 7 Installation With Logical Volume Manager (LVM).
b. You have already done the initial server setup. Please refer to Minimal RHEL/CentOS 7 Initial Server Setup.

3. Generate an SSL Certificate

3.1 Generate a Key File

 

First, create a new directory to store the private key. This directory must be kept strictly private, so set its permissions so that only the root user has access.

# mkdir -p /etc/ssl/private/techspacekh.com
# chmod -R 700 /etc/ssl/private/techspacekh.com

Go into the directory /etc/ssl/private/techspacekh.com that we have just created and use the openssl command to create the SSL key with a pass phrase as follows.

# cd /etc/ssl/private/techspacekh.com
# openssl genrsa -des3 -out techspacekh.com.key 2048
Generating RSA private key, 2048 bit long modulus
............+++
...............+++
e is 65537 (0x10001)
Enter pass phrase for techspacekh.com.key:
Verifying - Enter pass phrase for techspacekh.com.key:

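Next, remove the pass phrase from the private key that we have just generated by executing the following command. The key is then stored unencrypted, so Apache can load it without prompting, and the file permissions are all that protect it.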

# openssl rsa -in techspacekh.com.key -out techspacekh.com.key
Enter pass phrase for techspacekh.com.key:
writing RSA key

3.2 Generate a CSR File

 

After generating the private key, generate the CSR file from it by using the following command.

# openssl req -new -days 3650 -key techspacekh.com.key -out techspacekh.com.csr
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [XX]:KH
State or Province Name (full name) []:Cambodia
Locality Name (eg, city) [Default City]:Phnom Penh
Organization Name (eg, company) [Default Company Ltd]:Tech Space KH
Organizational Unit Name (eg, section) []:IT Infrastructure
Common Name (eg, your name or your server's hostname) []:techspacekh.com
Email Address []:sysadmin@techspacekh.com

Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:P@ssword2017
An optional company name []:Tech Space KH

Finally, generate the certificate file from the CSR file and the private key file created above by executing the following command.

# openssl x509 -in techspacekh.com.csr -out techspacekh.com.crt -req -signkey techspacekh.com.key -days 3650
Signature ok
subject=/C=KH/ST=Cambodia/L=Phnom Penh/O=Tech Space KH/OU=IT Infrastructure/CN=techspacekh.com/emailAddress=sysadmin@techspacekh.com
Getting Private key

For security reasons, set the following permissions on all files and create symbolic links as follows.

# chmod 400 techspacekh.com.*
# ln -s techspacekh.com.key web01.techspacekh.com.key
# ln -s techspacekh.com.crt web01.techspacekh.com.crt

# ll
total 12
-rw-r--r-- 1 root root 1391 Jun 19 14:42 techspacekh.com.crt
-rw-r--r-- 1 root root 1171 Jun 19 14:39 techspacekh.com.csr
-rw-r--r-- 1 root root 1675 Jun 19 14:30 techspacekh.com.key
lrwxrwxrwx 1 root root   19 Jun 19 14:49 web01.techspacekh.com.crt -> techspacekh.com.crt
lrwxrwxrwx 1 root root   19 Jun 19 14:49 web01.techspacekh.com.key -> techspacekh.com.key
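
Before installing the files, it is worth confirming that the steps above produced a consistent pair. The script below is an added example, not part of the original tutorial: it checks that the certificate matches the key, is self-signed, has not expired, and that the key file has no group or other permission bits. It assumes an openssl binary and GNU stat; the names check_pair, make_demo_pair and demo.example are made up for this example.

```shell
# check_pair KEY CRT: returns 0 only if every check below passes.
check_pair() {
    key=$1; crt=$2; rc=0

    # 1. The certificate must carry the public half of this private key.
    #    "-passin pass:" makes openssl fail instead of prompting if the
    #    key is still protected by a pass phrase.
    key_pub=$(openssl pkey -in "$key" -passin pass: -pubout 2>/dev/null)
    crt_pub=$(openssl x509 -in "$crt" -noout -pubkey 2>/dev/null)
    if [ -z "$key_pub" ] || [ "$key_pub" != "$crt_pub" ]; then
        echo "FAIL: $crt does not match $key"; rc=1
    fi

    # 2. Self-signed: issuer and subject are the same name.
    subj=$(openssl x509 -in "$crt" -noout -subject_hash 2>/dev/null)
    issr=$(openssl x509 -in "$crt" -noout -issuer_hash 2>/dev/null)
    if [ -z "$subj" ] || [ "$subj" != "$issr" ]; then
        echo "FAIL: issuer differs from subject"; rc=1
    fi

    # 3. The certificate must still be inside its validity period.
    if ! openssl x509 -in "$crt" -noout -checkend 0 >/dev/null 2>&1; then
        echo "FAIL: $crt has expired or cannot be read"; rc=1
    fi

    # 4. With the pass phrase removed, file mode is the key's only
    #    protection: no group/other bits (-L follows the web01.* symlinks).
    case $(stat -L -c %a "$key" 2>/dev/null) in
        [0-7]00) ;;
        *) echo "FAIL: $key is accessible to group or other"; rc=1 ;;
    esac
    if [ "$rc" -eq 0 ]; then echo "OK: $key matches $crt"; fi
    return "$rc"
}

# Constructed sample input: a throwaway demo.example pair in directory $1.
make_demo_pair() {
    openssl genrsa -out "$1/demo.key" 2048 2>/dev/null &&
    openssl req -new -x509 -key "$1/demo.key" -subj "/CN=demo.example" \
        -days 1 -out "$1/demo.crt" 2>/dev/null &&
    chmod 400 "$1/demo.key"
}

# With two arguments check those files, otherwise run on the demo pair.
if [ "$#" -eq 2 ]; then check_pair "$1" "$2"; else
    demo=$(mktemp -d) && make_demo_pair "$demo" &&
        check_pair "$demo/demo.key" "$demo/demo.crt"
    rm -rf "$demo"
fi
```

Saved as a script and run from /etc/ssl/private/techspacekh.com, it takes the key and certificate as its two arguments, for example web01.techspacekh.com.key and web01.techspacekh.com.crt.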

After you have installed this certificate on the Apache web server, you can view its information in the web browser as shown in the picture below.

7. Conclusion

 

Having finished this article, you should now be able to generate a self-signed SSL certificate to install on your Apache web server. Hopefully, you find this guide informative. If you have any questions or suggestions, you can always leave your comments below. I will try my best to review and reply to them.
