The Secure Sockets Layer (SSL) is a cryptographic protocol used to secure communication between users and a web server. The SSL certificate encrypts the data session traveling through the internet. Self-signed certificates are free to use, but they are not trusted by any browser.
This guide shows how to create a self-signed certificate for the Apache web server on CentOS 7 or RHEL 7.
This tutorial assumes that:
a. You already have a RHEL/CentOS 7 Linux server installed and running. If you don't, you may want to read Minimal RHEL/CentOS 7 Installation With Logical Volume Manager (LVM).
b. You have already done the initial server setup. Please refer to Minimal RHEL/CentOS 7 Initial Server Setup.
3. Generate an SSL Certificate
3.1 Generate a Key File
First of all, we need to create a new directory to store our private key. This directory must be kept strictly private, so we modify its permissions to make sure only the root user has access.
    # mkdir -p /etc/ssl/private/techspacekh.com
    # chmod -R 700 /etc/ssl/private/techspacekh.com
Go into the directory /etc/ssl/private/techspacekh.com that we have just created and use the openssl command to create the SSL key with a pass phrase as follows.
    # cd /etc/ssl/private/techspacekh.com
    # openssl genrsa -des3 -out techspacekh.com.key 2048
    Generating RSA private key, 2048 bit long modulus
    ............+++
    ...............+++
    e is 65537 (0x10001)
    Enter pass phrase for techspacekh.com.key:
    Verifying - Enter pass phrase for techspacekh.com.key:
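Next, we need to remove the pass phrase from the private key that we have just generated by executing the following command. The key is then stored unencrypted on disk, so the directory and file permissions are its only protection.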
    # openssl rsa -in techspacekh.com.key -out techspacekh.com.key
    Enter pass phrase for techspacekh.com.key:
    writing RSA key
3.2 Generate a CSR File
After generating the private key, we need to generate the CSR file from the private key file created in the step above by using the following command.
    # openssl req -new -days 3650 -key techspacekh.com.key -out techspacekh.com.csr
    You are about to be asked to enter information that will be incorporated
    into your certificate request.
    What you are about to enter is what is called a Distinguished Name or a DN.
    There are quite a few fields but you can leave some blank
    For some fields there will be a default value,
    If you enter '.', the field will be left blank.
    -----
    Country Name (2 letter code) [XX]:KH
    State or Province Name (full name) :Cambodia
    Locality Name (eg, city) [Default City]:Phnom Penh
    Organization Name (eg, company) [Default Company Ltd]:Tech Space KH
    Organizational Unit Name (eg, section) :IT Infrastructure
    Common Name (eg, your name or your server's hostname) :techspacekh.com
    Email Address :email@example.com

    Please enter the following 'extra' attributes
    to be sent with your certificate request
    A challenge password :P@ssword2017
    An optional company name :Tech Space KH
Finally, we can generate the certificate file from the CSR file and the private key file that we created above by executing the following command.
    # openssl x509 -in techspacekh.com.csr -out techspacekh.com.crt -req -signkey techspacekh.com.key -days 3650
    Signature ok
    subject=/C=KH/ST=Cambodia/L=Phnom Penh/O=Tech Space KH/OU=IT Infrastructure/CN=techspacekh.com/emailAddressfirstname.lastname@example.org
    Getting Private key
For security reasons, set the following permissions on all files and create symbolic links as follows.
    # chmod 400 techspacekh.com.*
    # ln -s techspacekh.com.key web01.techspacekh.com.key
    # ln -s techspacekh.com.crt web01.techspacekh.com.crt
    # ll
    total 12
    -rw-r--r-- 1 root root 1391 Jun 19 14:42 techspacekh.com.crt
    -rw-r--r-- 1 root root 1171 Jun 19 14:39 techspacekh.com.csr
    -rw-r--r-- 1 root root 1675 Jun 19 14:30 techspacekh.com.key
    lrwxrwxrwx 1 root root 19 Jun 19 14:49 web01.techspacekh.com.crt -> techspacekh.com.crt
    lrwxrwxrwx 1 root root 19 Jun 19 14:49 web01.techspacekh.com.key -> techspacekh.com.key
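The steps of section 3 as a non-interactive script that also checks its own result, added here as an example and not part of the original article. It works in a scratch directory from mktemp instead of /etc/ssl/private, and the function names and the shortened subject fields are assumptions.

```shell
#!/bin/sh
# Added example, not from the original article. It runs in a scratch
# directory (assumption), never in /etc/ssl/private.

# gen_selfsigned DIR CN: key -> CSR -> self-signed certificate (3.1, 3.2).
gen_selfsigned() {
    gs_dir=$1; gs_cn=$2
    mkdir -p "$gs_dir" && chmod 700 "$gs_dir" || return 1
    (   umask 077                      # files are private from creation
        cd "$gs_dir" || exit 1
        # No -des3: the article strips the pass phrase right after adding it.
        openssl genrsa -out "$gs_cn.key" 2048 2>/dev/null &&
        openssl req -new -key "$gs_cn.key" -out "$gs_cn.csr" \
            -subj "/C=KH/O=Tech Space KH/CN=$gs_cn" &&
        openssl x509 -req -in "$gs_cn.csr" -signkey "$gs_cn.key" \
            -out "$gs_cn.crt" -days 3650 2>/dev/null &&
        chmod 400 "$gs_cn.key" "$gs_cn.csr" "$gs_cn.crt"
    )
}

# key_matches_cert KEY CRT: true when both carry the same public key.
key_matches_cert() {
    kc_k=$(openssl pkey -in "$1" -pubout 2>/dev/null) || return 1
    kc_c=$(openssl x509 -in "$2" -noout -pubkey 2>/dev/null) || return 1
    [ -n "$kc_k" ] && [ "$kc_k" = "$kc_c" ]
}

# is_self_issued CRT: true when issuer and subject names are identical,
# so the certificate does not chain to any CA a browser already trusts.
is_self_issued() {
    si_s=$(openssl x509 -in "$1" -noout -subject_hash 2>/dev/null) || return 1
    si_i=$(openssl x509 -in "$1" -noout -issuer_hash 2>/dev/null) || return 1
    [ -n "$si_s" ] && [ "$si_s" = "$si_i" ]
}

# key_is_private FILE: true when group and others have no permission bits.
key_is_private() {
    [ "$(ls -ld "$1" | cut -c5-10)" = "------" ]
}

# Demo on constructed data: generate, then run every check.
demo_dir=$(mktemp -d) || exit 1
gen_selfsigned "$demo_dir" techspacekh.com || exit 1
for check in "key_matches_cert $demo_dir/techspacekh.com.key $demo_dir/techspacekh.com.crt" \
             "is_self_issued $demo_dir/techspacekh.com.crt" \
             "key_is_private $demo_dir/techspacekh.com.key"; do
    if $check; then echo "PASS $check"; else echo "FAIL $check"; fi
done
rm -rf "$demo_dir"
```

key_is_private fails for any key whose listing shows group or other bits, such as -rw-r--r--, so it is worth running after the chmod step.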
After you have installed this certificate on the Apache web server, you can view its information in the web browser as shown in the picture below.
Having finished this article, you should now be able to generate a self-signed SSL certificate to install on your Apache web server. Hopefully, you find these instructions informative. If you have any questions or suggestions, you can always leave your comments below. I will try my best to review and reply to them.