
How to generate self signed certificate using openssl in Linux

I strongly recommend that you first get an overview of PKI and certificates in general before starting with the steps in this article to install an SSL certificate. Here I will share the steps to generate a self-signed certificate using openssl on a Red Hat / CentOS 7 Linux host.

 

Setting Up CA to Install SSL Certificate

I will be using CentOS 7 for the demonstration of the steps in this article, but the same steps can be executed on Red Hat Linux 7 as well. Before we start with the steps to install an SSL certificate, let us understand what a Certificate Authority (CA) is. There are a number of free and commercial CA packages available for generating certificates, and the OpenSSL command-line tool alone provides all of the functionality required to set up a minimal CA that can be used in a small organization.

I will show you

  • how to create a self-signed certificate (i.e. install an SSL certificate) for use by your Certificate Authority (CA),
  • how to build a configuration file that OpenSSL can use for your Certificate Authority (CA), and
  • how to issue certificates and CRLs with your Certificate Authority (CA).

 

Install openssl

The very first thing we need in order to install an SSL certificate and get a self-signed certificate is to install openssl and its dependency rpms using the yum command on your Red Hat or CentOS Linux host:

[root@node3 ~]# yum -y install openssl

 

Environment for Your Certificate Authority

Within the CA's root directory we have two subdirectories, certs and private.

[root@node3 ~]# cd /etc/pki/CA/

Here certs will be used to keep copies of all of the certificates that we issue with our CA, and private will be used to keep a copy of the CA certificate's private key.

[root@node3 tls]# ls
cert.pem  certs  misc  openssl.cnf  private

 

Building an OpenSSL Configuration File

We will make some minor changes to our /etc/pki/tls/openssl.cnf configuration file: change the file names below to the ones we will use for the certificates we create.

[root@node2 tls]# vim openssl.cnf
certificate     = $dir/mycert.pem        # The CA certificate
crl             = $dir/mycrl.pem         # The current CRL
private_key     = $dir/private/mykey.pem # The private key

Besides key generation, we will create two files that our CA infrastructure will need.

The first file is used to keep track of the last serial number that was used to issue a certificate. It’s important that no two certificates ever be issued with the same serial number from the same Certificate Authority (CA). We’ll call this file serial and initialize it to contain the number 1. It expects the value to be in hex, and it must contain at least two digits, so we must pad the value by prepending a zero to it.

[root@node3 CA]# echo 01 > serial

The second file is a database of sorts that keeps track of the certificates that have been issued by the CA. Since no certificates have been issued at this point and OpenSSL requires that the file exist, we'll simply create an empty file. We'll call this file index.txt.

[root@node3 tls]# cd /etc/pki/CA/
[root@node3 CA]# touch index.txt

 

Generate a Self Signed Certificate

Before we can begin issuing certificates with our Certificate Authority (CA), it needs a certificate of its own with which to sign the certificates that it issues. This certificate will also be used to sign any CRLs that are published. Any certificate that has the authority to sign certificates and CRLs will do.

Create the certificate and generate a new key pair to go along with it.

[root@node2 CA]# (umask 077; openssl genrsa -out private/myca.key -des3 2048)
Generating RSA private key, 2048 bit long modulus
..........................+++
...................................................................+++
e is 65537 (0x10001)
Enter pass phrase for private/myca.key:
Verifying - Enter pass phrase for private/myca.key:
[root@node2 CA]# (umask 077; openssl genrsa -out private/mykey.pem -des3 2048)
Generating RSA private key, 2048 bit long modulus
..................................+++
................................+++
e is 65537 (0x10001)
Enter pass phrase for private/mykey.pem:
Verifying - Enter pass phrase for private/mykey.pem:

When you run the command, OpenSSL prompts you twice to enter a passphrase to encrypt your private key. The key will be encrypted with 3DES, using a key derived from your passphrase.

IMPORTANT NOTE:
Remember that this private key is a very important key, so choose your passphrase accordingly. If this key is compromised, the integrity of your CA is compromised, which essentially means that any certificates it issued, whether before or after the key was compromised, can no longer be trusted.

 

Create Certificate Authority (CA)

[root@node2 CA]# openssl req -new -x509 -key private/mykey.pem -days 365 > mycert.pem
Enter pass phrase for private/mykey.pem:
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [XX]:IN
State or Province Name (full name) []:KARNATAKA
Locality Name (eg, city) [Default City]:BANGALORE
Organization Name (eg, company) [Default Company Ltd]:GoLinuxCloud
Organizational Unit Name (eg, section) []:TEST
Common Name (eg, your name or your server's hostname) []:node2.example.com
Email Address []:test2@example.com
[root@node2 CA]# (umask 077; openssl genrsa 1024 > serverkey.pem)
Generating RSA private key, 1024 bit long modulus
.................++++++
.........................++++++
e is 65537 (0x10001)

 

Issuing Certificates

Everything is now set up for our CA, and it’s time to take it out for a test drive by issuing a certificate. To do that, we need a certificate request.

The command to generate a certificate request is similar to the command we used to create our self-signed root certificate. We use the command-line tool’s req command, but we’ll need to specify some extra parameters.

[root@node2 CA]# (umask 077; openssl req -new -key serverkey.pem -out serverkey.csr)
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [XX]:IN
State or Province Name (full name) []:KARNATAKA
Locality Name (eg, city) [Default City]:BANGALORE
Organization Name (eg, company) [Default Company Ltd]:GoLinuxCloud
Organizational Unit Name (eg, section) []:TEST
Common Name (eg, your name or your server's hostname) []:node2.example.com
Email Address []: test2@example.com

Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:
An optional company name []:

And now we can verify the contents of the CSR.

[root@node2 CA]# openssl req -in serverkey.csr -noout -text
Certificate Request:
    Data:
        Version: 0 (0x0)
        Subject: C=IN, ST=KARNATAKA, L=BANGALORE, O=GoLinuxCloud, OU=TEST, CN=node2.example.com
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
                Public-Key: (1024 bit)
                Modulus:
                    00:d0:07:fb:cc:ac:7a:21:ee:a3:66:ef:70:e5:77:
                    6c:be:f3:d3:61:e2:ed:5f:92:bc:35:fc:ba:64:c7:
                    c3:fa:dc:8b:8e:4a:7c:e9:de:d5:b3:05:09:26:b6:
                    0d:62:07:b8:ab:83:2b:b0:1b:d7:2d:81:ea:80:da:
                    12:76:e2:ec:30:5f:22:f1:30:7f:0e:ed:df:52:a1:
                    ec:30:9a:09:c9:cf:4d:3a:69:13:05:3b:a8:93:09:
                    4d:d1:72:76:fc:7f:64:0f:3a:52:b0:fe:86:0f:55:
                    31:b2:df:0a:d3:6b:96:e3:43:ac:34:e2:c7:34:39:
                    2a:91:52:5e:a7:54:3b:64:63
                Exponent: 65537 (0x10001)
        Attributes:
            challengePassword        :tmo46713
    Signature Algorithm: sha256WithRSAEncryption
         6d:45:28:c9:79:54:e4:ab:01:e4:13:3a:87:f8:1e:44:4b:56:
         4a:42:bc:4d:e1:3f:be:c9:2e:43:8b:cc:bc:14:52:9a:19:05:
         6f:cf:79:ca:dc:ad:25:a7:98:29:1e:bb:13:2f:21:09:0a:38:
         40:5c:2f:36:51:e2:dc:05:4a:b0:31:d2:af:48:23:a6:ee:3d:
         24:dd:fc:85:40:8d:a8:65:ff:c9:40:ce:7c:e9:cc:6a:6a:43:
         74:93:86:23:9f:32:2a:f0:1f:50:07:1f:99:7a:2b:22:3a:aa:
         32:ac:3a:47:22:83:d3:36:0a:18:58:c6:f5:be:d8:27:b0:f1:
         d8:c2

 

Signing the certificate

With a certificate request now in hand, we can use our CA to sign the request and issue the certificate.

[root@node2 CA]# openssl ca -in serverkey.csr -out servercert.pem
Using configuration from /etc/pki/tls/openssl.cnf
Enter pass phrase for /etc/pki/CA/private/mykey.pem:
Check that the request matches the signature
Signature ok
Certificate Details:
        Serial Number: 1 (0x1)
        Validity
            Not Before: Apr 16 21:31:29 2019 GMT
            Not After : Apr 15 21:31:29 2020 GMT
        Subject:
            countryName               = IN
            stateOrProvinceName       = KARNATAKA
            organizationName          = GoLinuxCloud
            organizationalUnitName    = TEST
            commonName                = node2.example.com
        X509v3 extensions:
            X509v3 Basic Constraints:
                CA:FALSE
            Netscape Comment:
                OpenSSL Generated Certificate
            X509v3 Subject Key Identifier:
                C1:8B:8B:C8:F2:3F:93:00:89:E7:D2:B9:18:B5:D7:65:2F:2E:7C:2D
            X509v3 Authority Key Identifier:
                keyid:A6:04:F5:9C:35:3F:1F:44:DE:E1:1C:BE:21:BA:DF:7C:F9:D5:75:16

Certificate is to be certified until Apr 15 21:31:29 2020 GMT (365 days)
Sign the certificate? [y/n]:y


1 out of 1 certificate requests certified, commit? [y/n]y
Write out database with 1 new entries
Data Base Updated

After the command has completed and the certificate has been issued, you should be able to see that information was added to the file index.txt, OpenSSL’s CA database.

[root@node3 CA]# cat index.txt
V       200415213129Z           01      unknown /C=IN/ST=KARNATAKA/O=GoLinuxCloud/OU=TEST/CN=node2.example.com

Finally, you should be able to see that the serial number in the file serial was incremented. When you look at the text dump of the certificate that was created, you’ll notice that it was assigned a serial number of “1”, the number that we used to seed the serial number file.

[root@node3 CA]# cat serial
02

Now you would normally create a server directory under /etc/pki and copy the key as well as the certificate into that directory:

[root@node2 CA]# mkdir /etc/pki/server
[root@node2 CA]# cp servercert.pem /etc/pki/server/
[root@node2 CA]# cp serverkey.csr /etc/pki/server/
[root@node2 CA]# mkdir /etc/pki/private
[root@node2 CA]# cp serverkey.csr /etc/pki/private/
[root@node2 CA]# cp serverkey.pem /etc/pki/private/

And now that we've got the server key and the server certificate in the correct location, you can use them however you want, for example to configure an Apache TLS-secured host to use this certificate.

[root@node2 CA]# ls -l /etc/pki/server/
total 8
-rw-r--r-- 1 root root 3770 Apr 17 03:02 servercert.pem
-rw------- 1 root root  704 Apr 17 03:02 serverkey.csr

[root@node2 CA]# ls -l /etc/pki/private/
total 8
-rw------- 1 root root 704 Apr 17 03:03 serverkey.csr
-rw------- 1 root root 887 Apr 17 03:03 serverkey.pem
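The whole workflow above, as an added example that is not part of the original article or of OpenSSL's own documentation: the same CA directory layout, serial and index.txt files, encrypted CA key, self-signed CA certificate, server key, CSR and `openssl ca` signing step, but run non-interactively in a scratch directory rather than /etc/pki/CA, and followed by the checks a practitioner would run on the result (chain verification against the CA certificate, CA:TRUE on the CA certificate, key/certificate match, and the index.txt and serial bookkeeping). The file names mirror the article's openssl.cnf edits; the DN values, the placeholder passphrase, the scratch-directory layout, the 2048-bit server key and the use of AES-256 instead of 3DES for the CA key are assumptions of this example.

```shell
#!/bin/sh
# Added example, not the article's own commands: the article's CA workflow
# re-run non-interactively in a scratch directory instead of /etc/pki/CA,
# followed by checks on the result. DN values and paths are demo assumptions.
set -eu

# CA key passphrase passed through the environment, not the command line,
# so it does not show up in `ps`. Placeholder value for the demo.
export CA_PASS="change-me-demo-passphrase"

# Throwaway CA tree: serial seeded with 01, empty index.txt, and a minimal
# openssl.cnf using the same certificate/crl/private_key names as the article.
setup_ca_dir() {
    dir=$1
    mkdir -p "$dir/certs" "$dir/newcerts"
    (umask 077; mkdir -p "$dir/private")
    echo 01 > "$dir/serial"      # first serial number, two hex digits
    : > "$dir/index.txt"         # empty CA database
    cat > "$dir/openssl.cnf" <<EOF
[ ca ]
default_ca      = CA_default
[ CA_default ]
dir             = $dir
new_certs_dir   = \$dir/newcerts
database        = \$dir/index.txt
serial          = \$dir/serial
certificate     = \$dir/mycert.pem
crl             = \$dir/mycrl.pem
private_key     = \$dir/private/mykey.pem
default_md      = sha256
default_days    = 365
policy          = policy_anything
x509_extensions = usr_cert
[ policy_anything ]
countryName             = optional
stateOrProvinceName     = optional
localityName            = optional
organizationName        = optional
organizationalUnitName  = optional
commonName              = supplied
emailAddress            = optional
[ usr_cert ]
basicConstraints        = CA:FALSE
subjectKeyIdentifier    = hash
authorityKeyIdentifier  = keyid
[ v3_ca ]
basicConstraints        = critical, CA:TRUE
keyUsage                = critical, keyCertSign, cRLSign
subjectKeyIdentifier    = hash
[ req ]
distinguished_name      = req_distinguished_name
[ req_distinguished_name ]
commonName              = Common Name
EOF
}

# Encrypted CA key (AES-256 here rather than 3DES) and the self-signed CA cert.
make_ca() {
    dir=$1
    (umask 077; openssl genrsa -aes256 -passout env:CA_PASS \
        -out "$dir/private/mykey.pem" 2048 2>/dev/null)
    openssl req -new -x509 -config "$dir/openssl.cnf" -extensions v3_ca \
        -key "$dir/private/mykey.pem" -passin env:CA_PASS -days 365 \
        -subj "/C=IN/O=GoLinuxCloud/CN=Demo Root CA" -out "$dir/mycert.pem"
}

# Server key (2048-bit rather than the article's 1024-bit), CSR with the
# article's DN, and the signing step with `openssl ca` in batch mode.
issue_server_cert() {
    dir=$1
    (umask 077; openssl genrsa -out "$dir/serverkey.pem" 2048 2>/dev/null)
    openssl req -new -config "$dir/openssl.cnf" -key "$dir/serverkey.pem" \
        -subj "/C=IN/ST=KARNATAKA/L=BANGALORE/O=GoLinuxCloud/OU=TEST/CN=node2.example.com" \
        -out "$dir/serverkey.csr"
    openssl ca -batch -notext -config "$dir/openssl.cnf" -passin env:CA_PASS \
        -in "$dir/serverkey.csr" -out "$dir/servercert.pem"
}

# Checks: chain verifies against the CA cert, the CA cert is CA:TRUE, the
# issued cert's public key matches the server key, and the CA database and
# serial file advanced exactly as the article shows.
verify_chain()     { openssl verify -CAfile "$1/mycert.pem" "$1/servercert.pem" | grep -q ': OK$'; }
ca_cert_is_ca()    { openssl x509 -noout -text -in "$1/mycert.pem" | grep -q 'CA:TRUE'; }
key_matches_cert() {
    [ "$(openssl x509 -noout -pubkey -in "$1/servercert.pem")" = \
      "$(openssl pkey -pubout -in "$1/serverkey.pem")" ]
}
cert_serial()  { openssl x509 -noout -serial -in "$1/servercert.pem"; }  # serial=01
index_status() { cut -f1 "$1/index.txt"; }                               # V
next_serial()  { cat "$1/serial"; }                                      # 02

CA_DIR=$(mktemp -d)
setup_ca_dir "$CA_DIR"
make_ca "$CA_DIR"
issue_server_cert "$CA_DIR"
verify_chain "$CA_DIR" && echo "issued $(cert_serial "$CA_DIR"); next serial $(next_serial "$CA_DIR")"
```

The `-batch` and `-subj` options replace the interactive prompts shown in the article, and `-passin env:CA_PASS` is what lets the encrypted CA key be used without a terminal. The `openssl verify` and public-key comparison at the end are the two checks worth running after any issuance: the first proves the certificate chains to your CA, the second proves the certificate you are about to deploy belongs to the private key sitting next to it.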

 

References:
Network Security with OpenSSL

 

Lastly, I hope the steps in this article to generate self-signed certificates and install SSL certificates using openssl on Linux were helpful. Let me know your suggestions and feedback in the comment section.
