How to generate a self-signed certificate and set up a Certificate Authority using OpenSSL on CentOS 7 / Red Hat 7 Linux
I strongly recommend that you first get an overview of PKI and of certificates in general before starting with the steps in this article. Here I will share the steps to set up a small Certificate Authority and generate a self-signed certificate with openssl on a Red Hat / CentOS 7 Linux host.
Setting Up CA to Install SSL Certificate
I will be using CentOS 7 for the demonstration, but the same steps work on Red Hat Enterprise Linux 7. Before we start, let us understand what a Certificate Authority is: the entity that signs certificates and thereby vouches for the binding between a public key and a name. There are a number of free and commercial CA packages available; the OpenSSL command-line tool alone provides all of the functionality required to set up a minimal CA that can be used in a small organization or a lab.
I will show you
- how to create the self-signed certificate used by your Certificate Authority (CA), i.e. the root certificate that clients install as their trust anchor,
- how to build a configuration file that OpenSSL can use for your Certificate Authority (CA), and
- how to issue certificates and CRLs with your Certificate Authority (CA).
The very first thing we need, before any certificate can be generated, is the openssl package and its dependency RPMs, installed with yum on the Red Hat or CentOS host (CentOS 7 ships OpenSSL 1.0.2, which is what the output below was captured with):
[root@node3 ~]# yum -y install openssl
Environment for Your Certificate Authority
The stock /etc/pki/tls/openssl.cnf sets dir = /etc/pki/CA, so that is the CA's root directory, and two of its subdirectories are the ones we care about:
[root@node3 ~]# cd /etc/pki/CA/
certs will be used to keep copies of all of the certificates that we issue with our CA, and private will hold the CA certificate's private key (keep it mode 0700, owned by root). openssl ca additionally writes its own copy of every certificate it issues, named after the serial number, into newcerts. The configuration file itself lives one level up, in /etc/pki/tls:
[root@node3 tls]# ls
cert.pem  certs  misc  openssl.cnf  private
Building an OpenSSL Configuration File
We will make some minor changes to the /etc/pki/tls/openssl.cnf configuration file. In its [ CA_default ] section dir is already /etc/pki/CA; change the file names of the CA certificate, the CRL and the CA private key to the ones we are about to create (the defaults are cacert.pem, crl.pem and private/cakey.pem):
[root@node2 tls]# vim openssl.cnf
certificate = $dir/mycert.pem          # The CA certificate
crl         = $dir/mycrl.pem           # The current CRL
private_key = $dir/private/mykey.pem   # The private key
The other entries in that section (database = $dir/index.txt, serial = $dir/serial, new_certs_dir = $dir/newcerts, policy = policy_match) can stay at their defaults. The file names used in the rest of this article must match these entries exactly, because openssl ca takes them from here, not from the command line.
Besides the key, our CA needs two bookkeeping files.
The first keeps track of the last serial number used to issue a certificate. No two certificates may ever be issued with the same serial number by the same Certificate Authority (CA), and OpenSSL enforces that by reading and incrementing this file on every signature. We'll call it serial and initialize it to 1. The value is hexadecimal and must have an even number of digits, so we pad it with a leading zero:
[root@node3 CA]# echo 01 > serial
The second file is a database of sorts that keeps track of the certificates the CA has issued. Since no certificates have been issued at this point and OpenSSL requires that the file exist, we simply create an empty file. We'll call this file index.txt:
[root@node3 tls]# cd /etc/pki/CA/
[root@node3 CA]# touch index.txt
Generate a Self Signed Certificate
Before we can begin issuing certificates with our Certificate Authority (CA), it needs a certificate of its own with which to sign the certificates that it issues; that root certificate is the only self-signed certificate in this setup. It will also be used to sign any CRLs that are published. Any certificate whose extensions allow it to sign certificates and CRLs (basicConstraints CA:TRUE, keyUsage keyCertSign and cRLSign) will do.
Create the CA's key pair first. The file name must match the private_key entry in openssl.cnf, so we generate private/mykey.pem; the umask keeps the new file readable by root only:
[root@node2 CA]# (umask 077; openssl genrsa -out private/mykey.pem -des3 2048)
Generating RSA private key, 2048 bit long modulus
..................................+++
................................+++
e is 65537 (0x10001)
Enter pass phrase for private/mykey.pem:
Verifying - Enter pass phrase for private/mykey.pem:
OpenSSL prompts twice for a passphrase and encrypts the private key with 3DES, using a key derived from that passphrase; you will be asked for it every time the CA signs a certificate or a CRL. 3DES is a legacy choice, kept here because it is what the session used; genrsa also accepts -aes256, which is what a new CA key should be protected with. One CA key is enough: generate only the file the configuration names.
Create Certificate Authority (CA)
[root@node2 CA]# openssl req -new -x509 -key private/mykey.pem -days 365 > mycert.pem
Enter pass phrase for private/mykey.pem:
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [XX]:IN
State or Province Name (full name) []:KARNATAKA
Locality Name (eg, city) [Default City]:BANGALORE
Organization Name (eg, company) [Default Company Ltd]:GoLinuxCloud
Organizational Unit Name (eg, section) []:TEST
Common Name (eg, your name or your server's hostname) []:node2.example.com
Email Address []:email@example.com
-x509 makes req emit a self-signed certificate instead of a request, and with the stock openssl.cnf that certificate receives the v3_ca extensions (basicConstraints CA:TRUE), which is what entitles it to sign other certificates. The output file mycert.pem matches the certificate entry we put in the configuration. Two things to keep in mind beyond a lab: a CA certificate is normally given a much longer lifetime than 365 days, because every certificate it signed stops validating the moment the root expires, and the Common Name of a CA should identify the CA rather than a host.
With the CA in place, generate a key pair for the server whose certificate we are going to issue:
[root@node2 CA]# (umask 077; openssl genrsa 1024 > serverkey.pem)
Generating RSA private key, 1024 bit long modulus
.................++++++
.........................++++++
e is 65537 (0x10001)
A 1024-bit key is shown because that is what the rest of the output was captured with, but 1024-bit RSA is below what current browsers and TLS libraries accept; use 2048 bits or more for anything that will actually serve traffic.
Everything is now set up for our CA, and it’s time to take it out for a test drive by issuing a certificate. To do that, we need a certificate request.
The command to generate a certificate request is similar to the command we used to create our self-signed root certificate. We use the command-line tool’s req command, but we’ll need to specify some extra parameters.
[root@node2 CA]# (umask 077; openssl req -new -key serverkey.pem -out serverkey.csr)
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [XX]:IN
State or Province Name (full name) []:KARNATAKA
Locality Name (eg, city) [Default City]:BANGALORE
Organization Name (eg, company) [Default Company Ltd]:GoLinuxCloud
Organizational Unit Name (eg, section) []:TEST
Common Name (eg, your name or your server's hostname) []:node2.example.com
Email Address []:firstname.lastname@example.org

Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:
An optional company name []:
The challenge password and optional company name are legacy request attributes that openssl ca ignores; leave them blank. Note also that this request identifies the server only through its Common Name. Current browsers (Chrome since version 58, for example) ignore the CN and require the hostname to appear in a subjectAltName extension, which with the default openssl.cnf has to be added at signing time, since copy_extensions is not enabled and nothing in the request would be copied anyway.
And now we can verify the contents of the CSR.
[root@node2 CA]# openssl req -in serverkey.csr -noout -text
Certificate Request:
    Data:
        Version: 0 (0x0)
        Subject: C=IN, ST=KARNATAKA, L=BANGALORE, O=GoLinuxCloud, OU=TEST, CN=node2.example.com
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
                Public-Key: (1024 bit)
                Modulus:
                    00:d0:07:fb:cc:ac:7a:21:ee:a3:66:ef:70:e5:77:
                    6c:be:f3:d3:61:e2:ed:5f:92:bc:35:fc:ba:64:c7:
                    c3:fa:dc:8b:8e:4a:7c:e9:de:d5:b3:05:09:26:b6:
                    0d:62:07:b8:ab:83:2b:b0:1b:d7:2d:81:ea:80:da:
                    12:76:e2:ec:30:5f:22:f1:30:7f:0e:ed:df:52:a1:
                    ec:30:9a:09:c9:cf:4d:3a:69:13:05:3b:a8:93:09:
                    4d:d1:72:76:fc:7f:64:0f:3a:52:b0:fe:86:0f:55:
                    31:b2:df:0a:d3:6b:96:e3:43:ac:34:e2:c7:34:39:
                    2a:91:52:5e:a7:54:3b:64:63
                Exponent: 65537 (0x10001)
        Attributes:
            challengePassword        :tmo46713
    Signature Algorithm: sha256WithRSAEncryption
         6d:45:28:c9:79:54:e4:ab:01:e4:13:3a:87:f8:1e:44:4b:56:
         4a:42:bc:4d:e1:3f:be:c9:2e:43:8b:cc:bc:14:52:9a:19:05:
         6f:cf:79:ca:dc:ad:25:a7:98:29:1e:bb:13:2f:21:09:0a:38:
         40:5c:2f:36:51:e2:dc:05:4a:b0:31:d2:af:48:23:a6:ee:3d:
         24:dd:fc:85:40:8d:a8:65:ff:c9:40:ce:7c:e9:cc:6a:6a:43:
         74:93:86:23:9f:32:2a:f0:1f:50:07:1f:99:7a:2b:22:3a:aa:
         32:ac:3a:47:22:83:d3:36:0a:18:58:c6:f5:be:d8:27:b0:f1:
         d8:c2
Signing the certificate
With a certificate request in hand, we can use our CA to issue the server its certificate. This one is not self-signed: it is signed by the CA key, which is what lets any client that trusts mycert.pem validate it.
[root@node2 CA]# openssl ca -in serverkey.csr -out servercert.pem
Using configuration from /etc/pki/tls/openssl.cnf
Enter pass phrase for /etc/pki/CA/private/mykey.pem:
Check that the request matches the signature
Signature ok
Certificate Details:
        Serial Number: 1 (0x1)
        Validity
            Not Before: Apr 16 21:31:29 2019 GMT
            Not After : Apr 15 21:31:29 2020 GMT
        Subject:
            countryName               = IN
            stateOrProvinceName       = KARNATAKA
            organizationName          = GoLinuxCloud
            organizationalUnitName    = TEST
            commonName                = node2.example.com
        X509v3 extensions:
            X509v3 Basic Constraints:
                CA:FALSE
            Netscape Comment:
                OpenSSL Generated Certificate
            X509v3 Subject Key Identifier:
                C1:8B:8B:C8:F2:3F:93:00:89:E7:D2:B9:18:B5:D7:65:2F:2E:7C:2D
            X509v3 Authority Key Identifier:
                keyid:A6:04:F5:9C:35:3F:1F:44:DE:E1:1C:BE:21:BA:DF:7C:F9:D5:75:16
Certificate is to be certified until Apr 15 21:31:29 2020 GMT (365 days)
Sign the certificate? [y/n]:y
1 out of 1 certificate requests certified, commit? [y/n]y
Write out database with 1 new entries
Data Base Updated
The subject of the issued certificate is not quite the one from the request: localityName (BANGALORE) is gone. That is the policy_match section of openssl.cnf at work. It lists the DN components the CA will copy (and requires C, ST and O to match the CA's own certificate); anything it does not list is silently dropped. The extensions come from the usr_cert section: CA:FALSE, a subject key identifier, and an authority key identifier that links the certificate to our CA. Nothing here adds a subjectAltName, so this certificate passes openssl verify but current browsers will reject it for node2.example.com; to fix that, add an extensions section containing subjectAltName = DNS:node2.example.com to openssl.cnf and select it with -extensions when signing. openssl ca also keeps its own copy of the new certificate as /etc/pki/CA/newcerts/01.pem.
After the command has completed and the certificate has been issued, you can see that a line was added to index.txt, OpenSSL's CA database:
[root@node3 CA]# cat index.txt
V       200415213129Z           01      unknown /C=IN/ST=KARNATAKA/O=GoLinuxCloud/OU=TEST/CN=node2.example.com
The tab-separated fields are the status (V valid, R revoked, E expired), the expiry date as YYMMDDHHMMSSZ, the revocation date (empty while the certificate is valid), the serial number, a file name field that is always unknown, and the subject DN. openssl ca -revoke changes the status to R and fills in the revocation date; that record is what openssl ca -gencrl reads when it publishes a CRL.
Finally, you should be able to see that the serial number in the file serial was incremented. When you look at the text dump of the certificate that was created, you'll notice that it was assigned serial number 1 (0x1), the number that we used to seed the serial number file.
[root@node3 CA]# cat serial
02
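The whole procedure above (the openssl.cnf entries, serial and index.txt, the self-signed root, the server key and CSR, signing with openssl ca, and reading index.txt and serial back), plus the revocation and CRL handling that the introduction promised but the walkthrough does not show, as one added, self-contained script. This is example code written for this page, not the article's own commands. It runs as an unprivileged user in a temporary directory with its own configuration file instead of editing /etc/pki/tls/openssl.cnf, leaves the CA key unencrypted so that it is non-interactive, and the CA subject, the server DN and the hostname node2.example.com are assumptions. It departs from the article in two places that are worth copying: the server key is 2048 bits, and the issued certificate carries a subjectAltName.

```shell
# Added example, not code from the article: a throw-away CA that reproduces the
# article's layout (serial, index.txt, certs/, private/) in its own directory with
# its own openssl.cnf, so nothing under /etc/pki is touched. CA_DIR, the CA
# subject, the server DN and the hostname are assumptions.
set -e
CA_DIR="${CA_DIR:-$(mktemp -d)}"
CA_SUBJ="/C=IN/O=GoLinuxCloud/CN=Demo Lab CA"   # assumed CA subject
SERVER_FQDN="node2.example.com"                 # hostname from the article's CSR
CFG="$CA_DIR/openssl.cnf"

# Directory tree, the serial counter, the empty database and a config whose
# [ CA_default ] carries the three entries the article edits.
ca_init() {
    mkdir -p "$CA_DIR/certs" "$CA_DIR/newcerts" "$CA_DIR/private"
    echo 01 > "$CA_DIR/serial"   # next serial number: hex, even digit count
    : > "$CA_DIR/index.txt"      # empty CA database
    cat > "$CFG" <<EOF
[ ca ]
default_ca = CA_default
[ CA_default ]
dir              = $CA_DIR
database         = \$dir/index.txt
new_certs_dir    = \$dir/newcerts
serial           = \$dir/serial
certificate      = \$dir/mycert.pem
crl              = \$dir/mycrl.pem
private_key      = \$dir/private/mykey.pem
default_md       = sha256
default_days     = 365
default_crl_days = 30
policy           = policy_loose
[ policy_loose ]
commonName = supplied
countryName = optional
stateOrProvinceName = optional
localityName = optional
organizationName = optional
organizationalUnitName = optional
emailAddress = optional
[ req ]
distinguished_name = req_dn
[ req_dn ]
[ v3_ca ]
basicConstraints = critical, CA:TRUE
keyUsage = critical, keyCertSign, cRLSign
subjectKeyIdentifier = hash
EOF
}
# Self-signed root: CA key (left unencrypted so the demo is non-interactive;
# use -aes256 for a real CA) and a CA certificate carrying CA:TRUE.
ca_create_root() {
    (umask 077; openssl genrsa -out "$CA_DIR/private/mykey.pem" 2048 2>/dev/null)
    openssl req -new -x509 -config "$CFG" -extensions v3_ca -sha256 -days 3650 \
        -key "$CA_DIR/private/mykey.pem" -subj "$CA_SUBJ" -out "$CA_DIR/mycert.pem"
}
# Server key (2048-bit, not the article's 1024) and CSR for host $1.
server_csr() {
    (umask 077; openssl genrsa -out "$CA_DIR/$1.key" 2048 2>/dev/null)
    openssl req -new -config "$CFG" -key "$CA_DIR/$1.key" \
        -subj "/C=IN/O=GoLinuxCloud/CN=$1" -out "$CA_DIR/$1.csr"
}
# Issue with openssl ca; extensions come from an extfile: CA:FALSE, TLS-server
# usage and a subjectAltName, which browsers require (CN alone is ignored).
ca_sign_server() {
    printf 'basicConstraints=CA:FALSE\nkeyUsage=digitalSignature,keyEncipherment\n' > "$CA_DIR/$1.ext"
    printf 'extendedKeyUsage=serverAuth\nsubjectAltName=DNS:%s\n' "$1" >> "$CA_DIR/$1.ext"
    openssl ca -batch -notext -config "$CFG" -extfile "$CA_DIR/$1.ext" \
        -in "$CA_DIR/$1.csr" -out "$CA_DIR/certs/$1.crt" 2>/dev/null
}
# Read the CA state back: a cert's serial, its index.txt status letter
# (V valid, R revoked, E expired) and whether it chains to the root.
cert_serial() { openssl x509 -noout -serial -in "$1" | cut -d= -f2; }
ca_status()   { awk -F'\t' -v s="$1" '$4 == s { print $1 }' "$CA_DIR/index.txt"; }
verify_cert() {
    if openssl verify -CAfile "$CA_DIR/mycert.pem" "$1" >/dev/null 2>&1; then echo OK; else echo FAIL; fi
}
# Revoke, publish the CRL, then verify with CRL checking on (the CRL is
# appended to the trust file, a form every OpenSSL release accepts).
ca_revoke() {
    openssl ca -config "$CFG" -revoke "$1" 2>/dev/null
    openssl ca -config "$CFG" -gencrl -out "$CA_DIR/mycrl.pem" 2>/dev/null
}
verify_cert_crl() {
    cat "$CA_DIR/mycert.pem" "$CA_DIR/mycrl.pem" > "$CA_DIR/trust-with-crl.pem"
    if openssl verify -crl_check -CAfile "$CA_DIR/trust-with-crl.pem" "$1" >/dev/null 2>&1; then echo OK; else echo FAIL; fi
}
# Full run: issue, verify, revoke, verify again.
ca_init; ca_create_root; server_csr "$SERVER_FQDN"; ca_sign_server "$SERVER_FQDN"
CRT="$CA_DIR/certs/$SERVER_FQDN.crt"
echo "issued serial $(cert_serial "$CRT"): status $(ca_status "$(cert_serial "$CRT")"), chain $(verify_cert "$CRT")"
ca_revoke "$CRT"
echo "revoked: status $(ca_status "$(cert_serial "$CRT")"), chain with CRL $(verify_cert_crl "$CRT"); next serial $(cat "$CA_DIR/serial")"
```

Run it with sh, setting CA_DIR if you want to keep the result. The last line prints the next serial (02), exactly what the article's cat serial shows after one issuance. ca_status 01 reports V right after signing and R after revocation, while plain verify_cert still says OK for the revoked certificate: only verify_cert_crl, which consults the CRL, reports FAIL. That is the difference a client relying on revocation must account for.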
So now you would normally create a directory for the server under /etc/pki and copy the certificate there, and put the private key in a directory that only root can read. The CSR is only needed while the certificate is being issued; keeping a copy is handy if you ever need to re-issue, but the server itself never reads it.
[root@node2 CA]# mkdir /etc/pki/server
[root@node2 CA]# cp servercert.pem /etc/pki/server/
[root@node2 CA]# cp serverkey.csr /etc/pki/server/
[root@node2 CA]# mkdir /etc/pki/private
[root@node2 CA]# cp serverkey.csr /etc/pki/private/
[root@node2 CA]# cp serverkey.pem /etc/pki/private/
Now that the server key and the server certificate are in place, you can use them with anything that terminates TLS, such as an Apache virtual host (on CentOS 7, httpd's ssl.conf defaults to /etc/pki/tls/certs/localhost.crt and /etc/pki/tls/private/localhost.key, so you may prefer those locations). Check the permissions: the certificate is public and 0644 is fine, but the private key must stay 0600 and owned by root, which the umask 077 used when it was generated already took care of.
[root@node2 CA]# ls -l /etc/pki/server/
total 8
-rw-r--r-- 1 root root 3770 Apr 17 03:02 servercert.pem
-rw------- 1 root root  704 Apr 17 03:02 serverkey.csr
[root@node2 CA]# ls -l /etc/pki/private/
total 8
-rw------- 1 root root 704 Apr 17 03:03 serverkey.csr
-rw------- 1 root root 887 Apr 17 03:03 serverkey.pem
servercert.pem is larger than a bare certificate because openssl ca, when run without -notext, prepends a human-readable dump to the PEM block; most servers ignore the text, but -notext gives you a clean file.
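Before handing the copied files to httpd, it is worth confirming that they belong together and will be accepted by clients. The following is an added example, not part of the article: three checks (the key matches the certificate, the certificate is not about to expire, and it actually names the host) wrapped in a preflight function, exercised on a self-signed pair generated inline. The file names and hostnames are assumptions, and the test pair is constructed data.

```shell
# Added example, not from the article: pre-deployment checks on a key/certificate
# pair before pointing httpd (or any TLS server) at it. File names and hostnames
# are assumptions; the test pair is constructed below.
set -e

# 1. Does this private key belong to this certificate? Compare the public key
#    each one carries (works for RSA and EC, unlike comparing the RSA modulus).
key_matches_cert() {   # $1 = key file, $2 = certificate file
    k=$(openssl pkey -in "$1" -pubout 2>/dev/null | openssl dgst -sha256)
    c=$(openssl x509 -in "$2" -noout -pubkey 2>/dev/null | openssl dgst -sha256)
    if [ -n "$k" ] && [ "$k" = "$c" ]; then return 0; else return 1; fi
}

# 2. Will the certificate still be valid $2 days from now?
cert_valid_for_days() {   # $1 = certificate file, $2 = days
    openssl x509 -in "$1" -noout -checkend "$(( $2 * 86400 ))" >/dev/null
}

# 3. Does the certificate name the host clients will connect to? Browsers only
#    honour subjectAltName; a CN-only match is reported separately so legacy
#    certificates like the article's are flagged rather than silently passed.
cert_covers_host() {   # $1 = certificate file, $2 = hostname; prints SAN, CN-only or NONE
    if openssl x509 -in "$1" -noout -text | grep -Eq "DNS:$2(,|$)"; then
        echo SAN
    elif openssl x509 -in "$1" -noout -subject | grep -Eq "CN ?= ?$2(/|,|$)"; then
        echo CN-only
    else
        echo NONE
    fi
}

# Run all three checks, one verdict line each; returns 1 if any check fails.
preflight() {   # $1 = key, $2 = certificate, $3 = hostname
    rc=0
    if key_matches_cert "$1" "$2"; then echo "key/cert: match"; else echo "key/cert: MISMATCH"; rc=1; fi
    if cert_valid_for_days "$2" 30; then echo "expiry: more than 30 days left"; else echo "expiry: expires within 30 days"; rc=1; fi
    case "$(cert_covers_host "$2" "$3")" in
        SAN)     echo "hostname: $3 present in subjectAltName" ;;
        CN-only) echo "hostname: $3 only in CN, rejected by modern browsers"; rc=1 ;;
        *)       echo "hostname: $3 not in certificate"; rc=1 ;;
    esac
    return $rc
}

# Constructed input: a self-signed pair with a SAN. The config is written with
# printf because req -addext needs OpenSSL 1.1.1+, which CentOS 7 does not have.
make_test_pair() {   # $1 = path prefix, $2 = hostname
    printf '[req]\ndistinguished_name=dn\nx509_extensions=ext\n[dn]\n[ext]\nsubjectAltName=DNS:%s\n' "$2" > "$1.cnf"
    openssl req -x509 -newkey rsa:2048 -nodes -days 365 -sha256 -config "$1.cnf" \
        -subj "/CN=$2" -keyout "$1.key" -out "$1.crt" 2>/dev/null
}

WORK=$(mktemp -d)
make_test_pair "$WORK/node2" node2.example.com
make_test_pair "$WORK/other" other.example.com
preflight "$WORK/node2.key" "$WORK/node2.crt" node2.example.com
preflight "$WORK/other.key" "$WORK/node2.crt" node2.example.com || echo "second preflight failed as expected (wrong key)"
```

Point preflight at /etc/pki/private/serverkey.pem, /etc/pki/server/servercert.pem and node2.example.com to check the files copied above; with the article's certificate the hostname check reports CN-only, which is the cue to re-issue with a subjectAltName before clients see it.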
Reference: Network Security with OpenSSL (Viega, Messier and Chandra, O'Reilly), on which the CA walkthrough above is based.
Lastly, I hope the steps in this article to set up a CA and generate and install self-signed certificates with openssl on Linux were helpful. Let me know your suggestions and feedback in the comment section.