Math-Linux.com

Generating a self-signed certificate using OpenSSL with Linux CentOs/RedHat for Apache/httpd

A short tutorial showing how to generate self-signed certificates. It is now even easier thanks to the Makefile shipped with Linux CentOS / RedHat. I present here briefly how to generate a self-signed certificate, but first I will explain in practice how these certificates work.

How a certificate works

SSL, or its successor TLS, is the protocol that secures exchanges on the internet. When you log on to your favourite site, for example, you can see that this protocol is enabled by the lock displayed to the left of https://. Your browser sends a secure connection request to the website. The website responds by sending the browser a certificate. This certificate contains a public key, information about the site (name, country, e-mail, etc.) and a digital signature. The browser then tries to verify the digital signature of the site certificate using the public keys contained in the certificates of the Certificate Authorities (CA) shipped by default with the browser.
- Case 1: one of them works. Your browser then knows the name of the CA that signed the certificate sent by the server. It checks that the certificate has not expired and sends a request to this authority to verify that the server certificate has not been revoked.
  - Sub-case 1: the certificate has expired. A warning message appears telling you that the server identity has not been verified by a CA and that the site may therefore potentially be fraudulent. Success anyway!
  - Sub-case 2: the certificate is valid. Success!
- Case 2: none of them works. Your browser attempts to verify the digital signature of the server certificate using the public key contained in the certificate itself.
  - Sub-case 1: failure. The certificate is invalid, no connection is possible.
  - Sub-case 2: success. The web server has signed its own certificate. A warning message appears telling you that the server identity has not been verified by a CA and that the site may potentially be fraudulent. This is the case we study in this article.

Your browser then generates a symmetric session key, encrypts it with the public key contained in the certificate and sends it to the server. The server decrypts the session key with its private key. Hence the importance of protecting this private key! The exchange is established and you can browse.

Generating a private key

[root@osboxes ~]# cd /etc/pki/tls/certs/
[root@osboxes certs]# make math-linux.key
umask 77 ; \
/usr/bin/openssl genrsa -aes128 2048 > math-linux.key
Generating RSA private key, 2048 bit long modulus
...........................................+++
............................+++
e is 65537 (0x10001)
Enter pass phrase:
Verifying - Enter pass phrase:
[root@osboxes certs]# openssl rsa -in math-linux.key -out math-linux.key
Enter pass phrase for math-linux.key:
writing RSA key

Generate a Certificate Signing Request (CSR)

[root@osboxes certs]# make math-linux.csr
umask 77 ; \
/usr/bin/openssl req -utf8 -new -key math-linux.key -out math-linux.csr
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [XX]:FR
State or Province Name (full name) []:
Locality Name (eg, city) [Default City]:Paris
Organization Name (eg, company) [Default Company Ltd]:Math-Linux.com
Organizational Unit Name (eg, section) []:
Common Name (eg, your name or your server's hostname) []:math-linux.com
Email Address []:adm@math-linux.com

Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:
An optional company name []:

Remove the passphrase

[root@osboxes certs]# openssl rsa -in math-linux.key -out math-linux.key

Generate a self-signed certificate

[root@osboxes certs]# openssl x509 -in math-linux.csr -out math-linux.crt -req -signkey math-linux.key -days 3650
Signature ok
subject=/C=FR/L=Paris/O=Math-Linux.com/CN=math-linux.com/emailAddress=adm@math-linux.com
Getting Private key
[root@osboxes certs]#
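The key, CSR and self-signing steps above, written as a non-interactive script together with the consistency checks an administrator should run before the files go into Apache. This is an added example, not code from the article or from the CentOS Makefile; the directory, file name, host name and DN values are constructed samples, and the script also adds a subjectAltName (including the www form used by the ServerName in the Apache section below) because browsers match the host name against that extension rather than against the CN.

```shell
#!/bin/sh
# Added example, not part of the original article: the key -> CSR -> self-signed
# certificate steps run non-interactively, followed by the checks worth running
# before Apache is pointed at the files. Directory, file name, host name and DN
# values are constructed samples; adjust them to your own server.
set -eu

# gen_selfsigned DIR NAME HOST DAYS
# Writes DIR/NAME.key (no passphrase, mode 0600), DIR/NAME.csr and DIR/NAME.crt.
gen_selfsigned() {
    dir=$1; name=$2; host=$3; days=$4
    # Same result as `make NAME.key` followed by `openssl rsa -in ... -out ...`:
    # the key is written without a passphrase, and umask 077 keeps it private.
    ( umask 077; openssl genrsa -out "$dir/$name.key" 2048 2>/dev/null )
    # The CSR with the DN the article typed at the prompts, passed via -subj.
    openssl req -utf8 -new -key "$dir/$name.key" -out "$dir/$name.csr" \
        -subj "/C=FR/L=Paris/O=Math-Linux.com/CN=$host/emailAddress=adm@$host"
    # Browsers match the host name against subjectAltName, not CN, so the
    # extension is added at signing time with -extfile (works on OpenSSL 1.0+).
    printf 'subjectAltName=DNS:%s,DNS:www.%s\n' "$host" "$host" > "$dir/$name.ext"
    openssl x509 -req -in "$dir/$name.csr" -signkey "$dir/$name.key" \
        -out "$dir/$name.crt" -days "$days" -extfile "$dir/$name.ext" 2>/dev/null
}

# cert_matches_key CRT KEY: succeeds when CRT carries the public half of KEY
# (a mismatch is otherwise only reported when httpd starts).
cert_matches_key() {
    a=$(openssl x509 -noout -pubkey -in "$1" | openssl sha256)
    b=$(openssl pkey -pubout -in "$2" 2>/dev/null | openssl sha256)
    [ "$a" = "$b" ]
}

# cert_valid_for_days CRT DAYS: succeeds when CRT does not expire within DAYS.
cert_valid_for_days() {
    openssl x509 -noout -checkend $(( $2 * 86400 )) -in "$1" >/dev/null
}

# cert_has_san CRT HOST: succeeds when CRT lists exactly DNS:HOST in its SAN.
cert_has_san() {
    openssl x509 -noout -text -in "$1" | tr ',' '\n' | sed 's/^ *//' |
        grep -qxF "DNS:$2"
}

# Stand-alone use: sh selfsigned.sh /etc/pki/tls/certs math-linux math-linux.com 3650
if [ "$#" -eq 4 ]; then
    gen_selfsigned "$@"
    cert_matches_key "$1/$2.crt" "$1/$2.key" && cert_has_san "$1/$2.crt" "$3" &&
        echo "$1/$2.crt and $1/$2.key are consistent"
fi
```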

Configure Apache server / httpd

In the directory /etc/httpd or /etc/apache2 there should be a configuration file named ssl.conf (or similar), or a dedicated place for the SSL configuration.

The following command

[root@osboxes certs]# grep -iR SSLCertificateFile /etc/httpd/*
or
[root@osboxes certs]# grep -iR SSLCertificateFile /etc/apache*/*

will locate that file. The Apache server then has to be configured so that it uses the certificate and private key you have just generated:

<VirtualHost 192.168.0.1:443>
    DocumentRoot /var/www/html2
    ServerName www.math-linux.com
    SSLEngine on
    SSLCertificateFile /etc/pki/tls/certs/math-linux.crt
    SSLCertificateKeyFile /etc/pki/tls/certs/math-linux.key
</VirtualHost>