Generating a self-signed certificate using OpenSSL with Linux CentOs/RedHat for Apache/httpd
A little tutorial to show how we generate self-signed certificates. It’s now even easier with the Makefile provided by Linux CentOS / RedHat. I present here briefly how to generate a self-signed certificate. But before I will explain in practice how these certificates work.
How a certificate works
SSL or TLS its successor are protocols for securing internet exchanges. When you log on to your favorite site, for example, you can see that this protocol is enabled when there is a lock to the left of https: //. Your browser will send a secure login request to the website. The website responds by sending a browser certificate. This one contains a public key, site information (name, country, mail, etc.) and a digital signature. The browser will then try to verify the digital signature of the site certificate by using the public keys contained in the certificates of the Certificate Authorities (CA) integrated by default in the browser.
- Case 1: one of them works, your browser then finds the name of the CA that signed the certificate sent by the server. It checks that it has not expired and sends a request to this authority to verify that the server certificate has not been revoked.
- Sub-case 1, the certificate has expired, a warning message appears telling you that the server identity has not been verified by a CA and may therefore potentially be a fraudulent site, Success anyway !!!
- Sub-case 2, the certificate is valid, Success !!!!
- Case 2 none works, your browser attempts to verify the digital signature of the server certificate using the public key contained in it.
- Sub-case 1 Failed, the certificate is invalid, no connection possible.
- Sub-case 2 Success !!, the web server has itself signed its certificate. A warning message appears telling you that the server identity has not been verified by a CA and may potentially be a fraudulent site. This is the case that we will study through this article.
Then, your browser generates a session key via symmetric encryption using the public key contained in the certificate. Then, it passes this session key to the server. The server then decrypts the session key sent by your browser with its private key. Hence the interest of protecting this private key! The exchanges are initiated and you can navigate.
Generating a private key
[root@osboxes ~]# cd /etc/pki/tls/certs/
[root@osboxes certs]# make math-linux.key
umask 77 ; \
/usr/bin/openssl genrsa -aes128 2048 > math-linux.key
Generating RSA private key, 2048 bit long modulus
...........................................+++
............................+++
e is 65537 (0x10001)
Enter pass phrase:
Verifying - Enter pass phrase:
[root@osboxes certs]# openssl rsa -in math-linux.key -out math-linux.key
Enter pass phrase for math-linux.key:
writing RSA keyGenerate a Certificate Signing Request (CSR)
[root@osboxes certs]# make math-linux.csr
umask 77 ; \
/usr/bin/openssl req -utf8 -new -key math-linux.key -out math-linux.csr
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [XX]:FR
State or Province Name (full name) []:
Locality Name (eg, city) [Default City]:Paris
Organization Name (eg, company) [Default Company Ltd]:Math-Linux.com
Organizational Unit Name (eg, section) []:
Common Name (eg, your name or your server's hostname) []:math-linux.com
Email Address []:adm@math-linux.com
Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:
An optional company name []:Remove the passphrase
[root@osboxes certs]# openssl rsa -in math-linux.key -out math-linux.keyGenerate a self-signed certificate
[root@osboxes certs]# openssl x509 -in math-linux.csr -out math-linux.crt -req -signkey math-linux.key -days 3650
Signature ok
subject=/C=FR/L=Paris/O=Math-Linux.com/CN=math-linux.com/emailAddress=adm@math-linux.com
Getting Private key
[root@osboxes certs]# Configure Apache server / httpd
In the directory /etc/httpd or /etc/apache2 there must be a configuration file * ssl.conf or an environment dedicated to the configuration of ssl
The following command
[root@osboxes certs]# grep -iR SSLCertificateFile /etc/httpd/*
or
[root@osboxes certs]# grep -iR SSLCertificateFile /etc/apache*/*will then determine the file. It will then be necessary to configure the apache server so that it can integrate the certificates which you have just generated:
<VirtualHost 192.168.0.1:443>
DocumentRoot /var/www/html2
ServerName www.math-linux.com
SSLEngine on
SSLCertificateFile /etc/pki/tls/certs/math-linux.crt
SSLCertificateKeyFile /etc/pki/tls/certs/math-linux.key
</VirtualHost>If you found this post or this website helpful and would like to support our work, please consider making a donation. Thank you!
Help UsArticles in the same category
- Time a task: time
- SVN -- How to ignore file or directory in subversion?
- SVN -- Branch, Branching subversion howto
- Speedup GNU make build and compilation process
- phpMyAdmin: Search and Replace in MySQL database
- Linux How to delete or remove printer from command line
- Linux How to connect to Windows with remote desktop RDP in CentOS 7 / RedHat 7
- Intel compilation for MIC architecture KNL Knights Landing
- How to setup SSH timeout in shell script ?
- How to make a denial of a service with fork functions in BASH ?
- How to encrypt/decrypt a file or directory in Linux?
- How to diff remote files using ssh ?
- How to Convert Text File From ISO-8859-15 to UTF-8 Encoding
- How to change the MAC address on Linux
- Got permission denied while trying to connect to the Docker daemon socket
- GNU compilation for MIC architecture KNL Knights Landing
- Generating a self-signed certificate using OpenSSL with Linux CentOs/RedHat for Apache/httpd
- Find out biggest cpu/memory consuming processes with ps command
- Find list of options that python was compiled with
- Download music and videos .mp3, .wma, .avi, .mpg , divx with google
- Crontab : Scheduling Tasks
- Comment changer son adresse MAC sous Linux
- Check/find version of numpy i'm using
- Archiving and compressing data files tar
- Linux - Tip of the day