A short tutorial showing how to generate self-signed certificates. It is now even easier with the Makefile shipped in /etc/pki/tls/certs on CentOS / Red Hat. I present briefly how to generate a self-signed certificate, but first I explain how these certificates work in practice.
SSL, and its successor TLS, are protocols for securing exchanges over the Internet. When you log on to your favourite site, for example, you can see that the protocol is active from the padlock shown to the left of https://. Your browser opens a secure connection to the website, and the website answers by sending its server certificate. The certificate contains a public key, information about the site (name, country, e-mail address, etc.) and a digital signature. The browser then tries to verify that signature using the public keys found in the certificates of the Certificate Authorities (CAs) that ship with the browser by default.
– * Case 1: one of them verifies the signature, so the browser has found the CA that signed the server certificate. It then checks that the certificate has not expired, that the name in it matches the host you asked for, and asks the CA's revocation service (a CRL or an OCSP responder) whether the certificate has been revoked.
– ** Sub-case 1: the certificate has expired (or is revoked, or does not match the host name). A warning page tells you that the server's identity could not be verified and that the site may be fraudulent; most browsers still let you click through, so the connection is possible but not trustworthy.
– ** Sub-case 2: the certificate is valid, success!
– * Case 2: none of them verifies the signature. The browser then tries to verify the signature of the server certificate with the public key contained in that same certificate.
– ** Sub-case 1: this fails, the certificate is invalid (corrupted, or signed by a CA the browser does not know), no connection without overriding the error.
– ** Sub-case 2: this succeeds, the web server signed its own certificate. A warning message tells you that the server's identity has not been verified by a CA and that the site may be fraudulent. This is the case we study in this article.
Next, the browser and the server agree on a session key for symmetric encryption. With the RSA key exchange of older TLS versions, the browser generates the secret from which the session key is derived, encrypts it with the public key found in the certificate and sends it to the server, which decrypts it with its private key. With ephemeral Diffie-Hellman in TLS 1.2 and in TLS 1.3, the session key comes from a Diffie-Hellman exchange instead, and the server's private key is used to sign the handshake, proving that the server owns the certificate. In both cases, anyone holding the private key can impersonate the server (and, with RSA key exchange, decrypt recorded traffic), hence the interest of protecting it! The exchanges are then encrypted and you can browse.
Generate the private key. The Makefile runs openssl with umask 77, so the key file is created readable by its owner only, and encrypts the key with AES-128 under a passphrase; the second command rewrites the key without the passphrase so that Apache can start without prompting for it (keep the file permissions tight, the key is now stored in clear):

[root@osboxes ~]# cd /etc/pki/tls/certs/
[root@osboxes certs]# make math-linux.key
umask 77 ; \
/usr/bin/openssl genrsa -aes128 2048 > math-linux.key
Generating RSA private key, 2048 bit long modulus
...........................................+++
............................+++
e is 65537 (0x10001)
Enter pass phrase:
Verifying - Enter pass phrase:
[root@osboxes certs]# openssl rsa -in math-linux.key -out math-linux.key
Enter pass phrase for math-linux.key:
writing RSA key
Generate the certificate signing request (CSR). The Common Name must be the host name clients will use to reach the server:

[root@osboxes certs]# make math-linux.csr
umask 77 ; \
/usr/bin/openssl req -utf8 -new -key math-linux.key -out math-linux.csr
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [XX]:FR
State or Province Name (full name) []:
Locality Name (eg, city) [Default City]:Paris
Organization Name (eg, company) [Default Company Ltd]:Math-Linux.com
Organizational Unit Name (eg, section) []:
Common Name (eg, your name or your server's hostname) []:math-linux.com
Email Address []:firstname.lastname@example.org

Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:
An optional company name []:
Sign the request with its own key to obtain the self-signed certificate, here valid for 3650 days:

[root@osboxes certs]# openssl x509 -in math-linux.csr -out math-linux.crt -req -signkey math-linux.key -days 3650
Signature ok
subject=/C=FR/L=Paris/O=Math-Linux.com/CN=math-linux.com/emailAddress=email@example.com
Getting Private key
[root@osboxes certs]#

Note that a certificate produced this way carries no subjectAltName extension. Current browsers match the host name against subjectAltName and ignore the Common Name, so even after importing this certificate into a trust store they will still report a name mismatch; add the extension at signing time (for example with -extfile) if you need that warning to go away.
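The procedure above as a script, followed by the checks a browser (cases 1 and 2 described earlier) and an administrator apply to the result. This is an added example, not code from the original article or from the CentOS Makefile; the directory, file names and host name are assumptions chosen for the example, and unlike the Makefile commands above it adds a subjectAltName to the certificate.

```shell
#!/bin/sh
# Added example, not from the original article: the article's key -> CSR ->
# self-signed certificate procedure as a script, plus the checks a browser and
# a sysadmin apply afterwards. Assumptions: openssl is on PATH; the directory,
# file names and host name passed in are invented for the example.
set -u

# Generate a passphrase-less RSA key, a CSR and a self-signed certificate in
# directory $1 named $2.{key,csr,crt} for host $3. Returns non-zero on failure.
gen_self_signed() {
    dir=$1 name=$2 host=$3
    mkdir -p "$dir" || return 1
    # umask 077 as in the CentOS Makefile: the key is readable by its owner only.
    (umask 077; openssl genrsa -out "$dir/$name.key" 2048 2>/dev/null) || return 1
    openssl req -new -utf8 -key "$dir/$name.key" -out "$dir/$name.csr" \
        -subj "/C=FR/L=Paris/O=Math-Linux.com/CN=$host" 2>/dev/null || return 1
    # Browsers match the host name against subjectAltName, not the CN, so add it.
    printf 'subjectAltName=DNS:%s\n' "$host" > "$dir/$name.ext"
    openssl x509 -req -in "$dir/$name.csr" -signkey "$dir/$name.key" -days 3650 \
        -extfile "$dir/$name.ext" -out "$dir/$name.crt" 2>/dev/null
}

# 0 if private key $1 belongs to certificate $2 (same RSA modulus).
key_matches_cert() {
    k=$(openssl rsa -in "$1" -noout -modulus 2>/dev/null)
    c=$(openssl x509 -in "$2" -noout -modulus 2>/dev/null)
    [ -n "$k" ] && [ "$k" = "$c" ]
}

# 0 if key file $1 has no group/other permission bits (what umask 077 gives).
key_is_private() {
    [ "$(ls -l "$1" | cut -c5-10)" = "------" ]
}

# 0 if certificate $1 carries a DNS subjectAltName for host $2.
has_san() {
    openssl x509 -in "$1" -noout -text | grep -q "DNS:$2"
}

# Chain validation as a browser does it: 0 if certificate $2 chains to a
# certificate in trust file $1 and is inside its validity period at UNIX time $3.
verify_at() {
    openssl verify -CAfile "$1" -attime "$3" "$2" >/dev/null 2>&1
}

# Stand-alone use: ./mkcert.sh DIR NAME HOST
if [ $# -eq 3 ]; then
    gen_self_signed "$1" "$2" "$3" || exit 1
    key_matches_cert "$1/$2.key" "$1/$2.crt" && echo "key matches certificate"
    has_san "$1/$2.crt" "$3" && echo "subjectAltName present"
    # case 2: nothing in the default trust store vouches for the certificate
    openssl verify "$1/$2.crt" || echo "untrusted by default, as expected for a self-signed certificate"
    # trusting the certificate itself is what importing it into a store does
    verify_at "$1/$2.crt" "$1/$2.crt" "$(date +%s)" && echo "valid once explicitly trusted"
fi
```

Run it as ./mkcert.sh /tmp/certs math-linux math-linux.com. openssl verify without -CAfile is the browser's case 2: nothing in the default store vouches for the certificate, so it fails with "self signed certificate". Passing the certificate itself as -CAfile is what importing it into a trust store does, and -attime moves the clock forward to show the expiry check of case 1, sub-case 1, rejecting the same certificate.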
In /etc/httpd (CentOS / Red Hat) or /etc/apache2 (Debian / Ubuntu) there is a configuration file named ssl.conf, or a directory dedicated to the SSL configuration; on CentOS it is /etc/httpd/conf.d/ssl.conf, installed by the mod_ssl package. The following command locates the file that currently sets the certificate:

[root@osboxes certs]# grep -iR SSLCertificateFile /etc/httpd/*

or

[root@osboxes certs]# grep -iR SSLCertificateFile /etc/apache*/*

Then configure the Apache server so that it uses the certificate and key you have just generated:
<VirtualHost 192.168.0.1:443>
    DocumentRoot /var/www/html2
    ServerName www.math-linux.com
    SSLEngine on
    SSLCertificateFile /etc/pki/tls/certs/math-linux.crt
    SSLCertificateKeyFile /etc/pki/tls/certs/math-linux.key
</VirtualHost>

The name clients connect to must be covered by the certificate: a certificate issued for math-linux.com does not cover www.math-linux.com, so either set ServerName to the name in the certificate or issue the certificate for the name in ServerName. Check the result with apachectl configtest and restart httpd. The key file created with umask 77 is readable by root only, which is enough: Apache reads it at startup while still running as root, before its worker processes drop privileges.
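Before restarting httpd it is worth checking that the directives point at files that exist, that the key is not readable by other users, and that the key actually belongs to the certificate. This is an added example, not part of the original article: a POSIX shell script that reads the SSLCertificateFile / SSLCertificateKeyFile pairs out of a configuration file and runs those checks. The configuration path and file names are assumptions, and the modulus comparison applies only to RSA keys like the one generated above.

```shell
#!/bin/sh
# Added example, not from the original article: audit the certificate
# directives of an Apache SSL configuration before restarting httpd.
# Assumptions: the config and file paths are made up for the example,
# keys are RSA as in the article, and openssl is on PATH.
set -u

# Print one "CERT KEY" line per <VirtualHost> in config file $1 that sets
# both SSLCertificateFile and SSLCertificateKeyFile (directive order is free).
vhost_pairs() {
    awk 'tolower($1) == "sslcertificatefile"    { c = $2 }
         tolower($1) == "sslcertificatekeyfile" { k = $2 }
         tolower($1) == "</virtualhost>" { if (c != "" && k != "") print c, k; c = k = "" }' "$1"
}

# Check one pair: both files readable, key not readable by group/other, and
# the key's RSA modulus equal to the certificate's. Prints a verdict and
# returns non-zero on the first problem found.
audit_pair() {
    crt=$1 key=$2
    [ -r "$crt" ] || { echo "FAIL missing certificate $crt"; return 1; }
    [ -r "$key" ] || { echo "FAIL missing key $key"; return 1; }
    # The key is secret: umask 77 in the Makefile gives 0600, anything wider leaks it.
    [ "$(ls -l "$key" | cut -c5-10)" = "------" ] \
        || { echo "FAIL key $key is readable by group or others"; return 1; }
    k=$(openssl rsa -in "$key" -noout -modulus 2>/dev/null)
    c=$(openssl x509 -in "$crt" -noout -modulus 2>/dev/null)
    [ -n "$k" ] && [ "$k" = "$c" ] \
        || { echo "FAIL key $key does not belong to $crt"; return 1; }
    echo "ok $crt with $key"
}

# Audit every pair found in config $1; returns 0 only if all pairs pass.
audit_ssl_config() {
    rc=0
    while read -r crt key; do
        [ -n "$crt" ] || continue
        audit_pair "$crt" "$key" || rc=1
    done <<EOF
$(vhost_pairs "$1")
EOF
    return $rc
}

# Stand-alone use: ./audit-ssl.sh /etc/httpd/conf.d/ssl.conf
if [ $# -eq 1 ]; then
    audit_ssl_config "$1"
fi
```

The script only parses the one file it is given; if the VirtualHost lives in a file pulled in by an Include directive, point the script at that file (the grep command above tells you which one it is).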