In this article, I will take you through the steps to create a self-signed certificate using openssl commands on Linux (RedHat/CentOS 7/8). It is very important to secure your data before putting it on a public network so that nobody else can read it. Installing an SSL certificate is the way to secure that traffic.
To install a certificate you first need to generate it. This can be done in multiple ways. In this article, we will only look at the steps to create a self-signed certificate so that we can install it later on any of our web servers. Certificates are usually signed by a Certificate Authority, but when you are testing internally it is a good idea to create a self-signed certificate, since buying a certificate from a trusted CA (Certificate Authority) can involve significant cost.
What is an SSL Certificate
An SSL (Secure Sockets Layer) certificate is a digital certificate used to encrypt the communication between server and client, protecting the user's critical data in transit.
Why a Self-Signed Certificate
You can easily create a self-signed certificate on any Linux-based system using only openssl commands. It is free of cost and is generally used for testing purposes inside a network.
Different Types of SSL Certificates
Depending on cost, requirements, validity period and security features, you can buy different kinds of SSL certificates. Some of them are listed below.
a) DV (Domain Validation) Certificate
b) OV (Organization Validation) Certificate
c) EV (Extended Validation) Certificate
d) Wildcard Certificate
e) Multi-Domain SSL Certificate
f) Unified Domain Certificate
Create a Self Signed Certificate
1. Update Your System
First you need to update your system packages using the yum update -y command as shown below.
```
[root@localhost ~]# yum update -y
Loaded plugins: fastestmirror
Determining fastest mirrors
 * base: mirrors.piconets.webwerks.in
 * extras: mirrors.piconets.webwerks.in
 * updates: mirrors.piconets.webwerks.in
base                               | 3.6 kB  00:00:00
extras                             | 2.9 kB  00:00:00
updates                            | 2.9 kB  00:00:00
(1/4): base/7/x86_64/group_gz      | 165 kB  00:00:00
(2/4): extras/7/x86_64/primary_db  | 165 kB  00:00:00
(3/4): updates/7/x86_64/primary_db | 7.6 MB  00:00:03
(4/4): base/7/x86_64/primary_db    | 6.0 MB  00:00:04
Resolving Dependencies
--> Running transaction check
---> Package GeoIP.x86_64 0:1.5.0-13.el7 will be updated
---> Package GeoIP.x86_64 0:1.5.0-14.el7 will be an update
--> Processing Dependency: geoipupdate for package: GeoIP-1.5.0-14.el7.x86_64
---> Package NetworkManager.x86_64 1:1.12.0-6.el7 will be updated
---> Package NetworkManager.x86_64 1:1.18.0-5.el7_7.2 will be an update
---> Package NetworkManager-libnm.x86_64 1:1.12.0-6.el7 will be updated
---> Package NetworkManager-libnm.x86_64 1:1.18.0-5.el7_7.2 will be an update
```
NOTE: All the commands in this article are run as the root user. You can use any user with sudo access to run all these commands. See Step by Step: How to add User into Sudoers to learn more about granting sudo access to users.
2. Install the Openssl Package
After updating the packages on your server, install the openssl package using the yum install -y openssl command as shown below. On most Linux systems openssl is installed by default, as you can check below; on our system it is already installed.
```
[root@localhost ~]# yum install -y openssl
Loaded plugins: fastestmirror
Loading mirror speeds from cached hostfile
 * base: mirrors.piconets.webwerks.in
 * extras: mirrors.piconets.webwerks.in
 * updates: mirrors.piconets.webwerks.in
Package 1:openssl-1.0.2k-19.el7.x86_64 already installed and latest version
Nothing to do
```
3. Create a Private Key using openssl commands
You can create a private key in two different ways. The first method encrypts the private key with a passphrase, as shown below. This is also the recommended method.
```
[root@localhost ~]# openssl genrsa -des3 -out testserver.key 2048
Generating RSA private key, 2048 bit long modulus
...................+++
.+++
e is 65537 (0x10001)
Enter pass phrase for testserver.key:
Verifying - Enter pass phrase for testserver.key:
```
genrsa : generate an RSA private key
-des3 : encrypt the key with Triple DES using the passphrase you enter
-out : output file for the generated key
2048 : length of the key in bits
Check the generated private key. Note that the file is created world-readable (-rw-r--r--); since this key is the secret behind the certificate, restrict it with chmod 600 testserver.key before using it.
```
[root@localhost ~]# ls -lrt testserver.key
-rw-r--r--. 1 root root 1751 Apr 23 17:35 testserver.key
```
The second method generates the key without an interactive passphrase prompt, as shown below. Here -passout pass:x supplies the passphrase on the command line (the placeholder x), so the key is still DES3-encrypted, but the passphrase ends up in the command line and shell history; if you want a key with no passphrase at all, omit -des3.
```
[root@localhost ~]# openssl genrsa -des3 -passout pass:x -out testserver.key 2048
Generating RSA private key, 2048 bit long modulus
......................+++
...........................................................................................+++
e is 65537 (0x10001)
```
4. Create a Certificate Signing Request using openssl commands
You can either generate the CSR with the regular method below, where you need to provide the passphrase of the private key, or you can remove the passphrase from the private key before generating the CSR. The method below is the most commonly used one; it asks for the private key passphrase while generating the CSR.
```
[root@localhost ~]# openssl req -new -key testserver.key -out cyberithub.csr
Enter pass phrase for testserver.key:
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [XX]:US
State or Province Name (full name) []:Texas
Locality Name (eg, city) [Default City]:San Diego
Organization Name (eg, company) [Default Company Ltd]:cyberithub
Organizational Unit Name (eg, section) []:IT
Common Name (eg, your name or your server's hostname) []:cyberithub.local
Email Address []:abc@cyberithub.local

Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:Test@123
An optional company name []:
```
req : PKCS#10 X.509 Certificate Signing Request (CSR) management
-new : generate a new certificate request
-key : the private key to use for the request
Another method that is also in use is to remove the passphrase from the private key. First create a copy of the private key using the cp command as shown below.
```
[root@localhost ~]# cp testserver.key testserver.key.local
```
Then run the openssl command below to remove the passphrase.
```
[root@localhost ~]# openssl rsa -in testserver.key.local -out testserver.key
Enter pass phrase for testserver.key.local:
writing RSA key
```
Now you can see that generating the CSR does not ask for the private key passphrase. This confirms that the passphrase has been removed from the private key.
```
[root@localhost ~]# openssl req -new -key testserver.key -out cyberithub.csr
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [XX]:US
State or Province Name (full name) []:Texas
Locality Name (eg, city) [Default City]:San Diego
Organization Name (eg, company) [Default Company Ltd]:cyberithub
Organizational Unit Name (eg, section) []:IT
Common Name (eg, your name or your server's hostname) []:cyberithub.local
Email Address []:abc@cyberithub.local

Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:Test@123
An optional company name []:
```
5. Create a Self Signed Certificate using openssl commands
Now you can take the CSR (cyberithub.csr) and the private key (testserver.key) to create a self-signed certificate with a validity of 365 days using the openssl command below.
```
[root@localhost ~]# openssl x509 -req -days 365 -in cyberithub.csr -signkey testserver.key -out cyberithub.crt
Signature ok
subject=/C=US/ST=Texas/L=San Diego/O=cyberithub/OU=IT/CN=cyberithub.local/emailAddress=abc@cyberithub.local
Getting Private key
```
-days : certificate validity in days
-in : input file (the CSR)
-signkey : sign the certificate with the given private key
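The following script is an added example, not part of the original article: it runs steps 3 to 5 above non-interactively (the DN is passed with -subj instead of being typed at the prompts) and then checks the result. It goes beyond the article in two ways: it adds a subjectAltName via -extfile, because clients match the hostname against the SAN rather than the CN, and it confirms that key, CSR and certificate belong together. File names, the DN and the hostnames are constructed for this example; it assumes openssl is on PATH.

```shell
#!/bin/sh
# Added example: non-interactive key -> CSR -> self-signed cert, with checks.
# All paths, the DN and the DNS names below are constructed values.
set -e

WORK="${WORK:-$(mktemp -d)}"
KEY="$WORK/testserver.key"
CSR="$WORK/cyberithub.csr"
CRT="$WORK/cyberithub.crt"
EXT="$WORK/san.ext"
SUBJ="/C=US/ST=Texas/L=San Diego/O=cyberithub/OU=IT/CN=cyberithub.local"

# Step 3: private key. Without -des3 the key is stored unencrypted, so
# the file mode is the only thing protecting it; lock it to the owner.
make_key() {
    openssl genrsa -out "$KEY" 2048 2>/dev/null
    chmod 600 "$KEY"
}

# Step 4: CSR. -subj supplies the DN so nothing is prompted.
make_csr() {
    openssl req -new -key "$KEY" -out "$CSR" -subj "$SUBJ"
}

# Step 5: self-signed certificate. -extfile adds a subjectAltName, which
# is what browsers check; this form works on openssl 1.0.2 and later.
make_cert() {
    printf 'subjectAltName=DNS:cyberithub.local,DNS:www.cyberithub.local\n' > "$EXT"
    openssl x509 -req -days 365 -in "$CSR" -signkey "$KEY" \
        -out "$CRT" -extfile "$EXT" 2>/dev/null
}

# Check 1: key, CSR and certificate must carry the same RSA modulus,
# otherwise the web server will refuse the key/cert pair.
keys_match() {
    k=$(openssl rsa  -noout -modulus -in "$KEY")
    r=$(openssl req  -noout -modulus -in "$CSR")
    c=$(openssl x509 -noout -modulus -in "$CRT")
    [ "$k" = "$r" ] && [ "$r" = "$c" ]
}

# Check 2: the certificate validates when it is its own trust anchor.
cert_verifies() { openssl verify -CAfile "$CRT" "$CRT" >/dev/null 2>&1; }

# Check 3: the SAN we asked for actually made it into the certificate.
cert_has_san() { openssl x509 -noout -text -in "$CRT" | grep -q 'DNS:cyberithub.local'; }

make_key && make_csr && make_cert
openssl x509 -noout -subject -dates -in "$CRT"
```

To use the result, install the certificate as the server certificate and the key file as the server key, and trust cyberithub.crt explicitly on the test clients, since no public CA vouches for it.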