How to Create Self-Signed Certificate by Openssl on CentOS 6.4

Before you create a self-signed certificate, install mod_ssl for the Apache httpd server.

[root@test ~]# yum install mod_ssl
Loaded plugins: fastestmirror, refresh-packagekit, security
Loading mirror speeds from cached hostfile
 * base: mirrors.btte.net
 * epel: mirrors.hust.edu.cn
 * extras: mirrors.btte.net
 * updates: mirror.neu.edu.cn
Setting up Install Process
Resolving Dependencies
--> Running transaction check
---> Package mod_ssl.x86_64 1:2.2.26-2.el6 will be installed
--> Processing Dependency: httpd = 2.2.26-2.el6 for package: 1:mod_ssl-2.2.26-2.el6.x86_64
--> Processing Dependency: libcrypto.so.10(libcrypto.so.10)(64bit) for package: 1:mod_ssl-2.2.26-2.el6.x86_64
--> Processing Dependency: libcrypto.so.10(OPENSSL_1.0.1)(64bit) for package: 1:mod_ssl-2.2.26-2.el6.x86_64
--> Processing Dependency: libssl.so.10(libssl.so.10)(64bit) for package: 1:mod_ssl-2.2.26-2.el6.x86_64
--> Processing Dependency: libcrypto.so.10(OPENSSL_1.0.1_EC)(64bit) for package: 1:mod_ssl-2.2.26-2.el6.x86_64
--> Processing Dependency: libnal.so.1()(64bit) for package: 1:mod_ssl-2.2.26-2.el6.x86_64
--> Processing Dependency: libdistcache.so.1()(64bit) for package: 1:mod_ssl-2.2.26-2.el6.x86_64
--> Running transaction check
---> Package distcache.x86_64 0:1.4.5-23 will be installed
---> Package httpd.x86_64 0:2.2.25-1.el6 will be updated
---> Package httpd.x86_64 0:2.2.26-2.el6 will be an update
--> Processing Dependency: httpd-tools = 2.2.26-2.el6 for package: httpd-2.2.26-2.el6.x86_64
---> Package openssl.x86_64 0:1.0.0-27.el6 will be updated
---> Package openssl.x86_64 0:1.0.1e-16.el6_5.4 will be an update
--> Running transaction check
---> Package httpd-tools.x86_64 0:2.2.25-1.el6 will be updated
---> Package httpd-tools.x86_64 0:2.2.26-2.el6 will be an update
--> Finished Dependency Resolution

Dependencies Resolved

================================================================================
 Package            Arch          Version                  Repository      Size
================================================================================
Installing:
 mod_ssl            x86_64        1:2.2.26-2.el6           CentALT         85 k
Installing for dependencies:
 distcache          x86_64        1.4.5-23                 CentALT        112 k
Updating for dependencies:
 httpd              x86_64        2.2.26-2.el6             CentALT        887 k
 httpd-tools        x86_64        2.2.26-2.el6             CentALT         62 k
 openssl            x86_64        1.0.1e-16.el6_5.4        updates        1.5 M

Transaction Summary
================================================================================
Install       2 Package(s)
Upgrade       3 Package(s)

Total download size: 2.6 M
Is this ok [y/N]: y
Downloading Packages:
(1/5): distcache-1.4.5-23.x86_64.rpm                     | 112 kB     00:02
(2/5): httpd-2.2.26-2.el6.x86_64.rpm                     | 887 kB     00:03
(3/5): httpd-tools-2.2.26-2.el6.x86_64.rpm               |  62 kB     00:00
(4/5): mod_ssl-2.2.26-2.el6.x86_64.rpm                   |  85 kB     00:00
(5/5): openssl-1.0.1e-16.el6_5.4.x86_64.rpm              | 1.5 MB     01:50
--------------------------------------------------------------------------------
Total                                            23 kB/s | 2.6 MB     01:58
Running rpm_check_debug
Running Transaction Test
Transaction Test Succeeded
Running Transaction
  Updating   : openssl-1.0.1e-16.el6_5.4.x86_64                             1/8
  Updating   : httpd-tools-2.2.26-2.el6.x86_64                              2/8
  Updating   : httpd-2.2.26-2.el6.x86_64                                    3/8
  Installing : distcache-1.4.5-23.x86_64                                    4/8
  Installing : 1:mod_ssl-2.2.26-2.el6.x86_64                                5/8
  Cleanup    : httpd-2.2.25-1.el6.x86_64                                    6/8
  Cleanup    : httpd-tools-2.2.25-1.el6.x86_64                              7/8
  Cleanup    : openssl-1.0.0-27.el6.x86_64                                  8/8
  Verifying  : 1:mod_ssl-2.2.26-2.el6.x86_64                                1/8
  Verifying  : openssl-1.0.1e-16.el6_5.4.x86_64                             2/8
  Verifying  : httpd-2.2.26-2.el6.x86_64                                    3/8
  Verifying  : httpd-tools-2.2.26-2.el6.x86_64                              4/8
  Verifying  : distcache-1.4.5-23.x86_64                                    5/8
  Verifying  : httpd-tools-2.2.25-1.el6.x86_64                              6/8
  Verifying  : httpd-2.2.25-1.el6.x86_64                                    7/8
  Verifying  : openssl-1.0.0-27.el6.x86_64                                  8/8

Installed:
  mod_ssl.x86_64 1:2.2.26-2.el6

Dependency Installed:
  distcache.x86_64 0:1.4.5-23

Dependency Updated:
  httpd.x86_64 0:2.2.26-2.el6             httpd-tools.x86_64 0:2.2.26-2.el6
  openssl.x86_64 0:1.0.1e-16.el6_5.4

Complete!

A new configuration file, /etc/httpd/conf.d/ssl.conf, was added during the installation.

[root@test ~]# ls -l /etc/httpd/conf.d/
total 36
...
-rw-r--r--. 1 root root 9534 Jul 15  2008 ssl.conf
...

Let's see what we have in ssl.conf.

[root@test ~]# vi /etc/httpd/conf.d/ssl.conf
...
SSLCertificateFile /etc/pki/tls/certs/localhost.crt
...
SSLCertificateKeyFile /etc/pki/tls/private/localhost.key
...

These are the two files we need to create. It also appears that a basic certificate for "localhost" already exists. Before we test it, restart httpd.

[root@test ~]# service httpd restart
Stopping httpd:                                            [  OK  ]
Starting httpd:                                            [  OK  ]

Let's try connecting to https://localhost/.

This shows that the basic certificate on localhost works as expected; you can add an exception for the site by clicking the "Add Exception" button.

Now, back to our topic. Our goal is to create the two required files for our domain name (e.g. www.example.com) and then modify /etc/httpd/conf.d/ssl.conf so that they take effect.

  • A Private Key: /etc/pki/tls/private/www.example.com.key
  • A Certificate: /etc/pki/tls/certs/www.example.com.crt

Let's see the steps:

  1. Create a private key.

    [root@test ~]# openssl genrsa -aes128 -out /etc/pki/tls/private/www.example.com.key 1024
    Generating RSA private key, 1024 bit long modulus
    .........++++++
    .....++++++
    e is 65537 (0x10001)
    Enter pass phrase for /etc/pki/tls/private/www.example.com.key:
    Verifying - Enter pass phrase for /etc/pki/tls/private/www.example.com.key:

  2. Create a CSR. If you are not going to send the CSR to a CA, you can skip this step and use the private key above to create the certificate directly (see step 3).

    [root@test ~]# openssl req -days 3650 -new -key /etc/pki/tls/private/www.example.com.key -out /etc/pki/tls/certs/www.example.com.csr
    Enter pass phrase for /etc/pki/tls/private/www.example.com.key:
    You are about to be asked to enter information that will be incorporated
    into your certificate request.
    What you are about to enter is what is called a Distinguished Name or a DN.
    There are quite a few fields but you can leave some blank
    For some fields there will be a default value,
    If you enter '.', the field will be left blank.
    -----
    Country Name (2 letter code) [XX]:TW
    State or Province Name (full name) []:Taiwan
    Locality Name (eg, city) [Default City]:Taipei
    Organization Name (eg, company) [Default Company Ltd]:example
    Organizational Unit Name (eg, section) []:IT
    Common Name (eg, your name or your server's hostname) []:www.example.com
    Email Address []:root@example.com

    Please enter the following 'extra' attributes
    to be sent with your certificate request
    A challenge password []:
    An optional company name []:

  3. Create a CRT, either from the CSR:

    [root@test ~]# openssl x509 -req -days 3650 -in /etc/pki/tls/certs/www.example.com.csr -signkey /etc/pki/tls/private/www.example.com.key -out /etc/pki/tls/certs/www.example.com.crt
    Signature ok
    subject=/C=TW/ST=Taiwan/L=Taipei/O=example/OU=IT/CN=www.example.com/emailAddress=root@example.com
    Getting Private key
    Enter pass phrase for /etc/pki/tls/private/www.example.com.key:

    or directly from the private key, without a CSR:

    [root@test ~]# openssl req -x509 -days 3650 -new -key /etc/pki/tls/private/www.example.com.key -out /etc/pki/tls/certs/www.example.com.crt
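The three steps above as one non-interactive script, added here as an example (my own code, not the post's commands): it writes the key, CSR and self-signed certificate to a scratch directory, then checks that the certificate matches the key, that it is really self-signed, and that the key is readable by its owner only, which the listing later in the post (-rw-r--r-- on www.example.com.key) shows is easy to get wrong. Assumed: openssl on PATH, a constructed host name and DN, and a 2048-bit key without a pass phrase so the script runs unattended (the post uses a 1024-bit -aes128 key).

```shell
#!/bin/sh
# Added example, not from the original post: the three steps above run
# non-interactively in a scratch directory, plus the checks to run before
# pointing ssl.conf at the files. Assumes openssl(1) on PATH; the host name,
# DN values and directory are constructed sample values.
set -eu

make_selfsigned() {
    dir="$1"; host="$2"; days="$3"
    key="$dir/$host.key"; csr="$dir/$host.csr"; crt="$dir/$host.crt"
    mkdir -p "$dir"
    # Step 1: private key. The post uses -aes128 (pass phrase asked at every
    # httpd restart) and 1024 bits; this unattended version writes an
    # unencrypted 2048-bit key, created with mode 0600 via umask in a subshell.
    (umask 077 && openssl genrsa -out "$key" 2048 2>/dev/null)
    # Step 2: CSR, with the DN given by -subj instead of the interactive prompts.
    openssl req -new -key "$key" -out "$csr" \
        -subj "/C=TW/ST=Taiwan/L=Taipei/O=example/OU=IT/CN=$host"
    # Step 3: sign the CSR with the same key, which makes the certificate self-signed.
    openssl x509 -req -days "$days" -in "$csr" -signkey "$key" -out "$crt" 2>/dev/null
}

# Returns 0 only if the certificate belongs to the key, is really self-signed
# (issuer equals subject) and the key file is readable by its owner alone.
check_pair() {
    key="$1"; crt="$2"
    kmod=$(openssl rsa -in "$key" -noout -modulus)
    cmod=$(openssl x509 -in "$crt" -noout -modulus)
    [ "$kmod" = "$cmod" ] || { echo "key and certificate do not match" >&2; return 1; }
    subj=$(openssl x509 -in "$crt" -noout -subject | sed 's/^subject=//')
    iss=$(openssl x509 -in "$crt" -noout -issuer | sed 's/^issuer=//')
    [ "$subj" = "$iss" ] || { echo "not self-signed" >&2; return 1; }
    mode=$(ls -l "$key" | cut -c1-10)   # type + rwx bits only; SELinux dot is ignored
    [ "$mode" = "-rw-------" ] || { echo "key $key is readable by others ($mode)" >&2; return 1; }
}

# Usage: constructed run in a temporary directory instead of /etc/pki/tls.
WORKDIR=$(mktemp -d)
make_selfsigned "$WORKDIR" www.example.com 3650
check_pair "$WORKDIR/www.example.com.key" "$WORKDIR/www.example.com.crt" \
    && echo "OK: $WORKDIR/www.example.com.crt matches its key"
```

Point SSLCertificateFile and SSLCertificateKeyFile at the generated .crt and .key only after check_pair succeeds.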

Let's check what we have now:

[root@test ~]# ls -l /etc/pki/tls/private/
total 8
-rw-------. 1 root root 887 Mar 20 14:37 localhost.key
-rw-r--r--. 1 root root 986 Mar 20 19:15 www.example.com.key
[root@test ~]# ls -l /etc/pki/tls/certs/
total 1220
-rw-r--r--. 1 root root 571450 Apr  7  2010 ca-bundle.crt
-rw-r--r--. 1 root root 651083 Apr  7  2010 ca-bundle.trust.crt
-rw-------. 1 root root   1147 Mar 20 18:37 localhost.crt
-rwxr-xr-x. 1 root root    610 Jan  9 02:43 make-dummy-cert
-rw-r--r--. 1 root root   2242 Jan  9 02:43 Makefile
-rwxr-xr-x. 1 root root    829 Jan  9 02:43 renew-dummy-cert
-rw-r--r--. 1 root root    936 Mar 20 19:53 www.example.com.crt
-rw-r--r--. 1 root root    692 Mar 20 19:51 www.example.com.csr

Now that we have the two files required for SSL, we can modify the configuration file for our domain:

[root@test ~]# vi /etc/httpd/conf.d/ssl.conf
...
SSLCertificateFile /etc/pki/tls/certs/www.example.com.crt
...
SSLCertificateKeyFile /etc/pki/tls/private/www.example.com.key
...

Don't forget to restart httpd. Because the private key is encrypted, you will be prompted for its pass phrase, so have it ready.

[root@test ~]# service httpd restart                                      
Stopping httpd:                                            [  OK  ]
Starting httpd: Apache/2.2.26 mod_ssl/2.2.26 (Pass Phrase Dialog)
Some of your private key files are encrypted for security reasons.
In order to read them you have to provide the pass phrases.

Server www.example.com:443 (RSA)
Enter pass phrase:

OK: Pass Phrase Dialog successful.
                                                           [  OK  ]

For remote clients, you have to open port 443 for HTTPS. I recommend opening it in the firewall with iptables.

[root@test ~]# iptables -I INPUT -p tcp -m state --state NEW -m tcp --dport 443 -j ACCEPT
[root@test ~]# iptables-save > /etc/sysconfig/iptables

You may also use system-config-firewall-tui, like this:

[root@test ~]# system-config-firewall-tui
...

(Screenshot: Linux firewall settings)

Before you open port 443, back up a copy of the current iptables rules (/etc/sysconfig/iptables) for safety.

Let's test the certificate by connecting to https://www.example.com:

(Screenshot: self-signed certificate)

It's done. This is a self-signed certificate, so tell your users to click "Add Exception" for this website. Their communications with this website are now encrypted.

For more information, see the Red Hat documentation: 18.1.8. Setting Up an SSL Server.

If you would like to remove the pass phrase from the private key, see my other post: How to Remove Pass Phrase From Private Key.
