This post shows how to create a self-signed SSL certificate on CentOS or Ubuntu Linux with the OpenSSL tool, for example for your own Apache server.
What is Self-Signed SSL Certificate?
A self-signed certificate is used to encrypt communication between your server and any clients. Because it is not signed by any of the trusted certificate authorities included with web browsers, users cannot use the certificate to validate the identity of your server automatically.
You can use the OpenSSL tool to generate self-signed certificates for testing purposes or internal usage. It can also be used to generate an RSA private key.
Create Self-Signed SSL Certificate
Before creating a self-signed SSL certificate, make sure that the OpenSSL tool is installed on your Linux system. You can check the installed OpenSSL version by running the following command:
$ openssl version
Outputs:
devops@devops-osetc:~$ openssl version
OpenSSL 1.1.1 11 Sep 2018
If the OpenSSL package is not installed on your Linux system, you can run the following command to install it:
For CentOS or RHEL Linux:
Type the following command:
$ sudo yum install openssl -y
For Ubuntu or Debian Linux:
Type the following command:
$ sudo apt install openssl -y
Then you can use the openssl command to create a private key and a self-signed certificate. Type:
$ sudo openssl req -x509 -nodes -days 365 -newkey rsa:2048 -keyout /etc/ssl/private/apache-selfsigned.key -out /etc/ssl/certs/apache-selfsigned.crt
Outputs:
devops@devops-osetc:~$ sudo openssl req -x509 -nodes -days 365 -newkey rsa:2048 -keyout /etc/ssl/private/apache-selfsigned.key -out /etc/ssl/certs/apache-selfsigned.crt
[sudo] password for devops:
Can't load /home/devops/.rnd into RNG
140155030204864:error:2406F079:random number generator:RAND_load_file:Cannot open file:../crypto/rand/randfile.c:88:Filename=/home/devops/.rnd
Generating a RSA private key
.............+++++
...............................+++++
writing new private key to '/etc/ssl/private/apache-selfsigned.key'
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [AU]:US
State or Province Name (full name) [Some-State]:NewYork
Locality Name (eg, city) []:city
Organization Name (eg, company) [Internet Widgits Pty Ltd]:osetc
Organizational Unit Name (eg, section) []:IT
Common Name (e.g. server FQDN or YOUR name) []:osetc.com
Email Address []:mymail@osetc.com
devops@devops-osetc:~$
Note:
openssl: the basic command line tool for creating and managing OpenSSL certificates, keys and other files.
req: a subcommand of the openssl command, used to create certificate signing requests.
-x509: tells req to output a self-signed X.509 certificate instead of a certificate signing request.
-nodes: tells OpenSSL to skip passphrase protection, so the private key file is written unencrypted.
-days 365: sets the length of time that the certificate will be considered valid.
-newkey rsa:2048: creates a new certificate request and a 2048 bit RSA key.
-keyout: tells OpenSSL where to place the generated private key file.
-out: tells OpenSSL where to place the certificate that you are creating.
Let's check that the certificate and the private key were created. Type:
devops@devops-osetc:~$ sudo ls /etc/ssl/private/apache-selfsigned.key
/etc/ssl/private/apache-selfsigned.key
devops@devops-osetc:~$ sudo ls /etc/ssl/certs/apache-selfsigned.crt
/etc/ssl/certs/apache-selfsigned.crt
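Listing the files only shows that they exist. The following added example (not part of the original post) runs the same openssl req options without prompts in a temporary directory instead of /etc/ssl, then checks that the certificate carries the key's public half, that it is self-signed, and that the key file is readable by its owner only. The function names, file names and -subj values are assumptions made for the example.

```shell
#!/bin/sh
# Added example; function names, file names and -subj values are constructed.

# Create key + self-signed cert without prompts. $1 = directory, $2 = common name
make_selfsigned() {
    (
        umask 077   # new key file gets mode 0600
        openssl req -x509 -nodes -days 365 -newkey rsa:2048 \
            -subj "/C=US/O=Example/CN=$2" \
            -keyout "$1/selfsigned.key" -out "$1/selfsigned.crt" 2>/dev/null
    )
}

# True if the public key in certificate $1 is derived from private key $2.
cert_matches_key() {
    crt_pub=$(openssl x509 -in "$1" -noout -pubkey 2>/dev/null)
    key_pub=$(openssl pkey -in "$2" -pubout 2>/dev/null)
    [ -n "$crt_pub" ] && [ "$crt_pub" = "$key_pub" ]
}

# True if certificate $1 verifies against itself as the only trust anchor.
is_self_signed() {
    openssl verify -CAfile "$1" "$1" >/dev/null 2>&1
}

# True if key file $1 is readable and writable by its owner only.
key_is_private() {
    [ "$(ls -l "$1" | cut -c1-10)" = "-rw-------" ]
}

# Demo run in a throwaway directory.
tmp=$(mktemp -d)
if make_selfsigned "$tmp" www.example.test &&
   cert_matches_key "$tmp/selfsigned.crt" "$tmp/selfsigned.key" &&
   is_self_signed "$tmp/selfsigned.crt" &&
   key_is_private "$tmp/selfsigned.key"; then
    echo "key and certificate are consistent"
fi
rm -rf "$tmp"
```

To check the files created by the command in this post, call the three check functions on /etc/ssl/certs/apache-selfsigned.crt and /etc/ssl/private/apache-selfsigned.key from a root shell.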
Conclusion
You should now know how to create a self-signed certificate on your CentOS or Ubuntu Linux server with the OpenSSL tool. You can then modify your Apache configuration to use the certificate files you created.