Create a Self-Signed SSL Certificate with OpenSSL

This Self-Signed SSL Certificate was created on a server running CentOS 5.7 that uses Virtual Hosts and has SELinux disabled.

Required packages:

– openssl
– mod_ssl

# yum install openssl mod_ssl

To begin, change to the following directory. We will temporarily create our SSL files here.

# cd /etc/pki/tls/certs/

Generate Your Private Key.

# openssl genrsa -des3 -out yourdomain_tld.key 2048

Generate Certificate Signing Request (CSR).

# openssl req -new -key yourdomain_tld.key -out yourdomain_tld.csr

Sign Certificate Signing Request (CSR).

# openssl x509 -req -days 5475 -in yourdomain_tld.csr -signkey yourdomain_tld.key -out yourdomain_tld.crt

Create a Backup of the Private Key.

# cp yourdomain_tld.key

Remove the Pass-Phrase from the Private Key.

# openssl rsa -in -out yourdomain_tld.key

Create the following directories.

# mkdir ssl.csr
# mkdir ssl.crt
# mkdir ssl.key

Move SSL files to the directories that were just created.

# mv yourdomain_tld.csr ssl.csr/
# mv yourdomain_tld.crt ssl.crt/
# mv yourdomain_tld.key ssl.key/
# mv ssl.key/

Change permissions on the SSL files so they can only be read by the root user (-r--------).

# chmod 400 ssl.csr/yourdomain_tld.csr
# chmod 400 ssl.crt/yourdomain_tld.crt
# chmod 400 ssl.key/yourdomain_tld.key
# chmod 400 ssl.key/
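The key, CSR and certificate steps above, as a non-interactive script (an added example, not part of the original post), followed by a check that the three files actually belong together and that the key ended up with the -r-------- permissions asked for. DOMAIN, WORKDIR and DAYS are this script's own variables; openssl is assumed to be on PATH.

```shell
#!/bin/sh
# Added example, not from the original post: the key -> CSR -> self-signed
# certificate steps above done non-interactively, plus a consistency check.
# Assumptions: openssl on PATH; DOMAIN, WORKDIR and DAYS are this script's own
# variables (the post works in /etc/pki/tls/certs with interactive prompts).
set -eu

DOMAIN="${DOMAIN:-yourdomain.tld}"
DAYS="${DAYS:-5475}"
WORKDIR="${WORKDIR:-$(mktemp -d)}"
BASE="$WORKDIR/$(printf '%s' "$DOMAIN" | tr . _)"   # e.g. .../yourdomain_tld

# Generate key, CSR and self-signed cert. -des3 is left out, so no passphrase
# has to be stripped later; umask 077 keeps the key private from the start and
# the final chmod 400 matches the -r-------- permissions the post asks for.
make_selfsigned_cert() {
    (
        umask 077
        openssl genrsa -out "$BASE.key" 2048 2>/dev/null
        openssl req -new -key "$BASE.key" -subj "/CN=$DOMAIN" -out "$BASE.csr"
        openssl x509 -req -sha256 -days "$DAYS" -in "$BASE.csr" \
            -signkey "$BASE.key" -out "$BASE.crt" 2>/dev/null
    )
    chmod 400 "$BASE.key" "$BASE.csr" "$BASE.crt"
}

# SHA-256 of the public key held in a key, CSR or certificate (all three are
# printed in the same SubjectPublicKeyInfo PEM form, so digests are comparable).
pubkey_digest() {
    case "$1" in
        *.key) pem=$(openssl rsa  -in "$1" -pubout 2>/dev/null) ;;
        *.csr) pem=$(openssl req  -in "$1" -pubkey -noout) ;;
        *.crt) pem=$(openssl x509 -in "$1" -pubkey -noout) ;;
    esac
    printf '%s\n' "$pem" | openssl sha256 | awk '{print $NF}'
}

# Returns 0 only if key, CSR and certificate share one public key, the cert is
# self-signed (issuer equals subject) and the key file is mode -r--------.
# Catches the classic mistake of pointing SSLCertificateKeyFile at the wrong key.
verify_cert_set() {
    k=$(pubkey_digest "$BASE.key")
    [ "$k" = "$(pubkey_digest "$BASE.csr")" ] || return 1
    [ "$k" = "$(pubkey_digest "$BASE.crt")" ] || return 1
    subj=$(openssl x509 -in "$BASE.crt" -noout -subject | sed 's/^subject=//')
    issr=$(openssl x509 -in "$BASE.crt" -noout -issuer  | sed 's/^issuer=//')
    [ "$subj" = "$issr" ] || return 1
    [ "$(ls -l "$BASE.key" | cut -c1-10)" = "-r--------" ]
}
```

Run `make_selfsigned_cert && verify_cert_set` before moving the files into ssl.key/, ssl.csr/ and ssl.crt/; a non-zero exit means the files do not match or the key is readable by others.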

Edit Virtual Host Configuration File:

You will need to add the following at the top of your Virtual Host file (the asterisk can be replaced by your IP address):

NameVirtualHost *:443

Add a VirtualHost record similar to this:

<VirtualHost YourIPAddress:443>
    ServerName yourdomain.tld
    DocumentRoot /var/www/vhosts/yourdomain.tld/html
    SSLEngine on
    SSLCertificateFile /etc/pki/tls/certs/ssl.crt/yourdomain_tld.crt
    SSLCertificateKeyFile /etc/pki/tls/certs/ssl.key/yourdomain_tld.key
    <Directory "/var/www/vhosts/yourdomain.tld/html">
        AllowOverride All
    </Directory>
</VirtualHost>

Save the file, quit the editor, and then restart Apache:

# /etc/init.d/httpd restart

Configuring the firewall:

You should now have a site working over HTTPS using a self-signed certificate. If you can’t connect, you may need to open the port on your firewall. To do this, amend your iptables rules:

# iptables -A INPUT -p tcp --dport 443 -j ACCEPT
# service iptables save


Description of Commands:

OpenSSL is a cryptography toolkit implementing the Secure Sockets Layer (SSL v2/v3) and Transport Layer Security (TLS v1) network protocols and related cryptography standards required by them.

The genrsa command generates an RSA private key.

-des3
This option encrypts the private key with the triple DES cipher before outputting it.
-out “filename”
This specifies the output filename to write to or standard output by default.
numbits (2048 in the command above)
The size of the private key to generate in bits. This must be the last option specified. The default is 512.

The req command primarily creates and processes certificate requests in PKCS#10 format. It can additionally create self-signed certificates for use as root CAs, for example.

-new
This option generates a new certificate request.
-key “filename”
This specifies the file to read the private key from.

The x509 command is a multi-purpose certificate utility. It can be used to display certificate information, convert certificates to various forms, sign certificate requests like a “mini CA” or edit certificate trust settings.

-req
By default a certificate is expected on input. With this option a certificate request is expected instead.
-days “arg”
Specifies the number of days to make a certificate valid for. The default is 30 days.
-in “filename”
This specifies the input filename to read a certificate from or standard input if this option is not specified.
-signkey “filename”
This option causes the input file to be self signed using the supplied private key.

The rsa command processes RSA keys.
