This Self-Signed SSL Certificate was created on a server running CentOS 5.7, using Apache Virtual Hosts, with SELinux disabled.
Requirements:
– openssl
– mod_ssl
# yum install openssl mod_ssl
To begin, change to the following directory. We will temporarily create our SSL files here.
# cd /etc/pki/tls/certs/
Generate Your Private Key.
# openssl genrsa -des3 -out yourdomain_tld.key 2048
Generate Certificate Signing Request (CSR).
# openssl req -new -key yourdomain_tld.key -out yourdomain_tld.csr
Sign Certificate Signing Request (CSR).
# openssl x509 -req -days 5475 -in yourdomain_tld.csr -signkey yourdomain_tld.key -out yourdomain_tld.crt
Create a Backup of the Private Key.
# cp yourdomain_tld.key yourdomain_tld.key.secure
Remove the Pass-Phrase from the Private Key.
# openssl rsa -in yourdomain_tld.key.secure -out yourdomain_tld.key
Create the following directories.
# mkdir ssl.csr
# mkdir ssl.crt
# mkdir ssl.key
Move SSL files to the directories that were just created.
# mv yourdomain_tld.csr ssl.csr/
# mv yourdomain_tld.crt ssl.crt/
# mv yourdomain_tld.key ssl.key/
# mv yourdomain_tld.key.secure ssl.key/
Change permissions on the SSL files so they can only be read by the root user (-r--------).
# chmod 400 ssl.csr/yourdomain_tld.csr
# chmod 400 ssl.crt/yourdomain_tld.crt
# chmod 400 ssl.key/yourdomain_tld.key
# chmod 400 ssl.key/yourdomain_tld.key.secure
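The steps above, from key generation through passphrase removal and file permissions, as one non-interactive script. This is an added example, not part of the original tutorial: it assumes openssl is on the PATH, works in a directory you choose instead of /etc/pki/tls/certs, and uses a constructed passphrase, a placeholder subject (CN=yourdomain.tld) and the hypothetical file name yourdomain_tld. It finishes with two checks a practitioner wants before pointing Apache at the files: that the certificate's public key matches the working private key, and that the working key really loads without a passphrase while the .secure backup still requires one.

```shell
#!/bin/sh
# Added example (not the tutorial's own code). Runs the key -> CSR ->
# self-signed certificate -> passphrase removal -> permissions sequence
# without prompts, then checks the result. Assumptions: openssl on PATH;
# the passphrase, subject and file name below are constructed placeholders.
set -e

# make_selfsigned_cert DIR NAME PASSPHRASE
# Produces DIR/ssl.key/NAME.key (no passphrase), DIR/ssl.key/NAME.key.secure
# (triple-DES encrypted backup), DIR/ssl.csr/NAME.csr and DIR/ssl.crt/NAME.crt.
make_selfsigned_cert() {
    dir=$1; name=$2; pass=$3
    umask 077   # new files get no group/other bits even before the chmod
    mkdir -p "$dir/ssl.csr" "$dir/ssl.crt" "$dir/ssl.key"

    # Private key, encrypted with triple DES (the tutorial's -des3 step);
    # -passout replaces the interactive passphrase prompt.
    openssl genrsa -des3 -passout "pass:$pass" -out "$dir/$name.key" 2048 2>/dev/null

    # Certificate signing request; -subj replaces the interactive questions.
    openssl req -new -key "$dir/$name.key" -passin "pass:$pass" \
        -subj "/CN=yourdomain.tld" -out "$dir/$name.csr"

    # Self-sign the CSR with the same key, valid for 5475 days as in the tutorial.
    openssl x509 -req -days 5475 -in "$dir/$name.csr" \
        -signkey "$dir/$name.key" -passin "pass:$pass" \
        -out "$dir/$name.crt" 2>/dev/null

    # Keep the encrypted copy as a backup and strip the passphrase from the
    # working key so httpd can start unattended.
    cp "$dir/$name.key" "$dir/$name.key.secure"
    openssl rsa -in "$dir/$name.key.secure" -passin "pass:$pass" \
        -out "$dir/$name.key" 2>/dev/null

    mv "$dir/$name.csr" "$dir/ssl.csr/"
    mv "$dir/$name.crt" "$dir/ssl.crt/"
    mv "$dir/$name.key" "$dir/$name.key.secure" "$dir/ssl.key/"
    chmod 400 "$dir/ssl.csr/$name.csr" "$dir/ssl.crt/$name.crt" \
        "$dir/ssl.key/$name.key" "$dir/ssl.key/$name.key.secure"
}

# cert_matches_key CRT KEY: succeeds when the certificate's RSA modulus is
# the one in the private key Apache will load.
cert_matches_key() {
    c=$(openssl x509 -noout -modulus -in "$1")
    k=$(openssl rsa -noout -modulus -in "$2" 2>/dev/null)
    [ -n "$c" ] && [ "$c" = "$k" ]
}

# key_is_unencrypted KEY: succeeds when the key loads with no passphrase.
key_is_unencrypted() {
    openssl rsa -noout -in "$1" -passin pass: >/dev/null 2>&1
}

# Stand-alone run in a scratch directory (constructed passphrase).
workdir=$(mktemp -d)
make_selfsigned_cert "$workdir" yourdomain_tld 'constructed-passphrase'
openssl x509 -noout -subject -dates -in "$workdir/ssl.crt/yourdomain_tld.crt"
cert_matches_key "$workdir/ssl.crt/yourdomain_tld.crt" \
    "$workdir/ssl.key/yourdomain_tld.key" && echo "certificate matches key"
key_is_unencrypted "$workdir/ssl.key/yourdomain_tld.key" && echo "working key has no passphrase"
```

Two things worth knowing before relying on a certificate made this way today: the umask set inside the function persists for the rest of the script, which is intended here, and the CN-only subject the tutorial prompts for is no longer enough for current browsers (Chrome has required a subjectAltName since version 58), so for anything beyond a lab host add a SAN extension when signing.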
Edit Virtual Host Configuration File:
You will need to add the following at the top of your Virtual Host file (the asterisk can be replaced by your IP address):
NameVirtualHost *:443
Add a VirtualHost record similar to this:
<VirtualHost YourIPAddress:443>
SSLEngine on
SSLCertificateFile /etc/pki/tls/certs/ssl.crt/yourdomain_tld.crt
SSLCertificateKeyFile /etc/pki/tls/certs/ssl.key/yourdomain_tld.key
<Directory "/var/www/vhosts/yourdomain.tld/html">
AllowOverride All
</Directory>
DocumentRoot /var/www/vhosts/yourdomain.tld/html
ServerName yourdomain.tld
</VirtualHost>
Save and quit the file, then restart Apache:
# /etc/init.d/httpd restart
Configuring the firewall:
You should now have a site working over HTTPS using a self-signed certificate. If you can’t connect you may need to open the port on your firewall. To do this amend your iptables rules:
# iptables -A INPUT -p tcp --dport 443 -j ACCEPT
# service iptables save
Description of Commands:
OpenSSL is a cryptography toolkit implementing the Secure Sockets Layer (SSL v2/v3) and Transport Layer Security (TLS v1) network protocols and related cryptography standards required by them.
The genrsa command generates an RSA private key.
-des3
This option encrypts the private key with the triple DES cipher before outputting it.
-out "filename"
This specifies the output filename to write to or standard output by default.
2048 [numbits]
The size of the private key to generate in bits. This must be the last option specified. The default is 512.
The req command primarily creates and processes certificate requests in PKCS#10 format. It can additionally create self-signed certificates, for example for use as root CAs.
-new
This option generates a new certificate request.
-key "filename"
This specifies the file to read the private key from.
The x509 command is a multi purpose certificate utility. It can be used to display certificate information, convert certificates to various forms, sign certificate requests like a "mini CA" or edit certificate trust settings.
-req
By default a certificate is expected on input. With this option a certificate request is expected instead.
-days "arg"
Specifies the number of days to make a certificate valid for. The default is 30 days.
-in "filename"
This specifies the input filename to read a certificate from or standard input if this option is not specified.
-signkey "filename"
This option causes the input file to be self signed using the supplied private key.
The rsa command processes RSA keys.