How to create a self-signed certificate on Red Hat Enterprise Linux with OpenSSL?

Solution Verified - Updated

Environment

  • Red Hat Enterprise Linux (All Versions)
  • OpenSSL

Issue

  • How to create a self-signed certificate for use with services such as httpd or postfix on Red Hat Enterprise Linux?
  • How to create a self-signed certificate on Red Hat Enterprise Linux with OpenSSL?

Resolution

  • A certificate contains a public key, so it is only useful if the corresponding private key exists somewhere. With OpenSSL, the public key is derived from the private key, so before you create a certificate you need to create a private key.

  • Private keys are generated with openssl genrsa if you want an RSA private key, or openssl gendsa if you want a DSA private key.

  • Step 1: Create an RSA or DSA private key.

    • Generating a key for the RSA algorithm is straightforward; a single command does it:
    # openssl genrsa -des3 -out privkey.pem 2048
    
    • The number 2048 is the size of the key, in bits. 2048 or higher is recommended for RSA keys.

    • Generating a key for the DSA algorithm is a two-step process. First, generate the DSA parameters from which the key will be derived:

    # openssl dsaparam -out dsaparam.pem 2048
    
    • When this is done, you can generate a key using the parameters in question:
    # openssl gendsa -des3 -out privkey.pem dsaparam.pem
    
    • The number 2048 is the size of the key, in bits. 2048 or higher is recommended for both RSA and DSA keys.

    • With the '-des3' flag, you will be prompted for a passphrase that encrypts the private key on disk. If you don't want the key protected by a passphrase, remove '-des3' from the commands in the steps above.

NOTE: if you intend to use the key together with a server certificate, it is usually better not to protect it with a password, since otherwise someone would have to type in the password every time the server needs to access the key (for example, at every restart).

  • Step 2: Create a self-signed certificate from the private key.

    • Create a self-signed certificate from the private key (RSA or DSA) generated in step 1:

      # openssl req -new -x509 -key privkey.pem -out server-cert.pem -days 1095
      
    • The command prompts for the certificate details (Country Name, State or Province Name, Locality Name, Organization Name, Email Address, etc.). Enter the values according to your requirements. You now have a self-signed certificate named 'server-cert.pem'.

    • Check the text output of the certificate with the command below:

      # openssl x509 -in server-cert.pem -text -noout
      
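The two steps above, carried out non-interactively, as an added example (not part of the original solution): the RSA key is generated without '-des3' so a service can start unattended, the certificate subject is passed with '-subj' instead of being typed at the prompts, and two checks that a practitioner wants before installing the files are included: that the certificate's public key really matches the private key, and that the certificate is not about to expire. The output basename, validity period and subject values are assumptions chosen for the example.

```shell
#!/bin/sh
# Added example, not the article's own script. Assumptions: output basename,
# validity period and subject are passed in as arguments; the private key is
# left unencrypted (no -des3) because it is meant for a server.
set -eu

# Step 1 + 2: create an RSA private key and a self-signed certificate from it.
#   $1 = output basename (writes $1-key.pem and $1-cert.pem)
#   $2 = validity in days (the article uses 1095)
#   $3 = subject in /C=../ST=../CN=.. form, replacing the interactive prompts
make_key_and_cert() {
    base=$1; days=$2; subj=$3
    openssl genrsa -out "$base-key.pem" 2048 2>/dev/null
    # The key is unencrypted, so restrict it to its owner instead.
    chmod 600 "$base-key.pem"
    openssl req -new -x509 -key "$base-key.pem" -out "$base-cert.pem" \
        -days "$days" -subj "$subj"
}

# Check that the public key inside the certificate is the one derived from
# the private key; returns 0 when they match, 1 otherwise.
cert_matches_key() {
    cert_pub=$(openssl x509 -in "$1" -noout -pubkey)
    key_pub=$(openssl pkey -in "$2" -pubout)
    [ "$cert_pub" = "$key_pub" ]
}

# Print the certificate's Common Name. RFC2253 output puts CN first and is
# stable across OpenSSL versions, which the default -subject format is not.
cert_cn() {
    openssl x509 -in "$1" -noout -subject -nameopt RFC2253 |
        sed -n 's/.*CN=\([^,]*\).*/\1/p'
}

# Returns 0 if the certificate will still be valid $2 seconds from now.
cert_still_valid() {
    openssl x509 -in "$1" -noout -checkend "$2" >/dev/null
}

main() {
    base=${1:-server}
    make_key_and_cert "$base" 1095 \
        "/C=US/ST=Example/L=Example/O=Example Org/CN=www.example.com"
    cert_matches_key "$base-cert.pem" "$base-key.pem" && echo "key and certificate match"
    echo "CN: $(cert_cn "$base-cert.pem")"
    cert_still_valid "$base-cert.pem" 86400 && echo "certificate valid for at least one more day"
    # Same inspection the article ends with:
    openssl x509 -in "$base-cert.pem" -text -noout | head -n 12
}

# Run the demo only when an output basename is given, e.g.
#   sh make-selfsigned.sh /tmp/server
if [ $# -gt 0 ]; then
    main "$@"
fi
```

The subject string mirrors the fields the interactive 'openssl req' prompts ask for; '-subj' simply supplies them on the command line. cert_matches_key compares the PEM public key extracted from the certificate with the one derived from the private key, which is exactly the relationship the Resolution describes between the two files.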
  • For more information, refer to the OpenSSL documentation:
    http://www.openssl.org/docs/

This solution is part of Red Hat’s fast-track publication program, providing a huge library of solutions that Red Hat engineers have created while supporting our customers. To give you the knowledge you need the instant it becomes available, these articles may be presented in a raw and unedited form.