Securing communication over the web is critical, and SSL certificates play a huge role in encrypting data between a server and a client. In this post, I'll walk you through the steps of generating a self-signed SSL certificate in CentOS 7 using OpenSSL
Why Use a Self-Signed Certificate?
Self-signed certificates are ideal for internal projects, development, or testing environments. They enable you to secure communications without needing to purchase a certificate from a Certificate Authority (CA). However, browsers won't trust these certificates by default, and you'll get a warning, but for internal purposes, this is perfectly fine.
Prerequisites
1.CentOS 7 system with root access.
2.OpenSSL and Apache installed.
You can install them with the following commands:
sudo yum install mod_ssl openssl
Create a Directory for the Certificate
Create a directory to store the certificate and key:
sudo mkdir /etc/ssl/mycert
cd /etc/ssl/mycert
Step 1: Generate a Private Key
The first step is to create a private key, which will be used to encrypt the SSL communications.
sudo openssl genrsa -out mydomain.key 2048
Explanation:
This command generates a 2048-bit RSA private key named mydomain.key. This key will be used later to sign the certificate.
Note
When generating the private key, you can add the -des3 option to encrypt the key with a passphrase. This adds an extra layer of security.
sudo openssl genrsa -des3 -out mydomain.key 2048
You'll be prompted to set a passphrase. Every time you use the private key, you'll need to enter this passphrase.
Step 2: Create a Certificate Signing Request (CSR)
Next, you'll create a CSR, which contains information about your organization and the domain you're securing.
sudo openssl req -new -key mydomain.key -out mydomain.csr
You'll be prompted to enter information, such as:
-Country Name
-State
-City
-Organization
-Common Name (FQDN like www.example.com)
-Email
Explanation:
This CSR will later be used to create the self-signed certificate. The information provided is included in the certificate metadata.
Step 3: Generate the Self-Signed Certificate
Now, we use the CSR and private key to generate a self-signed certificate.
sudo openssl x509 -req -days 365 -in mydomain.csr -signkey mydomain.key -out mydomain.crt
Explanation:
The certificate is valid for 365 days and will be named mydomain.crt. This certificate, combined with the private key, will allow us to secure our server.
Step 4: Configure Apache to Use the Certificate*
To secure your web server, we need to configure Apache to use the newly created certificate.
Open the SSL configuration file:
sudo vim /etc/httpd/conf.d/ssl.conf
-Locate and update the following lines
SSLCertificateFile /etc/ssl/mycert/mydomain.crt
SSLCertificateKeyFile /etc/ssl/mycert/mydomain.key
Step 5: Restart Apache
Restart Apache to apply the changes and enable SSL.
sudo systemctl restart httpd
Step 6: Testing the SSL Certificate
Visit your website using https://your-domain.com. Since this is a self-signed certificate, your browser will display a warning. For testing and internal purposes, you can proceed
curl -i https://www.sectom.com
Conclusion
Congratulations! You’ve successfully generated a self-signed SSL certificate on CentOS 7. This method is perfect for development, testing, or internal use. For production environments, you should obtain a certificate from a trusted CA to avoid browser warnings.
Feel free to ask questions or share your experiences in the comments!
Top comments (0)