How to Create a Self Signed Certificate using Openssl Commands on Linux (RedHat/CentOS 7/8)

Table of Contents

What is SSL Certificate

SSL Certificate is Known as Secure Socker Layer Digital certificate responsible to encrypting communication between Server and Client to provide security and safety to the User's Critical Data.

Why Self Signed Certificate

You can easily create a self signed certificate from any of the Linux Based System by using only openssl commands. It is also free of cost and generally used for testing purposes inside a Network.

Different types of SSL Certificates

Depends on your cost, requirement, validity time period and security features you can buy different Kind of SSL Certificates. Some of them are mentioned below.

a)DV(Domain Validation) Certificate
b)OV(Organization Validation) Certificate
c)EV(Extended Validation) Certificate
d)Wildcard Certificate
e)Multi Domain SSL Certificate
f)Unified Domain Certificate

How to Create a Self Signed Certificate using Openssl Commands on Linux (RedHat/CentOS 7/8) 1

Create a Self Signed Certificate

Also Read: Openssl Tutorial : Generate and Install Certificate on Apache Server in 8 Easy Steps

1. Update Your System

First you need to update your System packages using yum update -y command as shown below.

[root@localhost ~]# yum update -y
Loaded plugins: fastestmirror
Determining fastest mirrors
* base: mirrors.piconets.webwerks.in
* extras: mirrors.piconets.webwerks.in
* updates: mirrors.piconets.webwerks.in
base | 3.6 kB 00:00:00
extras | 2.9 kB 00:00:00
updates | 2.9 kB 00:00:00
(1/4): base/7/x86_64/group_gz | 165 kB 00:00:00
(2/4): extras/7/x86_64/primary_db | 165 kB 00:00:00
(3/4): updates/7/x86_64/primary_db | 7.6 MB 00:00:03
(4/4): base/7/x86_64/primary_db | 6.0 MB 00:00:04
Resolving Dependencies
--> Running transaction check
---> Package GeoIP.x86_64 0:1.5.0-13.el7 will be updated
---> Package GeoIP.x86_64 0:1.5.0-14.el7 will be an update
--> Processing Dependency: geoipupdate for package: GeoIP-1.5.0-14.el7.x86_64
---> Package NetworkManager.x86_64 1:1.12.0-6.el7 will be updated
---> Package NetworkManager.x86_64 1:1.18.0-5.el7_7.2 will be an update
---> Package NetworkManager-libnm.x86_64 1:1.12.0-6.el7 will be updated
---> Package NetworkManager-libnm.x86_64 1:1.18.0-5.el7_7.2 will be an update

NOTE:

Please note that I am running all the commands in this session of create a self signed certificate is through root user. You can use any user with sudo access to run all these commands. You can check Step by Step: How to add User into Sudoers to know more about providing sudo access to the Users.

2. Install Openssl Package

After updating the packages in your server you need to install openssl package using yum install -y openssl command as shown below. In most of the Linux systems you can find openssl installed by default as you can check below. In our system also it is already installed.

[root@localhost ~]# yum install -y openssl
Loaded plugins: fastestmirror
Loading mirror speeds from cached hostfile
* base: mirrors.piconets.webwerks.in
* extras: mirrors.piconets.webwerks.in
* updates: mirrors.piconets.webwerks.in
Package 1:openssl-1.0.2k-19.el7.x86_64 already installed and latest version
Nothing to do

3. Create a Private Key using openssl commands

You can create Private key through two different ways. First method is by encrypting the private key with a password as shown below. This is also the recommended method.

[root@localhost ~]# openssl genrsa -des3 -out testserver.key 2048
Generating RSA private key, 2048 bit long modulus
...................+++
.+++
e is 65537 (0x10001)
Enter pass phrase for testserver.key:
Verifying - Enter pass phrase for testserver.key:

genrsa : Generation of RSA Private Key

-des3: Encryption Method

-out : generated output

2048 : length of the key in bits

Check the output private key.

[root@localhost ~]# ls -lrt testserver.key
-rw-r--r--. 1 root root 1751 Apr 23 17:35 testserver.key

Second method is by without encrypting the private key with password as shown below.

[root@localhost ~]# openssl genrsa -des3 -passout pass:x -out testserver.key 2048
Generating RSA private key, 2048 bit long modulus
......................+++
...........................................................................................+++
e is 65537 (0x10001)

4. Create a Certificate Signing Request using openssl commands

You can either generate CSR by using below regular method where you need to provide the passphrase of private key to generate CSR or you can remove the passphrase from private key before generating CSR. Below given method is the most commonly used method where it will ask for the private key passphrase while generating CSR.

[root@localhost ~]# openssl req -new -key testserver.key -out cyberithub.csr
Enter pass phrase for testserver.key:
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [XX]:US
State or Province Name (full name) []:Texas
Locality Name (eg, city) [Default City]:San Diego
Organization Name (eg, company) [Default Company Ltd]:cyberithub
Organizational Unit Name (eg, section) []:IT
Common Name (eg, your name or your server's hostname) []:cyberithub.local
Email Address []:abc@cyberithub.local

Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:Test@123
An optional company name []:

req : PKCS#10 X.509 Certificate Signing Request (CSR) Management.

-new : New Private Key

-key : Private Key

Another method which is also in use is by removing the passphrase from Private key using below method where you need to first create a copy of private key using cp command as shown below.

[root@localhost ~]# cp testserver.key testserver.key.local

Then run below openssl commands to remove the passphrase.

[root@localhost ~]# openssl rsa -in testserver.key.local -out testserver.key
Enter pass phrase for testserver.key.local:
writing RSA key

Now you can see that generation of CSR does not ask for the private key passphrase. This confirms that passphrase is now removed from Private Key.

[root@localhost ~]# openssl req -new -key testserver.key -out cyberithub.csr
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [XX]:US
State or Province Name (full name) []:Texas
Locality Name (eg, city) [Default City]:San Diego
Organization Name (eg, company) [Default Company Ltd]:cyberithub
Organizational Unit Name (eg, section) []:IT
Common Name (eg, your name or your server's hostname) []:cyberithub.local
Email Address []:abc@cyberithub.local

Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:Test@123
An optional company name []:

5. Create a Self Signed Certificate using openssl commands

Now you can take CSR(cyberithub.csr) and private key(testserver.key) to create a self signed certificate with a validity of 365 days using below openssl commands.

[root@localhost ~]# openssl x509 -req -days 365 -in cyberithub.csr -signkey testserver.key -out cyberithub.crt
Signature ok
subject=/C=US/ST=Texas/L=San Diego/O=cyberithub/OU=IT/CN=cyberithub.local/emailAddress=abc@cyberithub.local
Getting Private key

-days : Certificate Validity

-in : Input File

-signkey : Sign the Certificate using given private key

Recommendations:-

Create SAN Certificate

How to Enable or Disable SELinux Temporarily or Permanently on RedHat/CentOS 7/8

9 useful w command in Linux with Examples

Create a Self Signed Certificate using OpenSSL

Cyberithub