Generate a Server Certificate
Server certificates are used for many purposes, including the https protocol, database connection encryption, etc…
I use one of our servers under Fedora to generate the SSL / TLS certificates used for e.g. the https protocol, but you should be able to use this tutorial for all flavors of Linux. These are self-signed certificates, so the very first step is to create the signing certificate CA (for Certificate Authority), then the individual server certificates (used by e.g. the https protocol) that will be signed by the CA.
The directory /etc/pki/tls is where the certificates are stored in Fedora, but some other distributions use /etc/ssl — which is easier to remember and used throughout all these series of articles — so I advise you to create an alias (Fedora only):
ln -s /etc/pki/tls /etc/ssl
We’ll also use these conventions:
- the suffix .crt is for the public certificate: $CERT.crt
- the suffix .key for the private key: $CERT.key
- (optional) the suffix .pem for the combination of both the public and private parts: $CERT.pem
In this tutorial we’ll create a certificate we’ll name wildcard.example.com; the commands below refer to it through the shell variable $CERT, so set it first:
CERT=wildcard.example.com
Generate a private key
openssl genrsa -out $CERT.key 4096
In general you don’t want to put a passphrase (a protective password) on the key, except for:
- Windows 2008 Server
- Fedora DS
In that case use this command instead (-des3 encrypts the key under a passphrase; note that a 1024-bit RSA key is considered weak today):
openssl genrsa -des3 -out $CERT.key 1024
Create a certificate request:
openssl req -new -key $CERT.key -out $CERT.req
The common name value is the most important one. It should match your website name, e.g.
- example.com if your website is available at https://example.com
- admin.example.com if your website is available at https://admin.example.com
- secure.example.com if your website is available at https://secure.example.com
You might also want to create a server-side certificate that will work for all sub-domains:
- *.example.com works for all sub-domains.
You might want to put your default values in the [ req_distinguished_name ] section of /etc/ssl/openssl.cnf, so that openssl req proposes them at the prompts:
localityName_default = Los Angeles
organizationName_default = Example Web
organizationalUnitName_default = Example Web Certificate
commonName_default = *.example.com
Let CertSign sign / issue the certificate (add -days N to set the validity period; without it openssl x509 -req defaults to 30 days):
openssl x509 -req \
-extfile /etc/ssl/openssl.cnf -extensions v3_req \
-CA /etc/ssl/certs/certsign.crt -CAkey /etc/ssl/private/certsign.key \
-CAserial /etc/ssl/certsign.srl -CAcreateserial \
-in /etc/ssl/certs/$CERT.req -out /etc/ssl/certs/$CERT.crt
- For a certificate for Windows 2008 Server, I used this instruction (note the .cer suffix rather than .crt; this way I can separate what I did for Windows):
openssl ca -out $CERT.cer -in $CERT.req -cert ./certs/certsign.crt -keyfile ./private/certsign.key
Give safe permissions to the generated key and certificate (run from the private key directory, since ../certs/ refers to the certificates directory; chmod keeps the private key readable by root only, and chcon sets the SELinux user on Fedora):
chmod 400 $CERT.key
chcon -u system_u $CERT.*
chcon -u system_u ../certs/$CERT.*
Verify the generated certificate, first without naming the CA and then with it:
openssl verify /etc/ssl/certs/$CERT.crt
openssl verify -CAfile /etc/ssl/certs/certsign.crt /etc/ssl/certs/$CERT.crt
The first test should return the error unable to get local issuer certificate, which warns that the authority certificate wasn’t specified.
The second test should succeed.
Convert into .pem format
The .pem format is a concatenation of the key + the crt file. It should be protected the same way as the key:
cat $CERT.key ../certs/$CERT.crt > $CERT.pem
chmod 400 $CERT.pem
chcon -u system_u $CERT.pem
To query the content of the certificate:
openssl x509 -in $CERT.pem -noout -dates
openssl x509 -in $CERT.pem -noout -purpose
Export to pkcs12 format
Notice: We set the name to $CERT although mod_nss (used in Fedora DS) uses “Server-Cert” by default. Remember to change NSSNickname in nss.conf!
openssl pkcs12 -export -name $CERT -inkey $CERT.key -in ../certs/$CERT.crt -out $CERT.p12
(or)
openssl pkcs12 -export -nodes -inkey $CERT.key -in ../certs/$CERT.crt -out $CERT.p12
(Leave ‘Export password’ blank)
Permissions:
chcon -u system_u $CERT.p12