{{tag>[centos7 linux tls ssl]}}
=====TLS - CentOS 7.x=====
=====Generate self-signed certificates=====
====Create CA====
* Generate CA key: <code>openssl genrsa -aes256 -out ca.key 4096</code>
* Generate CA certificate, valid for 10 years: <code>openssl req -new -x509 -days 3652 -sha256 -extensions v3_ca -key ca.key -out ca.crt</code>
Common Name: " CA"
====Server key and certificate====
* Generate server private key: <code>openssl genrsa -aes256 -out server.key 4096</code>
* Create certificate signing request: <code>openssl req -new -sha256 -key server.key -out server.csr</code>
Common name:
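* Sign server certificate, valid for 5 years: <code>
# -extensions is only applied when -extfile names the config file that defines
# the section; /etc/pki/tls/openssl.cnf is the default config on CentOS 7
openssl x509 -req -CA ca.crt -CAkey ca.key -days 1825 -extfile /etc/pki/tls/openssl.cnf -extensions usr_cert -sha256 -set_serial 01 -in server.csr -out server.crt
</code>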
=====Add CA certificate to trust store=====
* Copy ca.crt to **/etc/pki/ca-trust/source/anchors/**
* Run **update-ca-trust extract** as root.
=====Troubleshooting=====
* Identify which directory OpenSSL uses: <code>openssl version -d</code>
* Test remote connection: <code>openssl s_client -showcerts -connect my.webserver.com:443</code>
Check for: Verify return code: 0 (ok)
* Look up certificate details: <code>openssl x509 -in server.crt -noout -text</code>
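
The CA and server steps above, followed by offline checks of the result, as an added shell example that is not part of the original page. It assumes constructed subject names, a scratch ''ext.cnf'' in place of the system openssl.cnf, and unencrypted keys so nothing prompts; ''build_chain'' and ''check_chain'' are hypothetical helper names.

```shell
#!/bin/sh
# Added example: repeat the CA and server steps in a scratch directory, then
# check the result offline. Subjects, ext.cnf and unencrypted keys are constructed.

# build_chain DIR [BITS]: write ca.key, ca.crt, server.key, server.crt to DIR.
build_chain() {
    dir=$1 bits=${2:-4096}
    # Private config so the run does not depend on the system openssl.cnf.
    cat > "$dir/ext.cnf" <<'EOF'
[req]
distinguished_name = dn
prompt = no
[dn]
CN = placeholder
[v3_ca]
basicConstraints = critical,CA:TRUE
subjectKeyIdentifier = hash
[usr_cert]
basicConstraints = CA:FALSE
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid,issuer
EOF
    # No -aes256 here, so nothing prompts for a passphrase.
    openssl genrsa -out "$dir/ca.key" "$bits" 2>/dev/null &&
    openssl req -new -x509 -days 3652 -sha256 -config "$dir/ext.cnf" \
        -extensions v3_ca -subj "/CN=Example Test CA" \
        -key "$dir/ca.key" -out "$dir/ca.crt" &&
    openssl genrsa -out "$dir/server.key" "$bits" 2>/dev/null &&
    openssl req -new -sha256 -config "$dir/ext.cnf" \
        -subj "/CN=server.example.test" \
        -key "$dir/server.key" -out "$dir/server.csr" &&
    openssl x509 -req -CA "$dir/ca.crt" -CAkey "$dir/ca.key" -days 1825 \
        -sha256 -extfile "$dir/ext.cnf" -extensions usr_cert -set_serial 01 \
        -in "$dir/server.csr" -out "$dir/server.crt" 2>/dev/null
}

# check_chain DIR: 0 if server.crt chains to ca.crt, is not a CA and matches
# server.key; otherwise 1, 2 or 3 for the first check that failed.
check_chain() {
    dir=$1
    # Match the printed result instead of trusting the exit status alone.
    openssl verify -CAfile "$dir/ca.crt" "$dir/server.crt" 2>&1 |
        grep -q ': OK$' || return 1
    openssl x509 -in "$dir/server.crt" -noout -text |
        grep -q 'CA:FALSE' || return 2
    cert_pub=$(openssl x509 -in "$dir/server.crt" -noout -pubkey | openssl sha256)
    key_pub=$(openssl pkey -in "$dir/server.key" -pubout | openssl sha256)
    [ "$cert_pub" = "$key_pub" ] || return 3
}
```

Run ''d=$(mktemp -d); build_chain "$d" && check_chain "$d"''; an exit status of 0 means all three checks passed.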