{{tag>[centos7 linux tls ssl]}}

=====TLS - CentOS 7.x=====

=====Genereate self signed certificates=====
====Create CA====
  * Generate CA key:<code>openssl genrsa -aes256 -out ca.key 4096</code>
  * Generate CA certificate, valid for 10 years:<code>openssl req -new -x509 -days 3652 -sha256 -extensions v3_ca -key ca.key -out ca.crt

Common Name: "<yourname> CA"
</code>
====Server key and certificate====
  * Generate server private key:<code>openssl genrsa -aes256 -out server.key 4096</code>
  * Create certificate signing request:<code>openssl req -new -sha256 -key server.key -out server.csr

Common name: <your server's FQDN></code>
  * Sign server certificate, valid for 5 years:<code>openssl x509 -req -CA ca.crt -CAkey ca.key -days 1825 -extensions usr_cert -sha256 -set_serial 01 -in server.csr -out server.crt</code>

=====Add CA certificate to trust store=====
  * Copy ca.crt to **/etc/pki/ca-trust/source/anchors/**
  * Run **update-ca-trust extract** as root.


=====Troubleshooting=====
  * Identify which directory OpenSSL uses:<code>openssl version -d</code>
  * Test remote connection:<code>openssl s_client -showcerts -connect my.webserver.com:443

Check for:   Verify return code: 0 (ok) </code>
  * Lookup certificate details:<code>openssl x509 -in server.crt -noout -text</code>