centos_7_tls_certificates

Table of Contents

TLS - CentOS 7.x
Genereate self signed certificates
- Create CA
- Server key and certificate
Add CA certificate to trust store
Troubleshooting

[centos7, linux, tls, ssl]

TLS - CentOS 7.x

Genereate self signed certificates

Create CA

Generate CA key:
```
openssl genrsa -aes256 -out ca.key 4096
```

Generate CA certificate, valid for 10 years:

openssl req -new -x509 -days 3652 -sha256 -extensions v3_ca -key ca.key -out ca.crt

Common Name: "<yourname> CA"

Server key and certificate

Generate server private key:

openssl genrsa -aes256 -out server.key 4096

Create certificate signing request:

openssl req -new -sha256 -key server.key -out server.csr

Common name: <your server's FQDN>

Sign server certificate, valid for 5 years:

openssl x509 -req -CA ca.crt -CAkey ca.key -days 1825 -extensions usr_cert -sha256 -set_serial 01 -in server.csr -out server.crt

Add CA certificate to trust store

Copy ca.crt to /etc/pki/ca-trust/source/anchors/
Run update-ca-trust extract as root.

Troubleshooting

Identify which directory OpenSSL uses:
```
openssl version -d
```

Test remote connection:

openssl s_client -showcerts -connect my.webserver.com:443

Check for:   Verify return code: 0 (ok)

Lookup certificate details:

openssl x509 -in server.crt -noout -text