TLS - CentOS 7.x
Generate self-signed certificates
Create CA
- Generate CA key:
openssl genrsa -aes256 -out ca.key 4096
- Generate CA certificate, valid for 10 years:
openssl req -new -x509 -days 3652 -sha256 -extensions v3_ca -key ca.key -out ca.crt
When prompted for Common Name, enter: "<yourname> CA"
Server key and certificate
- Generate server private key:
openssl genrsa -aes256 -out server.key 4096
- Create certificate signing request:
openssl req -new -sha256 -key server.key -out server.csr
When prompted for Common Name, enter: <your server's FQDN>
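- Sign server certificate, valid for 5 years (-extensions is only applied when -extfile names the config file that contains the section; without it no extensions are added):
openssl x509 -req -CA ca.crt -CAkey ca.key -days 1825 -extfile /etc/pki/tls/openssl.cnf -extensions usr_cert -sha256 -set_serial 01 -in server.csr -out server.crt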
Add CA certificate to trust store
- Copy ca.crt to /etc/pki/ca-trust/source/anchors/
- Run update-ca-trust extract as root.
Troubleshooting
- Identify which directory OpenSSL uses:
openssl version -d
- Test remote connection:
openssl s_client -showcerts -connect my.webserver.com:443
Check for: Verify return code: 0 (ok)
- Lookup certificate details:
openssl x509 -in server.crt -noout -text
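
The steps above as one non-interactive run in a scratch directory, followed by the checks worth making before the certificate is deployed (chain, extensions, key match). This is an added example, not part of the original page. Assumptions: the passphrases are exported as CA_PASS and SRV_PASS, tls.cnf with its server_cert section and the "Example CA" name are constructed here, and the subjectAltName entry goes beyond what the page sets.

```shell
#!/bin/sh
# Added example, not from the original page. Assumptions: passphrases are read
# from the exported variables CA_PASS and SRV_PASS, and tls.cnf is a constructed
# config written here so the run does not depend on the system openssl.cnf.

make_chain() (   # usage: make_chain <dir> <server FQDN> [rsa bits]
    dir=$1 fqdn=$2 bits=${3:-4096}
    mkdir -p "$dir" && cd "$dir" || exit 1
    cat > tls.cnf <<EOF
[ req ]
distinguished_name = dn
prompt = no
[ dn ]
CN = overridden-by-subj
[ v3_ca ]
basicConstraints = critical, CA:TRUE
keyUsage = critical, keyCertSign, cRLSign
subjectKeyIdentifier = hash
[ server_cert ]
basicConstraints = CA:FALSE
subjectAltName = DNS:$fqdn
EOF
    # CA key and self-signed CA certificate (10 years)
    openssl genrsa -aes256 -passout env:CA_PASS -out ca.key "$bits" &&
    openssl req -new -x509 -config tls.cnf -extensions v3_ca -days 3652 -sha256 \
        -key ca.key -passin env:CA_PASS -subj "/CN=Example CA" -out ca.crt &&
    # Server key and certificate signing request
    openssl genrsa -aes256 -passout env:SRV_PASS -out server.key "$bits" &&
    openssl req -new -config tls.cnf -sha256 -key server.key -passin env:SRV_PASS \
        -subj "/CN=$fqdn" -out server.csr &&
    # Sign (5 years); -extensions needs -extfile or no extensions are added
    openssl x509 -req -CA ca.crt -CAkey ca.key -passin env:CA_PASS -days 1825 \
        -sha256 -set_serial 01 -extfile tls.cnf -extensions server_cert \
        -in server.csr -out server.crt
)

check_chain() (  # usage: check_chain <dir> <expected FQDN>; prints OK or the failed check
    cd "$1" || exit 1
    openssl verify -CAfile ca.crt server.crt 2>&1 | grep -q ': OK$' ||
        { echo "FAIL: server.crt does not chain to ca.crt"; exit 1; }
    text=$(openssl x509 -in server.crt -noout -text)
    echo "$text" | grep -q 'CA:FALSE' || { echo "FAIL: not marked CA:FALSE"; exit 1; }
    echo "$text" | grep -qF "DNS:$2" || { echo "FAIL: SAN lacks $2"; exit 1; }
    key=$(openssl rsa -in server.key -passin env:SRV_PASS -pubout 2>/dev/null | openssl sha256)
    crt=$(openssl x509 -in server.crt -noout -pubkey | openssl sha256)
    [ "$key" = "$crt" ] || { echo "FAIL: server.key does not match server.crt"; exit 1; }
    echo OK
)
```

Call make_chain with a directory and the server's FQDN, then check_chain with the same two arguments; check_chain names the first check that fails.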
centos_7_tls_certificates.txt · Last modified: 2021/10/09 15:14 by 127.0.0.1