Ben's notes

Linux, Unix, network, radio...

User Tools

Site Tools


centos_7_tls_certificates

TLS - CentOS 7.x

Genereate self signed certificates

Create CA

  • Generate CA key:
    openssl genrsa -aes256 -out ca.key 4096
  • Generate CA certificate, valid for 10 years:
    openssl req -new -x509 -days 3652 -sha256 -extensions v3_ca -key ca.key -out ca.crt
    
    Common Name: "<yourname> CA"

Server key and certificate

  • Generate server private key:
    openssl genrsa -aes256 -out server.key 4096
  • Create certificate signing request:
    openssl req -new -sha256 -key server.key -out server.csr
    
    Common name: <your server's FQDN>
  • Sign server certificate, valid for 5 years:
    openssl x509 -req -CA ca.crt -CAkey ca.key -days 1825 -extensions usr_cert -sha256 -set_serial 01 -in server.csr -out server.crt

Add CA certificate to trust store

  • Copy ca.crt to /etc/pki/ca-trust/source/anchors/
  • Run update-ca-trust extract as root.

Troubleshooting

  • Identify which directory OpenSSL uses:
    openssl version -d
  • Test remote connection:
    openssl s_client -showcerts -connect my.webserver.com:443
    
    Check for:   Verify return code: 0 (ok) 
  • Lookup certificate details:
    openssl x509 -in server.crt -noout -text
centos_7_tls_certificates.txt · Last modified: 2021/10/09 15:14 by 127.0.0.1