A little tutorial to show how we generate self-signed certificates. It’s now even easier with the Makefile provided by Linux CentOS / RedHat. I present here briefly how to generate a self-signed certificate. But before I will explain in practice how these certificates work.

How a certificate works

SSL or TLS its successor are protocols for securing internet exchanges. When you log on to your favorite site, for example, you can see that this protocol is enabled when there is a lock to the left of https: //. Your browser will send a secure login request to the website. The website responds by sending a browser certificate. This one contains a public key, site information (name, country, mail, etc.) and a digital signature. The browser will then try to verify the digital signature of the site certificate by using the public keys contained in the certificates of the Certificate Authorities (CA) integrated by default in the browser.

  • Case 1: one of them works, your browser then finds the name of the CA that signed the certificate sent by the server. It checks that it has not expired and sends a request to this authority to verify that the server certificate has not been revoked.
    • Sub-case 1, the certificate has expired, a warning message appears telling you that the server identity has not been verified by a CA and may therefore potentially be a fraudulent site, Success anyway !!!
    • Sub-case 2, the certificate is valid, Success !!!!
  • Case 2 none works, your browser attempts to verify the digital signature of the server certificate using the public key contained in it.
    • Sub-case 1 Failed, the certificate is invalid, no connection possible.
    • Sub-case 2 Success !!, the web server has itself signed its certificate. A warning message appears telling you that the server identity has not been verified by a CA and may potentially be a fraudulent site. This is the case that we will study through this article.

Then, your browser generates a session key via symmetric encryption using the public key contained in the certificate. Then, it passes this session key to the server. The server then decrypts the session key sent by your browser with its private key. Hence the interest of protecting this private key! The exchanges are initiated and you can navigate.

Generating a private key

[root@osboxes ~]# cd /etc/pki/tls/certs/
[root@osboxes certs]# make math-linux.key
umask 77 ; \
/usr/bin/openssl genrsa -aes128 2048 > math-linux.key
Generating RSA private key, 2048 bit long modulus
e is 65537 (0x10001)
Enter pass phrase:
Verifying - Enter pass phrase:
[root@osboxes certs]# openssl rsa -in math-linux.key -out math-linux.key
Enter pass phrase for math-linux.key:
writing RSA key

Generate a Certificate Signing Request (CSR)

[root@osboxes certs]# make math-linux.csr
umask 77 ; \
/usr/bin/openssl req -utf8 -new -key math-linux.key -out math-linux.csr
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
Country Name (2 letter code) [XX]:FR
State or Province Name (full name) []:
Locality Name (eg, city) [Default City]:Paris
Organization Name (eg, company) [Default Company Ltd]:Math-Linux.com
Organizational Unit Name (eg, section) []:
Common Name (eg, your name or your server's hostname) []:math-linux.com
Email Address []:adm@math-linux.com

Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:
An optional company name []:

Remove the passphrase

[root@osboxes certs]# openssl rsa -in math-linux.key -out math-linux.key

Generate a self-signed certificate

[root@osboxes certs]# openssl x509 -in math-linux.csr -out math-linux.crt -req -signkey math-linux.key -days 3650
Signature ok
Getting Private key
[root@osboxes certs]# 

Configure Apache server / httpd

In the directory /etc/httpd or /etc/apache2 there must be a configuration file * ssl.conf or an environment dedicated to the configuration of ssl

The following command

[root@osboxes certs]# grep -iR SSLCertificateFile /etc/httpd/*
[root@osboxes certs]# grep -iR SSLCertificateFile /etc/apache*/*

will then determine the file. It will then be necessary to configure the apache server so that it can integrate the certificates which you have just generated:

    DocumentRoot /var/www/html2
    ServerName www.math-linux.com
        SSLEngine on
        SSLCertificateFile /etc/pki/tls/certs/math-linux.crt
        SSLCertificateKeyFile /etc/pki/tls/certs/math-linux.key