Creating a Self-Signed Certificate on RHEL

You can create your own self-signed certificate. Note that a self-signed certificate does not provide the security guarantees of a CA-signed certificate.

Generating a Key

Taken from RHEL Administration Guide 25.6. GENERATING A KEY and Creating a Self-Signed Certificate

Step 1: Clean up fake key and certificate

Go to /etc/httpd/conf/ directory. Remove the fake key and certificate that were generated during the installation

# cd /etc/httpd/conf/
# rm ssl.key/server.keyrm ssl.crt/server.crt

Step 2: Create your own Random Key

Go to usr/share/ssl/certs/ and generate key

# cd /usr/share/ssl/certs/
# make genkey

Your system displays a message similar to the following:

mask 77 ; \
/usr/bin/openssl genrsa -des3 1024 > /etc/httpd/conf/ssl.key/server.key
Generating RSA private key, 1024 bit long modulus
.......++++++
................................................................++++++
e is 65537 (0x10001)
Enter pass phrase:

You now must enter in a passphrase. For security reason, it should contain at least eight characters, include numbers and/or punctuation, and it should not be a word in a dictionary.

Re-type the passphrase to verify that it is correct. Once you have typed it in correctly, /etc/httpd/conf/ssl.key/server.key, the file containing your key, is created.

Note that if you do not want to type in a passphrase every time you start your secure server, you must use the following two commands instead of make genkey to create the key.

# /usr/bin/openssl genrsa 1024 > /etc/httpd/conf/ssl.key/server.key

Then, use the following command to make sure the permissions are set correctly for the file:

# chmod go-rwx /etc/httpd/conf/ssl.key/server.key

After you use the above commands to create your key, you do not need to use a passphrase to start your secure server.

* The server.key file should be owned by the root user on your system and should not be accessible to any other user. Make a backup copy of this file and keep the backup copy in a safe, secure place. You need the backup copy because if you ever lose the server.key file after using it to create your certificate request, your certificate no longer works and the CA is not able to help you. Your only option is to request (and pay for) a new certificate.

Creating a Self-Signed Certificate

Once you have a key, make sure you are in the /usr/share/ssl/certs/ directory, and type the following command:

# /usr/share/ssl/certs/make testcert

The following output is shown and you are prompted for your passphrase (unless you generated a key without a passphrase):

umask 77 ; \
/usr/bin/openssl req -new -key -set_serial num /etc/httpd/conf/ssl.key/server.key  
-x509 -days 365 -out /etc/httpd/conf/ssl.crt/server.crt
Using configuration from /usr/share/ssl/openssl.cnf
Enter pass phrase:

Next, you are asked for more information. The computer’s output and a set of inputs looks like the following (provide the correct information for your organization and host):

You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a
DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [GB]:SG

After you provide the correct information, a self-signed certificate is created in /etc/httpd/conf/ssl.crt/server.crt. Restart the secure server after generating the certificate with following the command:

# /sbin/service httpd restart