Creating a Self-Signed Certificate on RHEL

You can create your own self-signed certificate. Note that a self-signed certificate does not provide the security guarantees of a CA-signed certificate.

Generating a Key

Taken from RHEL Administration Guide 25.6. GENERATING A KEY and Creating a Self-Signed Certificate

Step 1: Clean up fake key and certificate

Go to /etc/httpd/conf/ directory. Remove the fake key and certificate that were generated during the installation

# cd /etc/httpd/conf/
# rm ssl.key/server.keyrm ssl.crt/server.crt

Step 2: Create your own Random Key

Go to usr/share/ssl/certs/ and generate key

# cd /usr/share/ssl/certs/
# make genkey

Your system displays a message similar to the following:

mask 77 ; \
/usr/bin/openssl genrsa -des3 1024 > /etc/httpd/conf/ssl.key/server.key
Generating RSA private key, 1024 bit long modulus
.......++++++
................................................................++++++
e is 65537 (0x10001)
Enter pass phrase:

You now must enter in a passphrase. For security reason, it should contain at least eight characters, include numbers and/or punctuation, and it should not be a word in a dictionary.

Re-type the passphrase to verify that it is correct. Once you have typed it in correctly, /etc/httpd/conf/ssl.key/server.key, the file containing your key, is created.

Note that if you do not want to type in a passphrase every time you start your secure server, you must use the following two commands instead of make genkey to create the key.

# /usr/bin/openssl genrsa 1024 > /etc/httpd/conf/ssl.key/server.key

Then, use the following command to make sure the permissions are set correctly for the file:

# chmod go-rwx /etc/httpd/conf/ssl.key/server.key

After you use the above commands to create your key, you do not need to use a passphrase to start your secure server.

* The server.key file should be owned by the root user on your system and should not be accessible to any other user. Make a backup copy of this file and keep the backup copy in a safe, secure place. You need the backup copy because if you ever lose the server.key file after using it to create your certificate request, your certificate no longer works and the CA is not able to help you. Your only option is to request (and pay for) a new certificate.

Creating a Self-Signed Certificate

Once you have a key, make sure you are in the /usr/share/ssl/certs/ directory, and type the following command:

# /usr/share/ssl/certs/make testcert

The following output is shown and you are prompted for your passphrase (unless you generated a key without a passphrase):

umask 77 ; \
/usr/bin/openssl req -new -key -set_serial num /etc/httpd/conf/ssl.key/server.key  
-x509 -days 365 -out /etc/httpd/conf/ssl.crt/server.crt
Using configuration from /usr/share/ssl/openssl.cnf
Enter pass phrase:

Next, you are asked for more information. The computer’s output and a set of inputs looks like the following (provide the correct information for your organization and host):

You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a
DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [GB]:SG

After you provide the correct information, a self-signed certificate is created in /etc/httpd/conf/ssl.crt/server.crt. Restart the secure server after generating the certificate with following the command:

# /sbin/service httpd restart

CentOS Replacement Rocky Linux Is Now in GA and Under Independent Control

The Rocky Enterprise Software Foundation (RESF) is announcing the general availability of Rocky Linux, release 8.4, designed as a drop-in replacement for the soon-to-be discontinued CentOS. The GA release is launching six-and-a-half months after Red Hat deprecated its support for the widely popular, free CentOS server operating system.

HPC Wire 21-June-2021 ()

For more information, do take a look at CentOS Replacement Rocky Linux is now in GA and Under Independent Control

Do take a look at Rocky Linux site

CentOS Project is shifting to CentOS Stream

The CentOS project recently announced a shift in strategy for CentOS.

  • It will be shifting to an upstream build (testing patches and updates before inclusion in the upstream vendor).
  • Additionally, support for CentOS Linux 8 has been cut short, from May 31, 2029 to December 31, 2021.
  • CentOS 7 will continue to be supported as a downstream version of RHEL 7 till Jun 2024.

 

 

Where do we go from here? We can look at Rocky Linux. Rocky Linux aims to function as a downstream build as CentOS had done previously, building releases after they have been added by the upstream vendor, not before. Rocky Linux is led by Gregory Kurtzer, founder of the CentOS project.