Introduction

Generating a Certificate Signing Request (CSR) for a Secure Sockets Layer (SSL) certificate works the same way on most Linux distributions. We may need a certificate for an internet-facing Apache service, or for an internal FTP server in the organization that has to offer secure file transfer instead of sending data in plain text across the network. There is no longer any reason to skip an SSL certificate now that Let's Encrypt makes them available for free.

letsencrypt.org is a collaborative project of the Linux Foundation that provides certificates free of cost. They can be used for any type of website, or anywhere else the communication needs to be encrypted. To obtain an SSL certificate we first generate a CSR file and submit it to the certificate authority.

There are two types of certificates: self-signed certificates and CA authorized certificates.

SSL Certificate

Self Signed Certificate

  • A self-signed certificate is signed with its own private key, because we do not plan to have it signed by a CA.
  • Self-signed certificates are valid for 1 year; we need to renew them once they are about to expire.
  • A local certificate authority server in your environment helps to create SSL certificates for use within the organization.
  • They can be used for any locally deployed applications, FTP servers, etc.

CA Authorized Certificate

  • A trusted third-party entity that issues digital certificates.
  • Can be used on internet-facing servers for data encryption, for example a website using HTTPS.
  • The validity period of the certificate depends on the plan we choose.
  • Domain validation is required before a CA issues any certificate.

Generate a Certificate Signing Request (CSR)

Navigate to the location below. If you are creating the request for a web server, you can create a directory with any name in the location you wish.

# cd /etc/pki/tls/certs

Start generating the CSR by running the openssl command with the options and arguments below.

# openssl req -new -newkey rsa:2048 -nodes -keyout domain_name.com.key -out domain_name.com.csr

Options and descriptions as follows:

  Option              Description
  -new                New request
  -newkey rsa:2048    Create a new 2048-bit RSA key and the request in one go
  -nodes              Don't encrypt the output key
  -keyout outfile     File to write the key to (domain_name.com.key)
  -days +int          Number of days the cert is valid for
  -out                Output file

The same command can be run non-interactively, without manual intervention, by passing the subject fields with -subj.

# openssl req -nodes -newkey rsa:2048 -keyout domain_name.com.key -out domain_name.com.csr -subj "/C=IN/ST=TamilNadu/L=Chennai/O=Linux Sysadmins/OU=IT/CN=linuxsysadmins.local/street=Chennai 01"

In the step above we used "-nodes", which leaves the output key unencrypted. If you did not use the -nodes option, follow the steps below to remove the passphrase from the key file.
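The following script is an added example, not part of the original article. It runs the same non-interactive CSR generation into a scratch directory, then does the checks a practitioner wants before handing a CSR to a CA: verifies the request's self-signature, reads back the CN, and tells an encrypted key apart from an unencrypted one. It also shows the passphrase-removal step from the next section as a function, with the passphrase passed on the command line so the demo stays non-interactive. The scratch directory, the hostname "example.internal", the subject fields and the passphrase "demo-only" are constructed placeholders.

```shell
#!/bin/sh
# Added example (not from the original article): generate a key and CSR
# non-interactively, inspect the CSR before it goes to a CA, and show how to
# tell an encrypted key from an unencrypted one. The scratch directory, the
# hostname "example.internal" and the demo passphrase are constructed.
set -eu

WORKDIR="$(mktemp -d)"    # stands in for /etc/pki/tls/certs
NAME="example.internal"
SUBJ="/C=IN/ST=TamilNadu/L=Chennai/O=Linux Sysadmins/OU=IT/CN=$NAME"

# Key + CSR in one step. With -nodes the key is written unencrypted, so
# the "remove passphrase" step is not needed afterwards.
make_csr() {
    openssl req -new -newkey rsa:2048 -nodes \
        -keyout "$1/$2.key" -out "$1/$2.csr" -subj "$3" 2>/dev/null
    chmod 600 "$1/$2.key"   # private key: owner read/write only
}

# Verify the CSR's self-signature: it proves the request was produced by
# the holder of the private key whose public half the CSR carries.
csr_verify() {
    openssl req -in "$1" -noout -verify >/dev/null 2>&1
}

# Print the CN the CA will see (handles both "CN = x" and "/CN=x" output).
csr_cn() {
    openssl req -in "$1" -noout -subject | sed -n 's/.*CN *= *\([^,/]*\).*/\1/p'
}

# An encrypted PEM key announces itself in its header ("ENCRYPTED PRIVATE
# KEY" or "Proc-Type: 4,ENCRYPTED"); a -nodes key has no such marker.
key_is_encrypted() {
    grep -q ENCRYPTED "$1"
}

# The article's passphrase-removal step as a function; the passphrase is
# taken from $3 so the demo stays non-interactive.
strip_passphrase() {
    openssl rsa -in "$1" -passin "pass:$3" -out "$2" 2>/dev/null
    chmod 600 "$2"
}

if command -v openssl >/dev/null 2>&1; then
    make_csr "$WORKDIR" "$NAME" "$SUBJ"
    csr_verify "$WORKDIR/$NAME.csr" && echo "CSR signature OK, CN=$(csr_cn "$WORKDIR/$NAME.csr")"
    # Demonstrate the encrypted case: the same key, protected with a demo passphrase.
    openssl rsa -in "$WORKDIR/$NAME.key" -aes256 -passout pass:demo-only \
        -out "$WORKDIR/$NAME.enc" 2>/dev/null
    key_is_encrypted "$WORKDIR/$NAME.enc" && echo "$NAME.enc is encrypted"
    strip_passphrase "$WORKDIR/$NAME.enc" "$WORKDIR/$NAME.plain" demo-only
    key_is_encrypted "$WORKDIR/$NAME.plain" || echo "$NAME.plain has no passphrase"
else
    echo "openssl not found; nothing generated" >&2
fi
```

The grep on the PEM header is deliberately simple: it is the quickest way to confirm that a key a service will load at boot is really unencrypted, which is the whole point of the -nodes option or of the passphrase-removal step.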

Removing Passphrase from the Key file

Before removing the passphrase from the key file, make sure to back up the original file.

# sudo cp -v /etc/pki/tls/certs/domain_name.com.{key,original}

Remove the passphrase from the key file and save the output in a new file.

# sudo openssl rsa -in /etc/pki/tls/certs/domain_name.com.original -out /etc/pki/tls/certs/domain_name.com.key

Once the passphrase has been removed, validate the new file and then remove the backup.

# sudo rm -v /etc/pki/tls/certs/domain_name.com.original

If you need the certificate signed by a CA (for example Verisign), submit the CSR above to one of the providers; the .CRT file is returned by email. If you only need the certificate inside your organization, follow the steps below instead.

Creating the “.crt” Certificate file

# sudo openssl x509 -req -days 365 -in /etc/pki/tls/certs/domain_name.com.csr -signkey /etc/pki/tls/certs/domain_name.com.key -out /etc/pki/tls/certs/domain_name.com.crt

Options and descriptions as follows:

  Option        Description
  x509          X.509 certificate data management
  -req          Expect a PKCS#10 X.509 Certificate Signing Request (CSR) as input
  -days         How long the certificate needs to be valid
  -in           Input CSR file
  -signkey      Key file used to self-sign the certificate
  -out          Output file for the final SSL certificate

Removing the CSR file:

Now it is time to remove the .CSR file. It is safe to remove the .CSR once all the steps above are done; from here on we only need the ".CRT" and key files.

# sudo rm -v /etc/pki/tls/certs/domain_name.com.csr

Restrict permission for SSL Certificate:

Change the permissions of the SSL certificate and its key so that only the root user can read and write them.

# sudo chmod 600 /etc/pki/tls/certs/domain_name.com.{crt,key}
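The script below is an added example, not part of the original article, covering the self-signing, cleanup and permission steps above in one run. It adds one thing the plain "x509 -req -signkey" command does not: a subjectAltName, supplied through -extfile, because "x509 -req" copies no extensions from the request and most TLS clients ignore the CN when no SAN is present. It then confirms that the certificate really belongs to the key, that it is not about to expire, and lists the SAN entries. The scratch directory, the hostname "example.internal", the subject fields and the 365-day validity are constructed values.

```shell
#!/bin/sh
# Added example (not from the original article): turn a CSR into a
# self-signed certificate that also carries a subjectAltName, prove that
# the certificate belongs to the key and is not about to expire, and lock
# down the file permissions. The scratch directory, the hostname
# "example.internal" and the subject fields are constructed placeholders.
set -eu

WORKDIR="$(mktemp -d)"     # stands in for /etc/pki/tls/certs
NAME="example.internal"

# Key + CSR, non-interactive form as in the article.
make_csr() {
    openssl req -new -newkey rsa:2048 -nodes \
        -keyout "$1/$2.key" -out "$1/$2.csr" \
        -subj "/C=IN/ST=TamilNadu/L=Chennai/O=Linux Sysadmins/OU=IT/CN=$2" 2>/dev/null
}

# Self-sign the CSR for $3 days. "x509 -req -signkey" copies no extensions
# from the request, so the SAN and usage bits are supplied via -extfile.
self_sign() {
    dir="$1"; name="$2"; days="$3"
    printf '%s\n' "subjectAltName=DNS:$name" "basicConstraints=CA:FALSE" \
        "keyUsage=digitalSignature,keyEncipherment" \
        "extendedKeyUsage=serverAuth" > "$dir/$name.ext"
    openssl x509 -req -days "$days" -in "$dir/$name.csr" \
        -signkey "$dir/$name.key" -extfile "$dir/$name.ext" \
        -out "$dir/$name.crt" 2>/dev/null
    rm -f "$dir/$name.csr" "$dir/$name.ext"   # only .crt and .key are kept
    chmod 600 "$dir/$name.key"                # private key: owner only
    chmod 644 "$dir/$name.crt"                # the certificate is public data
}

# The certificate (self-signed or returned by a CA) must carry the same
# public key as the private key we keep; compare the two PEM public keys.
cert_matches_key() {
    [ "$(openssl x509 -in "$1" -noout -pubkey)" = "$(openssl pkey -in "$2" -pubout)" ]
}

# Succeed if the certificate is still valid $2 seconds from now.
cert_valid_for() {
    openssl x509 -in "$1" -noout -checkend "$2" >/dev/null
}

# List the DNS names in the subjectAltName extension, one per line.
cert_sans() {
    openssl x509 -in "$1" -noout -text | grep -A1 'Subject Alternative Name' \
        | grep -o 'DNS:[^, ]*' | sed 's/^DNS://'
}

if command -v openssl >/dev/null 2>&1; then
    make_csr "$WORKDIR" "$NAME"
    self_sign "$WORKDIR" "$NAME" 365
    cert_matches_key "$WORKDIR/$NAME.crt" "$WORKDIR/$NAME.key" && echo "certificate matches key"
    cert_valid_for "$WORKDIR/$NAME.crt" 86400 && echo "valid for at least one more day"
    echo "SAN: $(cert_sans "$WORKDIR/$NAME.crt")"
else
    echo "openssl not found; nothing generated" >&2
fi
```

The public-key comparison in cert_matches_key is the same check to run when a CA returns a .CRT by email: if the two PEM blocks differ, the certificate was issued for a different key and the web server will fail to start or serve a mismatched pair. The -checkend call is what a cron job can use to warn before the 365-day self-signed certificate lapses.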

That's it: we have generated a CSR file and submitted it to the CA to get our SSL certificate.

Conclusion:

Secure communication between the web server and its visitors is most important, and implementing an SSL certificate is how we achieve it. We have gone through the two types of certificates; if you have any points to add, they are most welcome. Subscribe to our newsletter and stay with us.

Babin Lonston
Overall 13+ years of experience in the IT field, 7+ years of experience in Linux administration with virtualization and cloud technologies. Loves documentation and has been a numismatist for a long time.
