Creating a self-signed SSL certificate: Difference between revisions

From Notes to self
Jump to navigation Jump to search
← Older edit
Verbovet (talk | contribs)
Bureaucrats, Interface administrators, Administrators
2,627 edits
No edit summary
No edit summary
 
(4 intermediate revisions by the same user not shown)
Line 1: Line 1:
===This is outdated.  Better use [[Let’s Encrypt]]!===
*There are 2 possibilities:
*There are 2 possibilities:
#self-sign a server certificate or
#to self-sign a server certificate or
#make a CA (Certificate Authority) and sign a server certificate with it
#make a CA (Certificate Authority) and sign a server certificate with it
*Without a CA:
*Without a CA:
Line 7: Line 9:
*Creating a CA and sign a server certificate with it:
*Creating a CA and sign a server certificate with it:
**<code>$ openssl req -new -x509 -sha256 -newkey rsa:2048 -days 10000 -nodes -out myCA.crt -keyout myCA.key</code>
**<code>$ openssl req -new -x509 -sha256 -newkey rsa:2048 -days 10000 -nodes -out myCA.crt -keyout myCA.key</code>
**Set the Common Name (CN) to something like "ACME root certificate" and enter "." for everything else.
***Set the Common Name (CN) to something like "ACME root certificate" and enter "." for everything else.
**<code>$ openssl genrsa -out server.key 2048</code>
**<code>$ openssl req -new -sha256 -newkey rsa:2048 -nodes -out server.csr -keyout server.key</code>
**<code>$ openssl req -new -key server.key -out server.csr</code>
***Set the Common Name (CN) to the FQDN and enter "." for everything else.
**<code>$ openssl x509 -req -sha256 -in server.csr -CA myCA.crt -CAkey myCA.key -CAcreateserial -out server.crt -days 10000</code>
**<code>$ openssl x509 -req -sha256 -in server.csr -CA myCA.crt -CAkey myCA.key -CAcreateserial -out server.crt -days 10000</code>
*Put files <code>server.crt</code> and <code>server.key</code> to <code>/etc/httpd/</code> (on Slackware) and set their permissions to 400.
*Put files <code>server.crt</code> and <code>server.key</code> to <code>/etc/httpd/</code> (on Slackware) and set their permissions to 400.


[[Category: Linux]]
[[Category: Linux]]

Latest revision as of 14:00, 23 November 2016

This is outdated. Better use Let’s Encrypt!

  • There are 2 possibilities:
  1. to self-sign a server certificate or
  2. make a CA (Certificate Authority) and sign a server certificate with it
  • Without a CA:
    • $ openssl req -new -x509 -sha256 -newkey rsa:2048 -days 10000 -nodes -out server.crt -keyout server.key
    • Set the Common Name (CN) to the FQDN and enter "." for everything else.
  • Creating a CA and sign a server certificate with it:
    • $ openssl req -new -x509 -sha256 -newkey rsa:2048 -days 10000 -nodes -out myCA.crt -keyout myCA.key
      • Set the Common Name (CN) to something like "ACME root certificate" and enter "." for everything else.
    • $ openssl req -new -sha256 -newkey rsa:2048 -nodes -out server.csr -keyout server.key
      • Set the Common Name (CN) to the FQDN and enter "." for everything else.
    • $ openssl x509 -req -sha256 -in server.csr -CA myCA.crt -CAkey myCA.key -CAcreateserial -out server.crt -days 10000
  • Put files server.crt and server.key to /etc/httpd/ (on Slackware) and set their permissions to 400.
Retrieved from "https://alik.ejik.org/index.php?title=Creating_a_self-signed_SSL_certificate&oldid=1658"