In this tutorial we will go through how to generate self-signed SSL certificates on Rocky Linux 8 or 9. Communication between a web server and a client's web browser is protected by the security protocols TLS (Transport Layer Security) and SSL (Secure Sockets Layer). They are typically used to safeguard private information, login passwords, credit card details, and other sensitive data. Unlike a certificate issued by a certificate authority, a self-signed SSL certificate is signed by the certificate owner itself. Self-signed SSL certificates are often used for testing local web servers and are completely free.
Pre-requisite
- A Rocky Linux 8 or 9 host. You may refer to How to Install Rocky Linux
- User with sudo privileges
Installing OpenSSL Packages
To create a self-signed certificate, first install the OpenSSL toolkit on your PC or server.
If it’s not installed, use the following command to install it:
dnf install openssl -y
Verify the packages after installation
rpm -qa openssl
You should see output similar to the following (example):
openssl-1.1.1k-5.el8_5.x86_64
You may refer to the official OpenSSL website
Generate Private Keys
Encryption requires a private key, so create one first.
Use the following command to generate a password-protected 2048-bit RSA private key:
openssl genrsa -des3 -out private.key 2048
It will prompt you for a pass phrase:
Generating RSA private key, 2048 bit long modulus (2 primes)
...........................................................+++++
..+++++
e is 65537 (0x010001)
Enter pass phrase for private.key:
Verifying - Enter pass phrase for private.key:
Check the content of the private key:
cat private.key
Sample Output
-----BEGIN RSA PRIVATE KEY-----
Proc-Type: 4,ENCRYPTED
DEK-Info: DES-EDE3-CBC,E0C0E24222815CE0
-----END RSA PRIVATE KEY-----
Certificate Signing Request
If you would later like your certificate to be signed, you will need a certificate signing request (CSR). A CSR contains details such as the country, the organization, and the public key.
Create a CSR named server.csr with your private key, as shown below:
openssl req -key private.key -new -out server.csr
To complete the procedure, you will be asked for your private key pass phrase and the CSR details, as seen below:
Enter pass phrase for private.key:
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank
-----
Country Name (2 letter code) [XX]:IN
State or Province Name (full name) []:KA
Locality Name (eg, city) [Default City]:BANGALORE
Organization Name (eg, company) [Default Company Ltd]:LinuxQuery
Organizational Unit Name (eg, section) []:IT
Common Name (eg, your name or your server's hostname) []:server.linuxquery.org
Email Address []:itadmin@linuxquery.org
Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:
An optional company name []:
Generate a Self-Signed Certificate
A self-signed certificate is a certificate that has been signed with its own private key rather than by a certificate authority. It is used to encrypt data in transit.
With the private key and the CSR, you can generate a self-signed certificate called server.crt, as demonstrated below:
openssl x509 -signkey private.key -in server.csr -req -days 365 -out server.crt
Sample Output
Signature ok
subject=C = IN, ST = KA, L = BANGALORE, O = LinuxQuery, OU = IT, CN = server.linuxquery.org, emailAddress = itadmin@linuxquery.org
Getting Private key
Enter pass phrase for private.key:
You may now see the contents of your certificate in plain text by using the OpenSSL command:
openssl x509 -text -noout -in server.crt
Sample Output
Certificate:
Data:
Version: 1 (0x0)
Serial Number:
6f:bd:1d:8d:be:52:8e:9b:ba:74:29:0c:e7:15:2b:01:42:5c:66:8d
Signature Algorithm: sha256WithRSAEncryption
Issuer: C = IN, ST = KA, L = BANGALORE, O = LinuxQuery, OU = IT, CN = server, emailAddress = itadmin@linuxquery.org
Validity
Not Before: Jan 15 11:42:36 2024 GMT
Not After : Jan 15 11:42:36 2025 GMT
Subject: C = IN, ST = KA, L = BANGALORE, O = LinuxQuery, OU = IT, CN = server, emailAddress = itadmin@linuxquery.org
Subject Public Key Info:
Public Key Algorithm: rsaEncryption
RSA Public-Key: (2048 bit)
Modulus:
Exponent: 65537 (0x10001)
Signature Algorithm: sha256WithRSAEncryption
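The three steps above (key, CSR, self-signed certificate) run non-interactively as one script, as an added example that is not part of the original tutorial. It assumes a POSIX shell with openssl in PATH; the pass phrase, the ./tls-demo directory and the follow-up checks (self-verification, key/certificate match, SAN read-back) are my additions, and it deliberately uses -aes256 and a subjectAltName extension where the page uses -des3 and a bare v1 certificate.

```shell
#!/bin/sh
# Added example (not from the original page): the page's three commands run
# non-interactively, plus the checks a practitioner would do afterwards.
# Constructed values: the pass phrase, the ./tls-demo directory, the subject.
set -eu

# Step 1: encrypted 2048-bit RSA key. -aes256 is used instead of the page's
# -des3 (3DES is a legacy cipher); -passout replaces the interactive prompt.
gen_key() {    # gen_key <keyfile> <passphrase>
  openssl genrsa -aes256 -passout "pass:$2" -out "$1" 2048 2>/dev/null
}

# Step 2: CSR with the subject passed via -subj, so no DN prompts appear.
gen_csr() {    # gen_csr <keyfile> <passphrase> <csrfile> <cn>
  openssl req -new -key "$1" -passin "pass:$2" -out "$3" \
    -subj "/C=IN/ST=KA/L=BANGALORE/O=LinuxQuery/OU=IT/CN=$4"
}

# Step 3: self-sign the CSR. The page's bare command yields a v1 certificate
# with no Subject Alternative Name, which current browsers reject; the extfile
# adds a SAN matching the CN and makes the result an X.509 v3 certificate.
sign_cert() {  # sign_cert <keyfile> <passphrase> <csrfile> <crtfile> <cn>
  ext=$(mktemp)
  printf 'subjectAltName=DNS:%s\n' "$5" > "$ext"
  openssl x509 -req -days 365 -in "$3" -signkey "$1" -passin "pass:$2" \
    -out "$4" -extfile "$ext" 2>/dev/null
  rm -f "$ext"
}

# Check: the certificate validates against itself, and its public key is the
# one derived from the private key (the two DER public keys hash identically).
verify_cert() { # verify_cert <keyfile> <passphrase> <crtfile> -> prints ok|mismatch
  openssl verify -CAfile "$3" "$3" >/dev/null 2>&1 || { echo verify-failed; return 1; }
  k=$(openssl pkey -in "$1" -passin "pass:$2" -pubout -outform DER | openssl dgst -sha256)
  c=$(openssl x509 -in "$3" -pubkey -noout | openssl pkey -pubin -pubout -outform DER | openssl dgst -sha256)
  [ "$k" = "$c" ] && echo ok || echo mismatch
}

# Check: read the SAN back out of the certificate, e.g. "DNS:server.linuxquery.org".
cert_san() {   # cert_san <crtfile>
  openssl x509 -in "$1" -noout -text | grep -A1 'Subject Alternative Name' | tail -n 1 | sed 's/^ *//'
}

# Demo run in ./tls-demo with a constructed pass phrase (never hard-code a real one).
mkdir -p tls-demo && cd tls-demo
PASS='demo-passphrase'
gen_key private.key "$PASS"
gen_csr private.key "$PASS" server.csr server.linuxquery.org
sign_cert private.key "$PASS" server.csr server.crt server.linuxquery.org
echo "key/cert check: $(verify_cert private.key "$PASS" server.crt)  SAN: $(cert_san server.crt)"
```

Inspect the result with the same `openssl x509 -text -noout -in server.crt` command as above; it now reports Version: 3 and an X509v3 Subject Alternative Name block.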
Conclusion
In this article, we covered how to use the OpenSSL tool to create a self-signed SSL certificate. Now that it is available, you can configure a web server such as Apache or Nginx to use it and protect client-server communication.