1. Generate a self-signed certificate
Normally an https server needs an X509 certificate issued by a recognized CA. When a client connects to the https server, it uses the CA's public key to check that the server certificate is valid. Obtaining a certificate from a CA is cumbersome, however, and it costs money, so small organizations often use self-signed certificates instead: you create your own CA and use it to sign your server certificate.
There are two main steps: first generate your own CA certificate, then generate a certificate for each server and sign it with the CA. I used OpenSSL to generate the self-signed certificate.
The first step is to create a CA certificate:
openssl genrsa -des3 -out my-ca.key 2048
openssl req -new -x509 -days 3650 -key my-ca.key -out my-ca.crt
This produces two files, my-ca.key and my-ca.crt. The first holds the private key needed to sign certificates with my-ca.crt and must be kept safe; the second is the CA certificate and can be made public. The -days 3650 option above makes the CA certificate valid for 10 years.
Use the command
openssl x509 -in my-ca.crt -text -noout
to view the contents of the my-ca.crt file.
With the CA certificate, you can generate a certificate for your server:
openssl genrsa -des3 -out mars-server.key 1024
openssl req -new -key mars-server.key -out mars-server.csr
openssl x509 -req -in mars-server.csr -out mars-server.crt -sha1 -CA my-ca.crt -CAkey my-ca.key -CAcreateserial -days 3650
The first two commands generate the server key and the certificate signing request (csr); the last command signs the mars-server.csr request with my-ca.crt and my-ca.key, producing the X509 certificate mars-server.crt.
Note that when you run the second command, the value you enter for Common Name should be the server's domain name. Otherwise the browser shows an extra warning every time you access the server over https.
Use the command
openssl x509 -in mars-server.crt -text -noout
to view the contents of the mars-server.crt file.
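The whole procedure above, as an added example that is not part of the original post: it builds the CA, signs a server certificate for it, and then checks the result the way a client does, both with the right CA (the chain verifies) and with an unrelated CA (it is rejected). Assumptions: openssl is on PATH; the file names follow the post; -subj replaces the interactive prompts; -sha256 and a 2048-bit server key are used instead of the post's -sha1 and 1024 bits, and a subjectAltName extension is added because current browsers check it rather than the Common Name.

```shell
#!/bin/sh
# Added example, not the post's own commands. Assumes openssl on PATH.
set -eu

# make_ca DIR: create the CA private key and the self-signed CA certificate.
make_ca() {
    dir="$1"
    # No -des3 here so the script runs unattended; the post's form prompts
    # for a passphrase that protects my-ca.key at rest.
    openssl genrsa -out "$dir/my-ca.key" 2048 2>/dev/null
    openssl req -new -x509 -days 3650 -key "$dir/my-ca.key" \
        -subj "/CN=Example Private CA" -out "$dir/my-ca.crt"
}

# make_server_cert DIR NAME: server key and CSR for host NAME, then sign
# the CSR with the CA stored in DIR.
make_server_cert() {
    dir="$1"; name="$2"
    openssl genrsa -out "$dir/mars-server.key" 2048 2>/dev/null
    # Common Name is the server host name, as the post notes.
    openssl req -new -key "$dir/mars-server.key" -subj "/CN=$name" \
        -out "$dir/mars-server.csr"
    # Browsers match the host against subjectAltName, so add it at signing.
    printf 'subjectAltName = DNS:%s\n' "$name" > "$dir/san.ext"
    openssl x509 -req -in "$dir/mars-server.csr" -out "$dir/mars-server.crt" \
        -sha256 -CA "$dir/my-ca.crt" -CAkey "$dir/my-ca.key" -CAcreateserial \
        -days 3650 -extfile "$dir/san.ext" 2>/dev/null
}

# verify_chain CAFILE CERT: exit 0 only if CERT was signed by the CA in CAFILE.
# This is the check a client performs when it trusts my-ca.crt.
verify_chain() {
    openssl verify -CAfile "$1" "$2" >/dev/null 2>&1
}

# cert_sans CERT: print the subjectAltName value, e.g. "DNS:localhost".
cert_sans() {
    openssl x509 -in "$1" -noout -text \
        | grep -A1 'Subject Alternative Name' | tail -n 1 \
        | sed 's/^[[:space:]]*//'
}

# Demonstration when run directly.
if command -v openssl >/dev/null 2>&1; then
    work=$(mktemp -d)
    make_ca "$work"
    make_server_cert "$work" localhost
    verify_chain "$work/my-ca.crt" "$work/mars-server.crt" \
        && echo "chain OK, SAN: $(cert_sans "$work/mars-server.crt")"
    # A certificate presented to a client that trusts a different CA fails.
    other=$(mktemp -d)
    make_ca "$other"
    verify_chain "$other/my-ca.crt" "$work/mars-server.crt" \
        || echo "certificate rejected by an unrelated CA, as expected"
    rm -rf "$work" "$other"
fi
```

The negative check is the point of the exercise: a self-signed setup only protects clients that have my-ca.crt installed as trusted, and any other client (or any client presented with a certificate from another private CA) should refuse the connection rather than silently accept it.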
2. Configure the Apache server
First, create the /etc/apache2/ssl directory and copy the my-ca.crt, mars-server.key, and mars-server.crt files you just created into it.
Then run the command
a2enmod ssl
to enable Apache's SSL module, and add a virtual host under /etc/apache2/sites-enabled/. This is similar to adding an ordinary virtual host, except that the host listens on port 443. The configuration is as follows:
NameVirtualHost *:443
<VirtualHost *:443>
    ServerName localhost
    DocumentRoot /var/www
    SSLEngine On
    SSLCipherSuite HIGH:MEDIUM
    SSLProtocol all -SSLv2
    SSLCertificateFile /etc/apache2/ssl/mars-server.crt
    SSLCertificateKeyFile /etc/apache2/ssl/mars-server.key
    SSLCACertificateFile /etc/apache2/ssl/my-ca.crt
    <Directory /var/www>
        Order deny,allow
        Allow from localhost
    </Directory>
</VirtualHost>
<VirtualHost *:80>
    ServerName localhost
    DocumentRoot /var/www
    <Directory /var/www>
        Order deny,allow
        Allow from localhost
    </Directory>
</VirtualHost>
With this configuration users see the same content on port 443 and port 80; only the protocol differs. After changing the configuration, restart the Apache server; you will be asked for the passphrase of mars-server.key. Then open
https://localhost/
in a browser. A dialog box asks whether you trust the site's certificate; after you choose to trust it, the site's content is displayed.
Since Apache is usually started automatically at boot, you can avoid the passphrase prompt at startup by generating an unencrypted copy of mars-server.key with the following command:
openssl rsa -in mars-server.key -out mars-server.key.insecure
Then replace the original key file with the newly generated mars-server.key.insecure.
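The passphrase-removal step above, as an added example that is not from the original post. It creates a passphrase-protected key non-interactively, strips the passphrase the way the post describes, confirms that the two files hold the same key, and writes the unprotected copy with owner-only permissions, since once the passphrase is gone the file permissions are the only thing protecting the key. Assumptions: openssl is on PATH; the passphrase "constructed-pass" is a constructed sample value.

```shell
#!/bin/sh
# Added example, not the post's own commands. Assumes openssl on PATH.
set -eu

# make_encrypted_key DIR PASS: the post's "openssl genrsa -des3" step, with
# the passphrase given on the command line instead of at a prompt.
make_encrypted_key() {
    openssl genrsa -des3 -passout "pass:$2" -out "$1/mars-server.key" 2048 2>/dev/null
}

# strip_passphrase DIR PASS: write mars-server.key.insecure. The subshell
# umask makes openssl create the file as mode 0600 from the start, so the
# unprotected key is never world-readable, not even briefly.
strip_passphrase() {
    (
        umask 077
        openssl rsa -in "$1/mars-server.key" -passin "pass:$2" \
            -out "$1/mars-server.key.insecure" 2>/dev/null
    )
}

# key_is_encrypted FILE: exit 0 if the PEM file still carries a passphrase
# (both the legacy "Proc-Type: 4,ENCRYPTED" header and the PKCS#8
# "ENCRYPTED PRIVATE KEY" form contain the word ENCRYPTED).
key_is_encrypted() {
    grep -q 'ENCRYPTED' "$1"
}

# keys_match ENCRYPTED PLAIN PASS: exit 0 if both files hold the same RSA key,
# compared by modulus, so you know the copy you installed is the right one.
keys_match() {
    a=$(openssl rsa -in "$1" -passin "pass:$3" -noout -modulus 2>/dev/null)
    b=$(openssl rsa -in "$2" -noout -modulus 2>/dev/null)
    [ -n "$a" ] && [ "$a" = "$b" ]
}

# key_mode FILE: print the permission bits, e.g. 600 (GNU stat, then BSD stat).
key_mode() {
    stat -c '%a' "$1" 2>/dev/null || stat -f '%Lp' "$1"
}

# Demonstration when run directly.
if command -v openssl >/dev/null 2>&1; then
    work=$(mktemp -d)
    make_encrypted_key "$work" constructed-pass
    strip_passphrase "$work" constructed-pass
    key_is_encrypted "$work/mars-server.key" && echo "original key: encrypted"
    key_is_encrypted "$work/mars-server.key.insecure" || echo "copy: no passphrase"
    keys_match "$work/mars-server.key" "$work/mars-server.key.insecure" constructed-pass \
        && echo "same key, copy mode $(key_mode "$work/mars-server.key.insecure")"
    rm -rf "$work"
fi
```

The trade-off the post makes is worth stating plainly: the encrypted key survives a stolen backup, the unencrypted copy does not, so on the server the copy should be readable only by root (Apache reads it before dropping privileges) and the encrypted original should be kept somewhere else.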