Generate a self-signed certificate under CentOS

Source: Internet
Author: User

1. Generate a self-signed certificate


Normally an HTTPS server needs an X.509 certificate issued by a recognised CA. When a client connects to the HTTPS server, it uses the CA's public key to check that the server certificate is genuine. Obtaining a certificate from a commercial CA is cumbersome and costs money, so small organisations often use self-signed certificates instead: you create your own CA and use it to sign your server certificate.


The process has two main steps: first generate your own CA certificate, then generate a certificate for each server and sign it with that CA. I used OpenSSL to generate the self-signed certificate.


The first step is to create a CA certificate:


openssl genrsa -des3 -out my-ca.key 2048

openssl req -new -x509 -days 3650 -key my-ca.key -out my-ca.crt

This produces two files, my-ca.key and my-ca.crt. The first is the private key needed to sign anything with my-ca.crt and must be kept secret; the second can be made public. The -days 3650 option in the second command gives my-ca.crt a validity period of 10 years.


To view the contents of my-ca.crt, use the command

openssl x509 -in my-ca.crt -text -noout


With the CA certificate, you can generate a certificate for your server:


openssl genrsa -des3 -out mars-server.key 1024

openssl req -new -key mars-server.key -out mars-server.csr

openssl x509 -req -in mars-server.csr -out mars-server.crt -sha1 -CA my-ca.crt -CAkey my-ca.key -CAcreateserial -days 3650

The first two commands generate the server's private key and a certificate signing request (CSR); the last command signs mars-server.csr with my-ca.key and my-ca.crt, producing the X.509 certificate mars-server.crt.


Note that when you run the second command, enter the server's domain name for the Common Name field; otherwise the browser shows an extra warning every time the server is accessed over HTTPS.


To view the contents of mars-server.crt, use the command

openssl x509 -in mars-server.crt -text -noout
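The whole procedure above (CA key and certificate, server key and CSR, signing with the CA, and checking the result) collected into one non-interactive script, as an added example that is not code from the original article. It assumes the openssl command-line tool is installed; WORKDIR, CA_PASS and SERVER_NAME are placeholders chosen for the example. It goes beyond the article in three ways that current browsers insist on: 2048-bit keys with SHA-256 instead of a 1024-bit key signed with SHA-1, a subjectAltName entry carrying the host name alongside the Common Name, and an openssl verify step that confirms the issued certificate chains to the CA and is valid for that host name.

```shell
#!/bin/sh
# Added example (not from the original article): build a private CA, issue a
# server certificate signed by it, and verify the chain, all non-interactively.
# Assumptions: openssl is installed; WORKDIR, CA_PASS and SERVER_NAME are
# placeholders for this example, not real paths or secrets.
set -eu

WORKDIR="${WORKDIR:-$(mktemp -d)}"
CA_PASS="${CA_PASS:-example-ca-passphrase}"      # constructed placeholder
SERVER_NAME="${SERVER_NAME:-www.example.test}"   # constructed host name

# Step 1: CA private key (passphrase-protected, as in the article) and a
# self-signed CA certificate valid for ten years.
make_ca() {
    openssl genrsa -des3 -passout "pass:$CA_PASS" -out "$WORKDIR/my-ca.key" 2048 2>/dev/null
    openssl req -new -x509 -days 3650 -sha256 \
        -key "$WORKDIR/my-ca.key" -passin "pass:$CA_PASS" \
        -subj "/CN=Example Private CA" \
        -out "$WORKDIR/my-ca.crt"
}

# Step 2: server key and CSR. The article encrypts the server key with -des3 and
# strips the passphrase later; here it is created unencrypted from the start.
# The Common Name is the host name clients will use.
make_server_csr() {
    openssl genrsa -out "$WORKDIR/mars-server.key" 2048 2>/dev/null
    openssl req -new -key "$WORKDIR/mars-server.key" \
        -subj "/CN=$SERVER_NAME" \
        -out "$WORKDIR/mars-server.csr"
}

# Step 3: sign the CSR with the CA. Browsers no longer accept the Common Name
# alone, so the host name is also placed in subjectAltName via -extfile.
# 825 days is the longest leaf validity Apple clients accept.
# -CAcreateserial writes my-ca.srl so serial numbers stay unique per CA.
sign_server_cert() {
    printf 'subjectAltName=DNS:%s\nextendedKeyUsage=serverAuth\n' "$SERVER_NAME" \
        > "$WORKDIR/server-ext.cnf"
    openssl x509 -req -in "$WORKDIR/mars-server.csr" -sha256 -days 825 \
        -CA "$WORKDIR/my-ca.crt" -CAkey "$WORKDIR/my-ca.key" -passin "pass:$CA_PASS" \
        -CAcreateserial -extfile "$WORKDIR/server-ext.cnf" \
        -out "$WORKDIR/mars-server.crt" 2>/dev/null
}

# Check 1: the server certificate must chain to our CA (exit status 0 on success).
verify_chain() {
    openssl verify -CAfile "$WORKDIR/my-ca.crt" "$WORKDIR/mars-server.crt" >/dev/null
}

# Check 2: it must also be valid for the host name a browser will connect to.
# -verify_hostname needs OpenSSL 1.0.2 or later (assumed here).
verify_hostname() {
    openssl verify -CAfile "$WORKDIR/my-ca.crt" -verify_hostname "$SERVER_NAME" \
        "$WORKDIR/mars-server.crt" >/dev/null
}

build_all() {
    make_ca
    make_server_csr
    sign_server_cert
    verify_chain
    verify_hostname
    echo "CA and server certificate written to $WORKDIR"
}

build_all
```

After the script runs, my-ca.crt, mars-server.key and mars-server.crt in WORKDIR are the three files the Apache configuration below expects; openssl x509 -in "$WORKDIR/mars-server.crt" -text -noout shows the issuer, the subjectAltName entry and the validity period.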


2. Configure the Apache server


First, create the directory /etc/apache2/ssl and copy the my-ca.crt, mars-server.key and mars-server.crt files you just created into it.


Then run the command

a2enmod ssl

to enable Apache's SSL module, and add a virtual host under /etc/apache2/sites-enabled/. This is the same as adding an ordinary virtual host, except that the host listens on port 443. The configuration is as follows:


NameVirtualHost *:443

<VirtualHost *:443>
    ServerName localhost
    DocumentRoot /var/www

    SSLEngine On
    SSLCipherSuite HIGH:MEDIUM
    SSLProtocol all -SSLv2
    SSLCertificateFile /etc/apache2/ssl/mars-server.crt
    SSLCertificateKeyFile /etc/apache2/ssl/mars-server.key
    SSLCACertificateFile /etc/apache2/ssl/my-ca.crt

    <Directory /var/www>
        Order deny,allow
        Allow from localhost
    </Directory>
</VirtualHost>

<VirtualHost *:80>
    ServerName localhost
    DocumentRoot /var/www

    <Directory /var/www>
        Order deny,allow
        Allow from localhost
    </Directory>
</VirtualHost>

With this configuration, users see the same content on port 443 and port 80; only the protocol differs. After changing the configuration, restart the Apache server; you will be prompted for the passphrase of mars-server.key. Then open

https://localhost/

in a browser. A dialog box asks whether you trust the site's certificate; once you choose to trust it, you can view the site's content.


Because Apache is usually started automatically at boot, you can avoid the passphrase prompt by generating an unencrypted copy of mars-server.key with the following command:

openssl rsa -in mars-server.key -out mars-server.key.insecure

Then replace the original key file with the newly generated mars-server.key.insecure.
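The passphrase removal just described, as an added example that is not code from the original article. It builds a constructed encrypted key and certificate standing in for mars-server.key and mars-server.crt, decrypts the key into a file that is owner-readable only (an unencrypted key is only as safe as its file permissions), and checks that the new file really is unencrypted and still matches the certificate before it is swapped in. It assumes openssl is installed; WORKDIR and KEY_PASS are placeholders chosen for the example.

```shell
#!/bin/sh
# Added example (not from the original article): strip the passphrase from a
# server key so Apache can start unattended, keep the plaintext key owner-only,
# and confirm it still matches the certificate before replacing the original.
# Assumptions: openssl is installed; WORKDIR and KEY_PASS are placeholders.
set -eu

WORKDIR="${WORKDIR:-$(mktemp -d)}"
KEY_PASS="${KEY_PASS:-example-key-passphrase}"   # constructed placeholder

# Constructed input: an encrypted key plus a self-signed certificate, standing
# in for the article's mars-server.key and mars-server.crt.
make_fixture() {
    openssl genrsa -des3 -passout "pass:$KEY_PASS" -out "$WORKDIR/mars-server.key" 2048 2>/dev/null
    openssl req -new -x509 -days 365 -key "$WORKDIR/mars-server.key" -passin "pass:$KEY_PASS" \
        -subj "/CN=localhost" -out "$WORKDIR/mars-server.crt"
}

# Decrypt the key into a new file (the article's "openssl rsa -in ... -out ...").
# umask 077 in a subshell makes the output owner-only from the moment it is
# created, so the plaintext key is never world-readable, not even briefly.
strip_passphrase() {
    ( umask 077 && openssl rsa -in "$WORKDIR/mars-server.key" -passin "pass:$KEY_PASS" \
        -out "$WORKDIR/mars-server.key.insecure" 2>/dev/null )
}

# Print 1 if a PEM key file is still encrypted, 0 if it is plaintext. Both the
# traditional "Proc-Type: 4,ENCRYPTED" header and the PKCS#8
# "BEGIN ENCRYPTED PRIVATE KEY" marker contain the word ENCRYPTED.
is_encrypted() {
    grep -q 'ENCRYPTED' "$1" && echo 1 || echo 0
}

# A key belongs to a certificate when their public keys are identical. Comparing
# the SHA-256 of the public key in SPKI PEM form works for any key type.
key_matches_cert() {
    key_pub=$(openssl rsa -in "$1" -pubout 2>/dev/null | openssl sha256)
    cert_pub=$(openssl x509 -in "$2" -noout -pubkey | openssl sha256)
    [ "$key_pub" = "$cert_pub" ]
}

# Permission bits of a file as shown by ls, e.g. "rw-------" (portable, unlike stat -c).
file_mode() {
    ls -l "$1" | cut -c2-10
}

main() {
    make_fixture
    strip_passphrase
    key_matches_cert "$WORKDIR/mars-server.key.insecure" "$WORKDIR/mars-server.crt"
    echo "mars-server.key.insecure: encrypted=$(is_encrypted "$WORKDIR/mars-server.key.insecure")" \
         "mode=$(file_mode "$WORKDIR/mars-server.key.insecure") matches certificate"
}

main
```

Only after key_matches_cert succeeds should the unencrypted file be moved over the original; if the check fails, the key and certificate were not generated together and Apache would refuse to start with a key/certificate mismatch.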
