SSL (Secure Sockets Layer) and TLS (Transport Layer Security) are security protocols used to secure web traffic between the web server and the client's web browser. Generally, they are used to protect confidential data such as credit card data, login credentials, and other private information. Unlike a certificate issued by a certificate authority (CA), a self-signed SSL certificate is signed by its owner, using the certificate's own private key. Self-signed SSL certificates are free and are typically used for testing on a locally hosted web server; browsers and other clients do not trust them by default.
In this post, we will show you how to generate a self-signed SSL certificate in Rocky Linux 8.
Install OpenSSL
Before starting, the OpenSSL toolkit must be installed on your server or desktop to generate a self-signed certificate.
If not installed, you can install it by running the following command:
dnf install openssl -y
Once installed, verify the OpenSSL version with the following command.
rpm -qa openssl
You will get the following output:
openssl-1.1.1k-5.el8_5.x86_64
Generate a Private Key
First, you will need to create a private key to enable encryption.
Let's create a password-protected 2048-bit RSA private key using the following command. The -des3 option encrypts the key file with Triple DES under the password you supply:
openssl genrsa -des3 -out private.key 2048
You will be asked to provide a password as shown below:
Generating RSA private key, 2048 bit long modulus (2 primes)
...........................................................+++++
..+++++
e is 65537 (0x010001)
Enter pass phrase for private.key:
Verifying - Enter pass phrase for private.key:
You can see the content of the private key using the following command:
cat private.key
You should see the password-encrypted key in PEM format: a block delimited by -----BEGIN RSA PRIVATE KEY----- and -----END RSA PRIVATE KEY-----, with Proc-Type: 4,ENCRYPTED and DEK-Info: DES-EDE3-CBC headers ahead of the base64 data.
Generate a Certificate Signing Request
Next, you will need a certificate signing request (CSR) if you want your certificate signed. The CSR contains the public key along with identifying information such as the country and organization.
You can create a CSR named server.csr using your private key as shown below:
openssl req -key private.key -new -out server.csr
You will be asked to provide your private key password and some CSR information to complete the process as shown below:
Enter pass phrase for private.key:
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [XX]:IN
State or Province Name (full name) []:GUJ
Locality Name (eg, city) [Default City]:AHMEDABAD
Organization Name (eg, company) [Default Company Ltd]:Atlantic
Organizational Unit Name (eg, section) []:IT
Common Name (eg, your name or your server's hostname) []:server
Email Address []:[email protected]

Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:
An optional company name []:
Generate a Self-Signed Certificate
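A self-signed certificate is a certificate that is signed by its own private key, so its issuer and its subject are the same. It lets the server encrypt traffic with TLS, but no third party vouches for the server's identity.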
You can create a self-signed certificate named server.crt using the private key and CSR, as shown below:
openssl x509 -signkey private.key -in server.csr -req -days 365 -out server.crt
You should see the following output:
Signature ok
subject=C = IN, ST = GUJ, L = AHMEDABAD, O = Atlantic, OU = IT, CN = server, emailAddress = [email protected]
Getting Private key
Enter pass phrase for private.key:
Note: The -days option specifies the number of days that the certificate will be valid.
You can now use the OpenSSL command to view the contents of your certificate in plain text:
openssl x509 -text -noout -in server.crt
You should see the certificate information in the following output:
Certificate:
    Data:
        Version: 1 (0x0)
        Serial Number:
            6f:bd:1d:8d:be:52:8e:9b:ba:74:29:0c:e7:15:2b:01:42:5c:66:8d
        Signature Algorithm: sha256WithRSAEncryption
        Issuer: C = IN, ST = GUJ, L = AHMEDABAD, O = Atlantic, OU = IT, CN = server, emailAddress = [email protected]
        Validity
            Not Before: Mar 15 11:42:36 2022 GMT
            Not After : Mar 15 11:42:36 2023 GMT
        Subject: C = IN, ST = GUJ, L = AHMEDABAD, O = Atlantic, OU = IT, CN = server, emailAddress = [email protected]
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
                RSA Public-Key: (2048 bit)
                Modulus:
                    [modulus hex omitted]
                Exponent: 65537 (0x10001)
    Signature Algorithm: sha256WithRSAEncryption
         [signature hex omitted]
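The three steps above produce a version 1 certificate (Version: 1 (0x0) in the output) with no subjectAltName extension. The following added example, which is not part of the original post, runs the same key, CSR and signing sequence unattended, adds a subjectAltName through -extfile, and checks the result. The hostname, subject fields, the ext.cnf file name and the function names are assumptions, and the key is left unencrypted so that nothing prompts for a passphrase.

```bash
#!/usr/bin/env bash
# Added example: unattended key -> CSR -> self-signed certificate, plus checks.
# Hostname, subject fields and ext.cnf are constructed sample values.

make_selfsigned() {            # usage: make_selfsigned <dir> <hostname>
    dir=$1; host=$2
    # Unencrypted key so nothing prompts; umask keeps the file owner-only.
    ( umask 077; openssl genrsa -out "$dir/private.key" 2048 2>/dev/null ) || return 1
    openssl req -new -key "$dir/private.key" -out "$dir/server.csr" \
        -subj "/C=IN/O=Example/CN=$host" || return 1
    # By default x509 -req does not copy CSR extensions; -extfile supplies them.
    printf 'subjectAltName=DNS:%s\n' "$host" > "$dir/ext.cnf"
    openssl x509 -req -signkey "$dir/private.key" -in "$dir/server.csr" \
        -days 365 -sha256 -extfile "$dir/ext.cnf" -out "$dir/server.crt" 2>/dev/null
}

cert_version() {               # prints the X.509 version number (1 or 3)
    openssl x509 -in "$1" -noout -text | sed -n 's/^ *Version: \([0-9]*\).*/\1/p'
}

has_san() {                    # usage: has_san <cert> <hostname>
    openssl x509 -in "$1" -noout -text | grep -q "DNS:$2"
}

is_self_signed() {             # true when issuer DN equals subject DN
    s=$(openssl x509 -in "$1" -noout -subject -nameopt RFC2253) || return 1
    i=$(openssl x509 -in "$1" -noout -issuer -nameopt RFC2253) || return 1
    [ "${s#subject=}" = "${i#issuer=}" ]
}

key_matches_cert() {           # usage: key_matches_cert <key> <cert>
    [ "$(openssl pkey -in "$1" -pubout)" = "$(openssl x509 -in "$2" -noout -pubkey)" ]
}

# Demo run in a throwaway directory.
workdir=$(mktemp -d)
trap 'rm -rf "$workdir"' EXIT
make_selfsigned "$workdir" server.example.test || exit 1
crt=$workdir/server.crt
echo "X.509 version: $(cert_version "$crt")"
has_san "$crt" server.example.test && echo "SAN present"
is_self_signed "$crt" && echo "issuer == subject"
key_matches_cert "$workdir/private.key" "$crt" && echo "key matches certificate"
```

The key_matches_cert check is also useful before pointing a web server at a key and certificate pair, since a mismatch prevents the server from starting TLS.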
Conclusion
In this post, we explained how to generate a self-signed SSL certificate using the OpenSSL utility. You can now configure Apache or Nginx webserver to use it and secure the communication between the web server and client.