Server Security is very important and critical task of every system administrator. Security threats are very common in IT world. So It is importance that an administrator should employ some security on web servers to avoid security threats such as data theft etc. While connecting to any website over the internet, it is very important that your connections is secure.
To avoid such unencrypted data transfers, SSL certificates must be used. TLS (transport layer security) and its predecessor SSL (secure sockets layer) are the web protocols used to wrap normal traffic in a protected and encrypted wrapper. SSL is a protocol that is used to encrypt & secure our website traffic. SSL certificates are importance that now almost every web browsers show a warning if you are visiting a website that does not have a valid SSL certificate.
The SSL certificate that is used to secure the websites on the Public internet uses SSL certificates that are signed by Certification Authorities (CA) such as DigiCert, GeoTrust, Sectigo etc but they charge some fee annually. But there are some CAs like Let’s Encrypt which provide SSL certificate for free but for a few months duration. But we might not require any of these paid SSL certificates if we are working in testing environment or for development purposes. There we can only use self-signed SSL certificates.
In this tutorial, we will discuss how to generate a self-signed ssl certificate using openssl in Linux. So let’s get started.
What is Self-Signed SSL Certificate?
A self-signed SSL certificate is signed by the person who generated it rather than a trusted certificate authority. Self-signed certificates can have the same level of encryption as the trusted CA-signed SSL certificate but web browsers do not recognize the self-signed certificates as valid. While using a self-signed certificate, a warning appears to the visitor in the web browser which indicates that the website certificate cannot be verified.
Typically, the self-signed certificates are used in testing and development environment. It is not recommended that you use a self-signed certificate in production systems that are exposed to the Internet.
Creating a Self-Signed SSL certificate using openssl
For generating a self-signed certificate in Linux, you need to have a packages called openssl & mod_ssl installed on our system. Openssl is installed by default on all Linux distributions. You can check whether openssl is installed using openssl version command and install mod_ssl package with the following command.
$ openssl version OpenSSL 1.0.2k-fips 26 Jan 2017 $ yum install mod_ssl
Now we can create the SSL certificate using the openssl command mentioned below,
$ openssl req -x509 -nodes -newkey rsa:4096 -sha256 -days 365 -out ssl-example.crt -keyout ssl-example.key
Let’s describe the command mentioned above,
- – newkey rsa:4096 : It creates a new certificate request and 4096 bit RSA key. The default is 2048 bits.
- – x509 : it creates a X.509 Certificate.
- – sha256 : Use 256-bit SHA (Secure Hash Algorithm).
- – days 365 : The number of days to certify the certificate for 365 days ie. one year. You can use any positive integer.
- – nodes : Creates a key with no passphrase.
- – out : Specifies the location of the newly created certificate. Here ssl-example.crt is the certificate name.
- – keyout : Specifies the location of the newly created private key. Here ssl-example.key is the private key name.
Once you hit Enter, the command will generate private key and ask you a series of questions. The information you provided is used to generate the certificate.
$ ls ssl-example.crt ssl-example.key
In this guide, we have shown you how to generate a self-signed SSL certificate using the openssl tool in Linux box. We will be discussing how we can install an SSL certificate in our Nginx as well as Apache in our future tutorials.
Read Also : How to install Nginx Web Server on RHEL/CentOS