Faruque Ahmed : MCP, MCSA, MCSE, MCTS, MCIT, CCNA, OCA, OCP, GCP

SSL(Self Signed)

LL
Create SSL Certificate (Self Signed)

dnf -y install openssl cyrus* mod_ssl

[root@mail ~]# vi /etc/ssl/openssl.cnf# add to the end# section name is any name you like# DNS:(this server's hostname)# if you set multiple hostname ot domainname, set them with comma separated# ⇒ DNS:dlp.srv.world, DNS:www.srv.world[ mail.worldcm.net ]subjectAltName = DNS:mail.worldcm.net

[root@mail ~]# cd /etc/pki/tls/certs[root@dlp certs]# openssl genrsa -aes128 2048 > server.keyEnter PEM pass phrase: # set passphraseVerifying - Enter PEM pass phrase: # confirm

# remove passphrase from private key[root@mail]# openssl rsa -in server.key -out server.keyEnter pass phrase for server.key: # input passphrasewriting RSA key

[root@mail]# openssl req -utf8 -new -key server.key -out server.csr
Country Name (2 letter code) [XX]: BDState or Province Name (full name) []: DhakaLocality Name (eg, city) [Default City]: DhakaOrganization Name (eg, company) [Default Company Ltd]: World Communication Network Ltd.Organizational Unit Name (eg, section) []: worldcm.netCommon Name (eg, your name or your server's hostname) []: mail.worldcm.netEmail Address []: root@worldcm.netPlease enter the following 'extra' attributes to be sent with your certificate request A challenge password []: world1234 An optional company name []: worldcm

create certificate with 10 years expiration date# -extensions (section name) ⇒ the section name you set in [openssl.cnf][root@dlp certs]# openssl x509 -in server.csr -out server.crt -req -signkey server.key -extfile /etc/ssl/openssl.cnf -extensions mail.worldcm.net -days 3650[root@dlp certs]# chmod 600 server.key[root@dlp certs]# ll server.*-rw-r--r--. 1 root root 1334 Jan 18 19:08 server.crt-rw-r--r--. 1 root root 1062 Jan 18 19:06 server.csr-rw-------. 1 root root 1704 Jan 18 19:06 server.key

[root@mail ~]# vi /etc/dovecot/conf.d/10-ssl.conf# line 8: change ssl = yes# line 14,15: specify certificates#ssl_cert = </etc/pki/dovecot/certs/dovecot.pem#ssl_key = </etc/pki/dovecot/private/dovecot.pem OR ssl_cert = </etc/pki/tls/certs/server.crt ssl_key = </etc/pki/tls/certs/server.key

# vi /etc/postfix/main.cf

##SASLsmtpd_sasl_auth_enable = yessmtpd_sasl_type = dovecotsmtpd_sasl_path = private/authsmtpd_sasl_security_options = noanonymousbroken_sasl_auth_clients = yessmtpd_sasl_authenticated_header = yes
##SSLsmtpd_use_tls = yessmtpd_tls_cert_file = /etc/pki/tls/certs/server.crtsmtpd_tls_key_file = /etc/pki/tls/certs/server.keysmtpd_tls_session_cache_database = btree:/var/lib/postfix/smtpd_scache

# vi /etc/postfix/master.cf

smtp inet n - n - - smtpd -o content_filter=spamassassin#smtp inet n - n - 1 postscreen#smtpd pass - - n - - smtpd#dnsblog unix - - n - 0 dnsblog#tlsproxy unix - - n - 0 tlsproxysubmission inet n - n - - smtpd -o syslog_name=postfix/submission -o smtpd_tls_security_level=encrypt -o smtpd_sasl_auth_enable=yes -o smtpd_tls_auth_only=yes -o smtpd_reject_unlisted_recipient=no -o smtpd_client_restrictions=$mua_client_restrictions# -o smtpd_helo_restrictions=$mua_helo_restrictions# -o smtpd_sender_restrictions=$mua_sender_restrictions# -o smtpd_recipient_restrictions= -o smtpd_relay_restrictions=permit_sasl_authenticated,reject -o milter_macro_daemon_name=ORIGINATINGsmtps inet n - n - - smtpd -o syslog_name=postfix/smtps -o smtpd_tls_wrappermode=yes -o smtpd_sasl_auth_enable=yes -o smtpd_reject_unlisted_recipient=no -o smtpd_client_restrictions=$mua_client_restrictions# -o smtpd_helo_restrictions=$mua_helo_restrictions# -o smtpd_sender_restrictions=$mua_sender_restrictions# -o smtpd_recipient_restrictions= -o smtpd_relay_restrictions=permit_sasl_authenticated,reject -o milter_macro_daemon_name=ORIGINATING#628 inet n - n - - qmqpd

---------------------------------------------------------------------

systemctl enable saslauthd systemctl restart saslauthd systemctl restart postfix systemctl restart dovecot

-----------------------------------------------xxx--------------------------------------------------

Steps

Generate a private key for the CA (Certificate Authority).
Generate a certificate signing request for the CA.
Generate a root certificate.
Create a private key for the certificate.
Create a certificate signing request.
Create a certificate and sign it with the CA private key.
Installing the SSL certificate.

# openssl ecparam -out server.key -name prime256v1 -genkey# openssl req -new -sha256 -key server.key -out server.csr

The above command will ask for the below information if needed you can provide them or you can just hit enter and skip them but it is recommended to give the meaningful details.
- Country Name.
- State Name.
- Organization.
- Comman name (Leave this as blank or provide the company domain not the faveo domain)
- Email address.
The above command will save a file in the name faveoroot.csr in the SSL directory.

# openssl x509 -req -sha256 -days 3650 -in server.csr -signkey server.key -out serverCA.crt# openssl ecparam -out private.key -name prime256v1 -genkey# openssl req -new -sha256 -key private.key -out serverlocal.csr

It will ask for the details as below we should give the details as shown below.
- Country Name.
- State Name.
- Organization.
- Common name (Here please provide the Domain or the IP through which you need to access faveo)).
- Email address.
The rest can be left blank and after this is completed it will create the CSR file and save it with the name faveolocal.csr in the SSL directory.

# openssl x509 -req -in serverlocal.csr -CA serverCA.crt -CAkey server.key -CAcreateserial -out serverlocal.crt -days 3650 -sha256
# dnf install mod_ssl# systemctl restart httpd

# cp serverlocal.crt /etc/pki/tls/certs# cp private.key /etc/pki/tls/private# cp serverCA.crt /etc/pki/ca-trust/source/anchors/

Then adding the Virtual host file, for that we need to create a file in webserver directory as /etc/httpd/conf.d/server-ssl.conf.

<IfModule mod_ssl.c>        <VirtualHost *:443>                ServerAdmin ---DomainName or IP---
                DocumentRoot /var/www/server/public
                ErrorLog ${APACHE_LOG_DIR}/error.log                CustomLog ${APACHE_LOG_DIR}/access.log combined
                SSLEngine on
                SSLCertificateFile /etc/pki/tls/certs/serverlocal.crt                SSLCertificateKeyFile /etc/pki/tls/private/private.key
                <FilesMatch "\.(cgi|shtml|phtml|php)$">                                SSLOptions +StdEnvVars                </FilesMatch>                <Directory /usr/lib/cgi-bin>                                SSLOptions +StdEnvVars                </Directory>
        </VirtualHost></IfModule>

After Creating the Virtual Host file we need to add the local host for the domain.

# update-ca-trust extract
# vi /etc/hosts127.0.0.1 ---Domain or IP---

After the above is done then we need to add the the ca-cert file path to the php.ini file add the path to the openssl.cafile like this : “openssl.cafile = “/etc/pki/tls/certs/ca-bundle.crt”

Self-Signed SSL Certificate on AlmaLinux

Install OpenSSL (if not already installed)

OpenSSL is a robust tool for managing SSL/TLS certificates. Verify whether it is installed on your system:

openssl version

If OpenSSL is not installed, install it using the following command:

dnf install openssl -y

Step 2: Create a Directory for SSL Certificates

It’s good practice to organize your SSL certificates in a dedicated directory. Create one if it doesn’t exist:

mkdir -p /etc/ssl/self-signed

Navigate to the directory:

cd /etc/ssl/self-signed

Step 3: Generate a Private Key

The private key is a crucial component of an SSL certificate. It should be kept confidential to maintain security. Run the following command to generate a 2048-bit RSA private key:

openssl genrsa -out private.key 2048

This will create a file named private.key in the current directory.

For enhanced security, consider generating a 4096-bit key:

openssl genrsa -out private.key 4096

Step 4: Create a Certificate Signing Request (CSR)

A CSR contains information about your organization and domain. Run the following command:

openssl req -new -key private.key -out certificate.csr

You will be prompted to enter details such as:

Country Name (e.g., US)
State or Province Name (e.g., California)
Locality Name (e.g., San Francisco)
Organization Name (e.g., MyCompany)
Organizational Unit Name (e.g., IT Department)
Common Name (e.g., example.com or *.example.com for a wildcard certificate)
Email Address (optional)

Ensure the Common Name matches your domain or IP address.

Step 5: Generate the Self-Signed Certificate

Once the CSR is created, you can generate a self-signed certificate:

openssl x509 -req -days 365 -in certificate.csr -signkey private.key -out certificate.crt

Here:

-days 365 specifies the validity of the certificate (1 year). Adjust as needed.
certificate.crt is the output file containing the self-signed certificate.

Step 6: Verify the Certificate

To ensure the certificate was created successfully, inspect its details:

openssl x509 -in certificate.crt -text -noout

This command displays details such as the validity period, issuer, and subject.

Step 7: Configure Applications to Use the Certificate

After generating the certificate and private key, configure your applications or web server (e.g., Apache, Nginx) to use them.

For Apache

Edit your site’s configuration file (e.g., /etc/httpd/conf.d/ssl.conf or a virtual host file).

sudo nano /etc/httpd/conf.d/ssl.conf

Copy
Update the SSLCertificateFile and SSLCertificateKeyFile directives:

SSLCertificateFile /etc/ssl/self-signed/certificate.crtSSLCertificateKeyFile /etc/ssl/self-signed/private.key

Copy
Restart Apache:

sudo systemctl restart httpd

Copy

For Nginx

Edit your site’s server block file (e.g., /etc/nginx/conf.d/your_site.conf).

sudo nano /etc/nginx/conf.d/your_site.conf

Copy
Update the ssl_certificate and ssl_certificate_key directives:

ssl_certificate /etc/ssl/self-signed/certificate.crt;ssl_certificate_key /etc/ssl/self-signed/private.key;

Copy
Restart Nginx:

sudo systemctl restart nginx

Copy

Step 8: Test the SSL Configuration

Use tools like curl or a web browser to verify your application is accessible via HTTPS:

curl -k https://your_domain_or_ip

Copy

The -k option bypasses certificate verification, which is expected for self-signed certificates.

Optional - Automating Certificate Renewal

# cd /etc/ssl/self-signed/

[root@mail self-signed]# openssl x509 -req -days 365 -in certificate.csr -signkey private.key -out certificate.crt

Certificate request self-signature ok

subject=C=BD, ST=Dhaka, L=Dhaka, O=World Group Limited, OU=worldcm.net, CN=mail.worldcm.net, emailAddress=root@worldcm.net

Since self-signed certificates have a fixed validity, automate renewal by scheduling a script with cron. For example:

Create a script:

# vi /usr/local/bin/renew_self_signed_ssl.sh

Add the following content:

#
#!/bin/bashopenssl req -new -key /etc/ssl/self-signed/private.key -out /etc/ssl/self-signed/certificate.csr -subj "/C=BD/ST=Dhaka/L=Dhaka/O=World CM Ltd/OU=worldcm.net/CN=mail.worldcm.net"openssl x509 -req -days 365 -in /etc/ssl/self-signed/certificate.csr -signkey /etc/ssl/self-signed/private.key -out /etc/ssl/self-signed/certificate.crtsystemctl reload nginx

Make it executable:

chmod +x /usr/local/bin/renew_self_signed_ssl.sh

Schedule it in crontab:

crontab -e

Add an entry to run the script annually:

0 0 1 1 * /usr/local/bin/renew_self_signed_ssl.sh

Page updated

Google Sites

Report abuse