Create SSL Certificate (Self Signed)

# dnf -y install openssl cyrus* mod_ssl

[root@mail ~]# vi /etc/ssl/openssl.cnf
# add to the end
# section name is any name you like
# DNS:(this server's hostname)
# if you set multiple hostnames or domain names, set them comma separated
# ⇒ DNS:dlp.srv.world, DNS:www.srv.world
[ mail.worldcm.net ]
subjectAltName = DNS:mail.worldcm.net

[root@mail ~]# cd /etc/pki/tls/certs
[root@dlp certs]# openssl genrsa -aes128 2048 > server.key
Enter PEM pass phrase:                 # set passphrase
Verifying - Enter PEM pass phrase:     # confirm

# remove passphrase from private key
[root@mail]# openssl rsa -in server.key -out server.key
Enter pass phrase for server.key:      # input passphrase
writing RSA key

[root@mail]# openssl req -utf8 -new -key server.key -out server.csr
Country Name (2 letter code) [XX]: BD
State or Province Name (full name) []: Dhaka
Locality Name (eg, city) [Default City]: Dhaka
Organization Name (eg, company) [Default Company Ltd]: World Communication Network Ltd.
Organizational Unit Name (eg, section) []: worldcm.net
Common Name (eg, your name or your server's hostname) []: mail.worldcm.net
Email Address []: root@worldcm.net

Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []: world1234
An optional company name []: worldcm

# create certificate with 10 years expiration date
# -extensions (section name) ⇒ the section name you set in [openssl.cnf]
[root@dlp certs]# openssl x509 -in server.csr -out server.crt -req -signkey server.key -extfile /etc/ssl/openssl.cnf -extensions mail.worldcm.net -days 3650
[root@dlp certs]# chmod 600 server.key
[root@dlp certs]# ll server.*
-rw-r--r--. 1 root root 1334 Jan 18 19:08 server.crt
-rw-r--r--. 1 root root 1062 Jan 18 19:06 server.csr
-rw-------. 1 root root 1704 Jan 18 19:06 server.key

[root@mail ~]# vi /etc/dovecot/conf.d/10-ssl.conf
# line 8: change
ssl = yes
# line 14,15: specify certificates (replace the defaults)
#ssl_cert = </etc/pki/dovecot/certs/dovecot.pem
#ssl_key = </etc/pki/dovecot/private/dovecot.pem
ssl_cert = </etc/pki/tls/certs/server.crt
ssl_key = </etc/pki/tls/certs/server.key

# vi /etc/postfix/main.cf
##SASL
smtpd_sasl_auth_enable = yes
smtpd_sasl_type = dovecot
smtpd_sasl_path = private/auth
smtpd_sasl_security_options = noanonymous
broken_sasl_auth_clients = yes
smtpd_sasl_authenticated_header = yes
##SSL
smtpd_use_tls = yes
smtpd_tls_cert_file = /etc/pki/tls/certs/server.crt
smtpd_tls_key_file = /etc/pki/tls/certs/server.key
smtpd_tls_session_cache_database = btree:/var/lib/postfix/smtpd_scache

# vi /etc/postfix/master.cf
smtp       inet  n       -       n       -       -       smtpd
  -o content_filter=spamassassin
#smtp      inet  n       -       n       -       1       postscreen
#smtpd     pass  -       -       n       -       -       smtpd
#dnsblog   unix  -       -       n       -       0       dnsblog
#tlsproxy  unix  -       -       n       -       0       tlsproxy
submission inet  n       -       n       -       -       smtpd
  -o syslog_name=postfix/submission
  -o smtpd_tls_security_level=encrypt
  -o smtpd_sasl_auth_enable=yes
  -o smtpd_tls_auth_only=yes
  -o smtpd_reject_unlisted_recipient=no
  -o smtpd_client_restrictions=$mua_client_restrictions
#  -o smtpd_helo_restrictions=$mua_helo_restrictions
#  -o smtpd_sender_restrictions=$mua_sender_restrictions
#  -o smtpd_recipient_restrictions=
  -o smtpd_relay_restrictions=permit_sasl_authenticated,reject
  -o milter_macro_daemon_name=ORIGINATING
smtps      inet  n       -       n       -       -       smtpd
  -o syslog_name=postfix/smtps
  -o smtpd_tls_wrappermode=yes
  -o smtpd_sasl_auth_enable=yes
  -o smtpd_reject_unlisted_recipient=no
  -o smtpd_client_restrictions=$mua_client_restrictions
#  -o smtpd_helo_restrictions=$mua_helo_restrictions
#  -o smtpd_sender_restrictions=$mua_sender_restrictions
#  -o smtpd_recipient_restrictions=
  -o smtpd_relay_restrictions=permit_sasl_authenticated,reject
  -o milter_macro_daemon_name=ORIGINATING
#628       inet  n       -       n       -       -       qmqpd

# systemctl enable saslauthd
# systemctl restart saslauthd
# systemctl restart postfix
# systemctl restart dovecot

-----------------------------------------------xxx---------------------------------------------------

- Generate a private key for the CA (Certificate Authority).
- Generate a certificate signing request for the CA.
- Generate a root certificate.
- Create a private key for the certificate.
- Create a certificate signing request.
- Create a certificate and sign it with the CA private key.
- Installing the SSL certificate.
# openssl ecparam -out server.key -name prime256v1 -genkey
# openssl req -new -sha256 -key server.key -out server.csr
- The above command will ask for the information below. You can provide it or just hit Enter to skip each item, but it is recommended to give meaningful details.
- Country Name.
- State Name.
- Organization.
- Common name (leave this blank or provide the company domain, not the faveo domain).
- Email address.
- The above command will save a file named faveoroot.csr in the SSL directory.
# openssl x509 -req -sha256 -days 3650 -in server.csr -signkey server.key -out serverCA.crt
# openssl ecparam -out private.key -name prime256v1 -genkey
# openssl req -new -sha256 -key private.key -out serverlocal.csr
- It will ask for the details below; give them as shown.
- Country Name.
- State Name.
- Organization.
- Common name (here please provide the domain or the IP through which you need to access faveo).
- Email address.
- The rest can be left blank. After this is completed it will create the CSR file and save it with the name faveolocal.csr in the SSL directory.
# openssl x509 -req -in serverlocal.csr -CA serverCA.crt -CAkey server.key -CAcreateserial -out serverlocal.crt -days 3650 -sha256
# dnf install mod_ssl
# systemctl restart httpd
# cp serverlocal.crt /etc/pki/tls/certs
# cp private.key /etc/pki/tls/private
# cp serverCA.crt /etc/pki/ca-trust/source/anchors/

<IfModule mod_ssl.c>
  <VirtualHost *:443>
    ServerAdmin ---DomainName or IP---
    DocumentRoot /var/www/server/public
    # APACHE_LOG_DIR is a Debian variable and is undefined on AlmaLinux httpd;
    # use the absolute log paths instead
    ErrorLog /var/log/httpd/error.log
    CustomLog /var/log/httpd/access.log combined
    SSLEngine on
    SSLCertificateFile /etc/pki/tls/certs/serverlocal.crt
    SSLCertificateKeyFile /etc/pki/tls/private/private.key
    <FilesMatch "\.(cgi|shtml|phtml|php)$">
      SSLOptions +StdEnvVars
    </FilesMatch>
    <Directory /usr/lib/cgi-bin>
      SSLOptions +StdEnvVars
    </Directory>
  </VirtualHost>
</IfModule>

After creating the virtual host file we need to add the local host entry for the domain.
# update-ca-trust extract
# vi /etc/hosts
127.0.0.1 ---Domain or IP---

Self-Signed SSL Certificate on AlmaLinux
Step 1: Install OpenSSL (if not already installed)
OpenSSL is a robust tool for managing SSL/TLS certificates. Verify whether it is installed on your system:
openssl version
If OpenSSL is not installed, install it using the following command:
dnf install openssl -y
Step 2: Create a Directory for SSL Certificates
It’s good practice to organize your SSL certificates in a dedicated directory. Create one if it doesn’t exist:
mkdir -p /etc/ssl/self-signed
Navigate to the directory:
cd /etc/ssl/self-signed
Step 3: Generate a Private Key
The private key is a crucial component of an SSL certificate. It should be kept confidential to maintain security. Run the following command to generate a 2048-bit RSA private key:
openssl genrsa -out private.key 2048
This will create a file named private.key in the current directory.
For enhanced security, consider generating a 4096-bit key:
openssl genrsa -out private.key 4096
Step 4: Create a Certificate Signing Request (CSR)
A CSR contains information about your organization and domain. Run the following command:
openssl req -new -key private.key -out certificate.csr
You will be prompted to enter details such as:
Country Name (e.g., US)
State or Province Name (e.g., California)
Locality Name (e.g., San Francisco)
Organization Name (e.g., MyCompany)
Organizational Unit Name (e.g., IT Department)
Common Name (e.g., example.com or *.example.com for a wildcard certificate)
Email Address (optional)
Ensure the Common Name matches your domain or IP address.
Step 5: Generate the Self-Signed Certificate
Once the CSR is created, you can generate a self-signed certificate:
openssl x509 -req -days 365 -in certificate.csr -signkey private.key -out certificate.crt
Here, -req tells openssl x509 to read a CSR as input, -days 365 sets the validity to one year, and -signkey private.key signs the certificate with the same key that made the request, which is what makes it self-signed.
Step 6: Verify the Certificate
To ensure the certificate was created successfully, inspect its details:
openssl x509 -in certificate.crt -text -noout
This command displays details such as the validity period, issuer, and subject.
Step 7: Configure Applications to Use the Certificate
After generating the certificate and private key, configure your applications or web server (e.g., Apache, Nginx) to use them.
For Apache
Edit your site’s configuration file (e.g., /etc/httpd/conf.d/ssl.conf or a virtual host file).
sudo nano /etc/httpd/conf.d/ssl.conf
Update the SSLCertificateFile and SSLCertificateKeyFile directives:
SSLCertificateFile /etc/ssl/self-signed/certificate.crt
SSLCertificateKeyFile /etc/ssl/self-signed/private.key
Restart Apache:
sudo systemctl restart httpd
For Nginx
Edit your site’s server block file (e.g., /etc/nginx/conf.d/your_site.conf).
sudo nano /etc/nginx/conf.d/your_site.conf
Update the ssl_certificate and ssl_certificate_key directives:
ssl_certificate /etc/ssl/self-signed/certificate.crt;
ssl_certificate_key /etc/ssl/self-signed/private.key;
Restart Nginx:
sudo systemctl restart nginx
Step 8: Test the SSL Configuration
Use tools like curl or a web browser to verify your application is accessible via HTTPS:
curl -k https://your_domain_or_ip
The -k option bypasses certificate verification, which is expected for self-signed certificates.
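The three certificate recipes on this page (the extensions-section approach of the first section, the CA-signed chain for Apache, and Steps 3 to 6 above) can be exercised end to end with the following script. It is an added example, not code from the page: it builds a private CA with a P-256 key, issues a server certificate whose subjectAltName comes from an -extfile section (the only way the SAN reaches the signed certificate when signing with openssl x509 -req), and then checks the chain and hostname with openssl verify. Directory, hostnames and the section names v3_ca and v3_server are assumptions.

```shell
#!/bin/sh
# Added example, not from the page: private CA plus a SAN-bearing server cert,
# then a chain and hostname check. All paths and names are assumptions.
set -eu
# write_cnf DIR HOST: minimal OpenSSL config holding the extension sections we need
write_cnf() {
  cat > "$1/local.cnf" <<EOF
[req]
distinguished_name = dn
prompt = no
[dn]
CN = placeholder
[v3_ca]
basicConstraints = critical, CA:TRUE, pathlen:0
keyUsage = critical, keyCertSign, cRLSign
subjectKeyIdentifier = hash
[v3_server]
basicConstraints = CA:FALSE
keyUsage = critical, digitalSignature, keyEncipherment
extendedKeyUsage = serverAuth
subjectAltName = DNS:$2
EOF
}
# make_ca DIR: P-256 CA key (created unreadable to other users) and a 10-year root
make_ca() {
  (umask 077; openssl ecparam -name prime256v1 -genkey -noout -out "$1/ca.key")
  openssl req -new -x509 -sha256 -days 3650 -key "$1/ca.key" -subj "/CN=Example Local CA" \
    -config "$1/local.cnf" -extensions v3_ca -out "$1/ca.crt"
}
# make_server_cert DIR HOST: key, CSR, then a CA-signed cert carrying the SAN
make_server_cert() {
  (umask 077; openssl ecparam -name prime256v1 -genkey -noout -out "$1/server.key")
  openssl req -new -sha256 -key "$1/server.key" -subj "/CN=$2" -config "$1/local.cnf" -out "$1/server.csr"
  # -extfile/-extensions is what puts the SAN into the signed cert; a plain
  # "x509 -req -CA ..." leaves it out, and CN-only certs are refused by browsers
  openssl x509 -req -sha256 -days 825 -in "$1/server.csr" -CA "$1/ca.crt" -CAkey "$1/ca.key" \
    -CAcreateserial -extfile "$1/local.cnf" -extensions v3_server -out "$1/server.crt"
}
# verify_chain DIR HOST: exit 0 only if server.crt chains to ca.crt and names HOST
verify_chain() {
  openssl verify -CAfile "$1/ca.crt" -verify_hostname "$2" "$1/server.crt" >/dev/null 2>&1
}
# build_demo DIR HOST: run the whole procedure into DIR
build_demo() { mkdir -p "$1"; write_cnf "$1" "$2"; make_ca "$1"; make_server_cert "$1" "$2"; }
```

With ca.crt copied to /etc/pki/ca-trust/source/anchors/ and update-ca-trust run, curl no longer needs -k for that host.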
Optional - Automating Certificate Renewal
# cd /etc/ssl/self-signed/
[root@mail self-signed]# openssl x509 -req -days 365 -in certificate.csr -signkey private.key -out certificate.crt
Certificate request self-signature ok
subject=C=BD, ST=Dhaka, L=Dhaka, O=World Group Limited, OU=worldcm.net, CN=mail.worldcm.net, emailAddress=root@worldcm.net
Since self-signed certificates have a fixed validity, automate renewal by scheduling a script with cron. For example:
Create a script:
# vi /usr/local/bin/renew_self_signed_ssl.sh
Add the following content:
#!/bin/bash
set -e   # stop before reloading nginx if either openssl step fails
openssl req -new -key /etc/ssl/self-signed/private.key -out /etc/ssl/self-signed/certificate.csr -subj "/C=BD/ST=Dhaka/L=Dhaka/O=World CM Ltd/OU=worldcm.net/CN=mail.worldcm.net"
openssl x509 -req -days 365 -in /etc/ssl/self-signed/certificate.csr -signkey /etc/ssl/self-signed/private.key -out /etc/ssl/self-signed/certificate.crt
systemctl reload nginx
- Make it executable:
chmod +x /usr/local/bin/renew_self_signed_ssl.sh
Schedule it in crontab:
crontab -e
Add an entry to run the script annually:
0 0 1 1 * /usr/local/bin/renew_self_signed_ssl.sh
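The cron script above writes certificate.crt in place and reloads nginx unconditionally, so a failed openssl run can leave the server with a truncated or mismatched certificate. The following is an added example, not the page's script: it only renews when the certificate is inside its expiry window (openssl x509 -checkend), issues into a temporary file, checks that the result parses, matches private.key and carries a subjectAltName, swaps it in atomically, and reloads nginx only after nginx -t passes. Directory, hostname, subject and the function names are assumptions.

```shell
#!/bin/sh
# Added example, not from the page: a hardened take on the renewal script above.
# Issue into a temp file, check it, swap it in atomically, reload only if the
# config test passes. Paths, hostname and subject are assumptions.
set -eu
# needs_renewal CRT SECONDS: exit 0 if CRT is missing or expires within SECONDS
needs_renewal() {
  openssl x509 -in "$1" -noout -checkend "$2" >/dev/null 2>&1 && return 1
  return 0
}
# issue_cert KEY OUT HOST DAYS: self-signed cert with a SAN (a CN alone is not enough)
issue_cert() {
  openssl req -x509 -new -sha256 -key "$1" -days "$4" -subj "/C=XX/O=Example Org/CN=$3" \
    -addext "subjectAltName=DNS:$3" -out "$2" 2>/dev/null
}
# renew_cert DIR HOST DAYS: replace DIR/certificate.crt only if the new cert checks out
renew_cert() {
  tmp=$(mktemp "$1/certificate.crt.XXXXXX")
  issue_cert "$1/private.key" "$tmp" "$2" "$3"
  # the new cert must parse, belong to our private key and carry the SAN
  openssl x509 -in "$tmp" -noout >/dev/null
  [ "$(openssl x509 -in "$tmp" -noout -pubkey)" = "$(openssl pkey -in "$1/private.key" -pubout)" ]
  openssl x509 -in "$tmp" -noout -text | grep -q "DNS:$2"
  chmod 644 "$tmp"
  mv -f "$tmp" "$1/certificate.crt"   # atomic: readers see the old or the new file, never a partial one
}
# reload_web: reload nginx only when it is installed and its config still parses
reload_web() {
  command -v nginx >/dev/null 2>&1 || return 0
  nginx -t >/dev/null 2>&1 && systemctl reload nginx
}
# main DIR HOST: cron entry point, e.g. "0 3 * * * renew.sh /etc/ssl/self-signed mail.worldcm.net"
main() {
  needs_renewal "$1/certificate.crt" $((30 * 24 * 3600)) || { echo "not due"; return 0; }
  renew_cert "$1" "$2" 365
  reload_web
}
if [ $# -ge 2 ]; then main "$1" "$2"; fi
```

Because it checks expiry itself, the cron entry can run daily instead of once a year, so a missed run or a reboot at the wrong time does not leave the service with an expired certificate.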