Table of Contents

Introduction

Generating a Certificate Signing Request (CSR) for Secure Sockets Layer (SSL) Certificate in Linux are common on most of the Linux distributions. In case if we need a certificate for Apache service facing internet or an Internal FTP server in your organization required a secure file transfer by eliminating plain text transfer on your network. In the first place, we can’t ignore using SSL certificate since let’s encrypt made it available for free.

A Collaborative Project from Linux Foundation provided letsencrypt.org for free of cost, This can be used for any type of websites or in any place where you required to encrypt the communications. To create an SSL certificate first we need to generate a CSR file and submit with the certificate authority.

There are two types of certificates they are Self Signed Certificate and CA Authorized Certificate.

Self Signed Certificate

A self-signed certificate is one signed with its own private key because we don’t have a plan to signed by a CA.
Self-signed certificates are valid for 1 year we need to renew once it about to expire.
A local certificate authority server in your environment will help to create an SSL certificate to use with in the organization.
Can be used for any locally deployed applications and FTP servers etc.

Certificate Authorized CA

A trusted third party entity that issues digital certificates.
It Can be used on internet-facing servers for data encryption, Example website using HTTPS.
The validity period of the certificate depends on the plan we are choosing.
Required domain validation to issue any CA certificates.

Generate a Certificate Signing Request (CSR)

Navigate to below location. In case if you are creating for web server create a directory in any name location you wish.

# cd /etc/pki/tls/certs

Start to generate CSR by running OpenSSL command with options and arguments.

# openssl req -new -newkey rsa:2048 -nodes -keyout domain_name.com.key -out domain_name.com.csr

OPTIONS AND DESCRIPTIONS AS FOLLOWS

Options	Description
-new	New request
-newkey rsa:2048	To create a RSA key and certificate in one go with 2048 bit.
-nodes	Don’t encrypt the output key
-keyout outfile	File to send the key to domain_name.com.key
-days +int	Number of days cert is valid for
-out	Output file

Running the above command using interactive mode without manual intervention.

# openssl req -nodes -newkey rsa:2048 -keyout domain_name.com.key -out domain_name.com.csr -subj "/C=IN/ST=TamilNadu/L=Chennai/O=Linux Sysadmins/OU=IT/CN=linuxsysadmins.local/Street=Chennai 01"

In the above step we used “-nodes” which will not encrypt the output key. If you have not used the -nodes option we need to follow with below steps to remove the passphrase from the key file.

Removing Passphrase from the Key file

Removing Passphrase from the Key file, Make sure to back up the original file before making any changes.

# sudo cp -v /etc/pki/tls/certs/domain_name.com.{key,original}

Remove the passphrase from key-file and save the output in a new file.

# sudo openssl rsa -in /etc/pki/tls/certs/domain_name.com.original -out /etc/pki/tls/certs/domain_name.com.key

Once we removed the passphrase validate the new file and remove the backup file.

# sudo rm -v /etc/pki/tls/certs/domain_name.com.original

If you need to sign with a CA (Verisign)we need to submit above CSR with some providers to get the.CRT file in emails. If not and only you required inside your organization then follow with below steps.

Creating the “.crt” Certificate file

# sudo openssl x509 -req -days 365 -in /etc/pki/tls/certs/domain_name.com.csr -signkey /etc/pki/tls/certs/domain_name.com.key -out /etc/pki/tls/certs/domain_name.com.crt

OPTIONS AND DESCRIPTIONS AS FOLLOWS

Options	Description
X.509	Certificate Data Management.
-req	PKCS#10 X.509 Certificate Signing Request (CSR) Management.
-days	How long the certificate needs to be valid.
-in	Input file of csr
-signkey	self sign certificate key file
-out	Output of the final SSL certificate

Removing the CSR file

Now it’s time to remove the.CSR file. It’s safe to remove the.CSR after done with all above steps. Hereafter we required only “.CRT” and key files.

# sudo rm -v /etc/pki/tls/certs/domain_name.com.csr

Restrict permission for SSL Certificate:

Change the permission of SSL certificate to the only read and write by the root user.

# sudo chmod 600 /etc/pki/tls/certs/domain_name.com.crt.*

That’s it we have generated with a CSR file and submitted to CA for getting our SSL certificate.

Conclusion

To have secure communication between web server and visitors is most important by implementing an SSL certificate. We have gone through two types of certificates if you have any concern to add few points those are most welcome. Subscribe to our newsletter and stay with us.

jos on How to Configure Sudo email alertMarch 4, 2022
Hi! Some way to send commands write as root by email? Thanks!
paul on Monitoring Proxmox with InfluxDB and Grafana in 4 Easy stepsMarch 1, 2022
Tried 12966 per your example, got error "failed to import dashboard."
Anonymous on Migrate existing Iptables to Nftables in RHEL8/CentOSFebruary 27, 2022
I followed the procedures and successfully loaded some weird 8081 port configurations needed for the app, however I discovered it…
sy on Install Ansible AWX on Kubernetes in 5 minutesFebruary 17, 2022
tried many times - followed all steps but was unable to setup custom context I always get -> The connection…
Faraz Ahmed on Prometheus with Grafana for Linux server monitoring in 5 easy stepsFebruary 7, 2022
Hello Babin Lonston, Your tutorial is very helpful to me to Install the prometheus and nodeexporter on the server. Can…