First off, if you are designing a website for a client or your department that will be accessed by the public, please, please do not use the self-signed certificate method I'm about to talk about. By nature self-signed certificates cannot be revoked, so if your private key is compromised an attacker can impersonate your server until the certificate expires, and there is nothing you can revoke to stop it. I only use these for my development platforms that run on VMs or in my home network. At present I am solely running RHEL and CentOS at home and at work, but the following should also work in other Linux environments; I don't see how it couldn't.
Before you can start this process you need the crypto-utils package installed on the system that will generate the certificate. Run the following command as root.
yum install crypto-utils
Once the installation has completed you can easily generate a self-signed certificate using the genkey wizard.
Now you can run the genkey command to create your self-signed certificate. The following options are available to you:
- --test Test mode, skip random data creation, overwrite existing key
- --genreq Just generate a CSR from an existing key
- --makeca Generate a private CA key instead
- --days Days until expiry of self-signed certificate (default 30)
I generally run my certificates for 180 days before I renew them:
genkey myhost.local --days 180
The system takes you through a guided setup (some of the steps are shown left; it's like a flashback to the 90s…). Please note the location of the keys, since you will need them when you set up the SSL configuration for Apache or another service. Since this is not intended for the public I go with the default 1024-bit key size, and I do not send a Certificate Signing Request to a Certificate Authority. If you are as anal-retentive as I am you will fill out the contact information, but you can leave it as is (this is what is displayed when you view the certificate). To save some aches when you are restarting the service or server, do not encrypt the private key.
That is it… you have now created your self-signed certificate.
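Because nothing can revoke the result, the only controls left are key size, expiry and how the key file is handled. As an added example that is not part of the original post, this POSIX shell function uses the openssl CLI (assumed to be installed) to audit a certificate/key pair of the kind genkey writes out: it confirms the certificate is self-signed, checks that the key matches it, flags a key below a minimum size or a certificate expiring within a threshold, and reports whether the key is encrypted. File paths and thresholds are arguments; no real host names or paths are assumed.

```shell
# Added example: audit a self-signed certificate/key pair of the kind genkey produces.
# Assumes the openssl CLI is installed; CERT and KEY are paths to PEM files.
# Usage: audit_selfsigned CERT KEY [MIN_BITS] [MIN_DAYS]
# Prints one finding per line; the return value is the number of failed checks.
audit_selfsigned() {
  cert=$1 key=$2 min_bits=${3:-2048} min_days=${4:-30} fails=0

  # A self-signed certificate has issuer == subject and no CA behind it,
  # so no CRL or OCSP responder exists that could ever revoke it.
  subj=$(openssl x509 -in "$cert" -noout -subject)
  iss=$(openssl x509 -in "$cert" -noout -issuer)
  if [ "${subj#subject=}" = "${iss#issuer=}" ]; then
    echo "self-signed: yes (issuer == subject; revocation impossible, replace the file to rotate)"
  else
    echo "self-signed: no (issuer differs from subject)"
  fi

  # An unencrypted key lets the service restart unattended, so the file mode is
  # its only protection. Only an unencrypted key can be compared without a passphrase.
  if grep -q ENCRYPTED "$key"; then
    echo "key encrypted: yes (restarts will prompt for the passphrase; key match not checked)"
  else
    echo "key encrypted: no (mode $(ls -l "$key" | cut -c1-10) is its only protection)"
    cert_pub=$(openssl x509 -in "$cert" -noout -pubkey)
    key_pub=$(openssl pkey -in "$key" -pubout 2>/dev/null)
    if [ -n "$key_pub" ] && [ "$cert_pub" = "$key_pub" ]; then
      echo "key matches certificate: yes"
    else
      echo "key matches certificate: NO (wrong key file?)"; fails=$((fails + 1))
    fi
  fi

  # genkey defaults to 1024-bit RSA; anything below MIN_BITS is flagged.
  bits=$(openssl x509 -in "$cert" -noout -text | sed -n 's/.*Public-Key: (\([0-9]*\) bit).*/\1/p')
  if [ "${bits:-0}" -ge "$min_bits" ]; then
    echo "key size: $bits bits"
  else
    echo "key size: ${bits:-unknown} bits (below $min_bits)"; fails=$((fails + 1))
  fi

  # -checkend takes seconds: fail if the certificate expires within MIN_DAYS.
  if openssl x509 -in "$cert" -noout -checkend $((min_days * 86400)) >/dev/null; then
    echo "expiry: more than $min_days days left"
  else
    echo "expiry: expires within $min_days days (renew now)"; fails=$((fails + 1))
  fi
  return "$fails"
}
# Run directly as: sh audit.sh /path/to/myhost.crt /path/to/myhost.key 2048 30
if [ $# -ge 2 ]; then audit_selfsigned "$@"; fi
```

A non-zero exit status makes the function usable from a cron job or a pre-restart hook, so a 1024-bit or nearly expired development certificate gets noticed before the service does.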