Create Self Signed Certificate on CentOS/RHEL 8

This will be a short tutorial just to show you how to create self-signed certificates on CentOS 8. It will not cover any additional details like installing mod_ssl (if you are using Apache or some other web server), openssl, or anything else.

There are a few options when it comes to certificates – you can buy them, generate them via free services like Let’s Encrypt or self-sign them if you are testing something.

For most of my labs I’m using self signed certificates, so here is how to generate one on CentOS 8.

A certificate consists of two components – a private key (.key) and a public certificate (.crt) that contains the public key.

Here is the command

openssl req -newkey rsa:4096 -nodes -keyout /etc/pki/tls/private/bitwardentest.key -x509 -days 3650 -out /etc/pki/tls/certs/bitwaredentest.crt

Let me explain it a bit.

req – the subcommand used to create a CSR (certificate signing request).

-newkey rsa:4096 – creates a new certificate request together with a new 4096-bit RSA private key.

-nodes – if a private key is created, it will not be encrypted.

-keyout /etc/pki/tls/private/bitwardentest.key – location where private key will be saved.

-x509 – output will be self signed cert, not a cert request.

-days 3650 – the validity of my cert will be 10 years. 365 would be a better option to enter; with 365 the cert will be valid for one year, which is much better security practice.

-out /etc/pki/tls/certs/bitwaredentest.crt – specifies path for public part of self signed cert.

—————

There is also an optional part for this command, which I will add to the end of the command above.

-subj "/C=CN/ST=STATE/L=CITY/O=ORG NAME/OU=Department/CN=DOMAIN_NAME/emailAddress=name@domain"

Again, a short explanation, although the option is mostly self-explanatory.

C = country

ST = state

L = city

O = organization name

OU = department

CN = domain name (enter the name of the domain for which you need the certificate)

emailAddress = valid email address

Here is what my command looks like in the end and how it executes

That would be it, you now have your self-signed certificate.
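As an added example (not part of the original post), the script below wraps the same openssl req flags in a function with a one-year default lifetime, then checks the result: the key matches the certificate, the lifetime is what was asked for, and the unencrypted key is readable only by its owner. The function names, the subject values and the lab.example.test domain are assumptions made for illustration, and the output directory is passed as an argument instead of /etc/pki/tls.

```shell
#!/bin/sh
# Added example. Function names, subject values and paths are constructed;
# adjust them to your own lab.

# make_selfsigned DIR NAME CN [DAYS] [BITS]: the openssl req flags explained
# above, with the optional -subj string filled in.
make_selfsigned() (
    dir=$1 name=$2 cn=$3 days=${4:-365} bits=${5:-4096}
    umask 077   # -nodes leaves the key unencrypted, so create it owner-only
    openssl req -newkey "rsa:$bits" -nodes -keyout "$dir/$name.key" \
        -x509 -days "$days" -out "$dir/$name.crt" \
        -subj "/C=US/ST=State/L=City/O=Lab Org/OU=IT/CN=$cn" 2>/dev/null &&
    chmod 644 "$dir/$name.crt"   # the certificate itself is public
)

# key_matches_cert KEY CRT: true when the public key derived from the private
# key is the one embedded in the certificate.
key_matches_cert() {
    [ "$(openssl pkey -in "$1" -pubout)" = \
      "$(openssl x509 -in "$2" -noout -pubkey)" ]
}

# lifetime_is CRT DAYS: true when the certificate is still valid DAYS-1 days
# from now but has expired DAYS+1 days from now.
lifetime_is() {
    openssl x509 -in "$1" -noout -checkend $(( ($2 - 1) * 86400 )) >/dev/null &&
    ! openssl x509 -in "$1" -noout -checkend $(( ($2 + 1) * 86400 )) >/dev/null
}

# key_is_private KEY: true when the key file mode is exactly 0600.
key_is_private() { [ -n "$(find "$1" -perm 600)" ]; }

# cert_cn CRT: print the CN from the certificate subject.
cert_cn() {
    openssl x509 -in "$1" -noout -subject -nameopt RFC2253 |
        sed -n 's/^subject= *CN=\([^,]*\).*/\1/p'
}

# Run as: sh selfsigned.sh /tmp/certs labtest lab.example.test [days] [bits]
if [ "$#" -ge 3 ]; then
    make_selfsigned "$@" && key_matches_cert "$1/$2.key" "$1/$2.crt" &&
        lifetime_is "$1/$2.crt" "${4:-365}" && key_is_private "$1/$2.key" &&
        echo "OK: $(cert_cn "$1/$2.crt")"
fi
```

The output directory must already exist; if any check fails the script prints nothing and exits non-zero.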
