This repository has been archived by the owner on Apr 17, 2023. It is now read-only.

Generate certificate for NginX on RHEL 6.6

Attila Levente EGYEDI edited this page Apr 18, 2016 · 27 revisions

### Verify openssl

You will need openssl installed on the system to complete the tasks below. If it is not present, install it using yum as follows:

```sh
yum install openssl
```

### Generate private key for CA

```sh
gocedar
cd CEDAR_CA
openssl genrsa -des3 -out ca.key 4096
```

The tool will prompt for a password. Generate a secure password and save the password in the CEDAR password stash for the host under the name CA.

The file ca.key will be generated.

### Copy openssl configuration file

We will use the system openssl configuration file as a blueprint for our own configuration file. We first copy it to the CEDAR certificate directory:

```sh
cp /etc/pki/tls/openssl.cnf $CEDAR_HOME/CEDAR_CA/
```

### Modify the openssl.cnf

We will set up some values in the file:

```sh
vi openssl.cnf
```

Merge the following settings into the corresponding sections of the existing file (keys that are already present are overridden, the rest of the file stays as it is):

```ini
HOME                    = .
RANDFILE                = $ENV::HOME/.rnd
CEDAR_HOME              = $ENV::CEDAR_HOME

[ CA_default ]
dir             = $CEDAR_HOME/CEDAR_CA
default_days    = 3650
default_md      = sha256

[ req_distinguished_name ]
countryName_default             = US
stateOrProvinceName_default     = California
localityName                    = Locality Name
localityName_default            = Stanford
0.organizationName_default      = BMIR
organizationalUnitName_default  = CEDAR
```

### Create self-signed root certificate

```sh
openssl req -new -x509 -days 3650 -key ca.key -out ca.crt -config ./openssl.cnf
```

Accept the preset values by pressing Enter. Fill out the following values:

```
Common Name (e.g. server FQDN or YOUR name) []:<HOSTNAME>
Email Address []:<EMAIL>
```

Replace `<HOSTNAME>` with the host name, for instance metadatacenter.net

Replace `<EMAIL>` with your email address, for instance metadatacenter@gmail.com

A file called ca.crt will then be generated.

You can verify it as follows:

```sh
openssl x509 -in ca.crt -text
```

### Generate key for the webserver

```sh
openssl genrsa -out cedar.<HOSTNAME>.key 1024
```

A file named `cedar.<HOSTNAME>.key` will be generated.

### Generate the Certificate Signing Request

```sh
openssl req -new -key cedar.<HOSTNAME>.key -out cedar.<HOSTNAME>.csr -config ./openssl.cnf
```

Accept the preset values by pressing Enter. Fill out the following values:

```
Common Name (e.g. server FQDN or YOUR name) []:*.<HOSTNAME>
Email Address []:metadatacenter@gmail.com
Challenge password []: -- leave empty
An optional company name []: -- leave empty
```

Replace `<HOSTNAME>` with the host name.

A file named `cedar.<HOSTNAME>.csr` will be generated.

### Set up prerequisites for signing

```sh
echo 01 >serial
touch index.txt
touch index.txt.attr
```

### Sign the request

```sh
openssl ca -cert ca.crt -keyfile ca.key -in cedar.<HOSTNAME>.csr -out cedar.<HOSTNAME>.crt -outdir ./ -config ./openssl.cnf -verbose
```

Provide the CA password when prompted, then answer `y` to both the sign and the commit prompts.

A file named `cedar.<HOSTNAME>.crt` will be generated.

The following files will also be modified: index.txt, index.txt.attr and serial.

### Make the certificate and key available to Nginx

```sh
sudo mkdir $NGINX_HOME/ssl
sudo chown cedar $NGINX_HOME/ssl
cp cedar.<HOSTNAME>.crt $NGINX_HOME/ssl
cp cedar.<HOSTNAME>.key $NGINX_HOME/ssl
```
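The copy step above leaves the private key with whatever mode `cp` and the umask produce, which on a default system is world-readable. The script below is an added example, not part of the CEDAR wiki: it performs the same copy into the ssl directory but creates the key under a restrictive umask, fixes the modes (directory 0750, certificate 0644, key 0600), optionally chowns to the given owner, and then confirms that no group or other permission bit is set on the key. The destination and owner are parameters; `$NGINX_HOME/ssl` and `cedar` from the wiki would be passed in by the caller.

```shell
#!/bin/sh
# Added example (not from the CEDAR wiki): install a certificate/key pair for Nginx
# with restrictive permissions and verify the key is private to its owner.
# Works with POSIX sh and ls; no GNU-specific stat flags are used.

# mode_bits FILE -> prints the 9-character permission string, e.g. rw-------
mode_bits() {
    ls -ld "$1" | cut -c2-10
}

# key_is_private FILE -> 0 if no group/other permission bit is set on FILE
key_is_private() {
    case "$(mode_bits "$1" | cut -c4-9)" in
        ------) return 0 ;;
        *)      return 1 ;;
    esac
}

# install_tls_material CRT KEY DESTDIR [OWNER]
# Copies CRT (0644) and KEY (0600) into DESTDIR (0750); chowns to OWNER if given.
# Returns non-zero if any step fails or the installed key is still group/other readable.
install_tls_material() {
    crt=$1; key=$2; dest=$3; owner=${4:-}
    crt_dst="$dest/$(basename "$crt")"
    key_dst="$dest/$(basename "$key")"
    mkdir -p "$dest" && chmod 750 "$dest" || return 1
    cp "$crt" "$crt_dst" && chmod 644 "$crt_dst" || return 1
    # Create the key copy under umask 077 so it is never world-readable, not even
    # for the instant between cp and chmod
    (umask 077 && cp "$key" "$key_dst") || return 1
    chmod 600 "$key_dst" || return 1
    if [ -n "$owner" ]; then
        chown "$owner" "$dest" "$crt_dst" "$key_dst" || return 1
    fi
    key_is_private "$key_dst"
}

# Example invocation with the wiki's locations (placeholders for HOSTNAME and NGINX_HOME):
#   install_tls_material cedar.<HOSTNAME>.crt cedar.<HOSTNAME>.key "$NGINX_HOME/ssl" cedar
```

Run `key_is_private "$NGINX_HOME/ssl/cedar.<HOSTNAME>.key"` after the install, or on any existing deployment, to catch a key that was copied with default permissions; Nginx's master process reads the key as root at startup, so 0600 owned by the deploying user (or root) is sufficient.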