Use apt-get or yum to install OpenSSL.
~]# yum install openssl
A public certificate and it's corresponding private key can be used to encrypt packets being transmitted between hosts. One of the most popular uses of a public certificate and it's corresponding private key is to encrypt the resources being transmitted to clients from a web server, so that HTTPS can be used. The first step is to create the private key. In this example, the private key is placed on the web server. As the name implies, a private key is private, and should never be made public.
Move to the /etc/pki/tls/private directory and create the private key. In this example, the private key will be named example.com.key and have a 2048-bit RSA algorithm.
~]# cd /etc/pki/tls/private ~]# openssl genrsa -out example.com.key 2048
Ensure only you can read the private key file.
~]# chmod 400 example.com.key
A private key doesn't contain user specific data, such as an "alias" or "expiration date", so you wouldn't ever decode out data from a private key.
Certificate Signing Request (CSR)
The certificate signing request (CSR) file is used to add personal information to the public certificate, such as your company name and location. The CSR also contains a reference to the private key.
Move the the /etc/pki/tls/csr directory, and then create the CSR file. By default, SHA-1 will be used. You can add -sha2, -sha256, or -sha512 after req. There will be a series of prompts, asking for personal information, such as your organization name and location.
Important - If your private key is www.example.com.key, you would enter www.example.com as the common name, and not just example.com.
~]# cd /etc/pki/tls/csr ~]# openssl req -new -key /etc/pki/tls/private/example.com.key -out example.com.csr
The CSR can be viewed.
~]# openssl req -text -noout -verify -in example.com.csr Subject: C=US, ST=WI, L=Appleton, O=Example, OU=Example, CN=John Doe Public Key Algorithm: rsaEncryption Public-Key: (2048 bits) Signature Algorithm: sha256WithRSAEncryption
Public certificate (aka X.509)
The public certificate is what is provided to the clients. There is a mathmatical relationship between the public certificate and private key. Both are needed in order for encryption to work.
Change to the certs directory and create the public certificate. The public certificate is signed using the CSR file. This is what it means to sign the certificate.
~]# cd /etc/pki/tls/certs ~]# openssl x509 -req -days 365 -signkey /etc/pki/tls/private/domain.key -in /etc/pki/tls/csr/example.com.csr -out /etc/pki/tls/certs/example.com.crt -sha256
The certificate can also be viewed. This will work with both .crt and .pem files.
~]# openssl x509 -in example.com.crt -text -noout Signature Algorithm: sha256WithRSAEncryption Issuer: C=US, ST=WI, L=Appleton, O=Example, OU=Example, CN=www.example.com/emailAddressemail@example.com Not Before: Jul 15 03:06:31 2017 GMT Not After: July 15 03:06:31 2018 GMT Public Key Algorithm: rsaEncryption Public-Key: (2048 bit)
If your organization uses the PEM format instead of the CRT format, you can create the .pem certificate from the .crt certificate file.
~]# openssl x509 -in example.com.crt -out example.com.pem -outform PEM
Using the public / private key pair
You can now use the public certificate and it's corresponding private key. In this example, the private key and public certificate are placed on the web server. The CSR file is not used by the web server.
Internet facing production applications should use a certificate from a trusted CA, such as verisign.com. For non-production applications, a self-signed certificate can be used. Applications, such as a web browser, will complain when a self-signed certificate is used.
When the client navigates to an HTTPS page, the client will request the public certificate from the web server, and then the public certificate will reside on the clients browser for a period of time. The public certificate on the client and the private key on the server are what is used to encrypt the packets that are exchanged between the client and server over the internet.
The certificate can be viewed by the client.