C.2. Creating an SSL Certificate

Summary
The following procedure creates an SSL certificate and signs it with the CA key. SSL/TLS certificates provide a layer of security for accessing your installation over HTTPS. This procedure provides instructions for creating certificates and configuring your host with them.
The following procedure requires the openssl. To install this tool, run the following command on your host:
# yum install openssl

Procedure C.2. Creating an SSL Certificate

  1. Create a key for your host:
    # openssl genrsa -out ssl.key
    
    This creates an ssl.key key file.
  2. Use the key to create a signing request for your certificate:
    # openssl req -new -key ssl.key -out ssl.csr
    
    The signing request asks for some organization details to form the Distinguished Name (DN) in your certificate.
    Country Name (2 letter code) [XX]:AU
    State or Province Name (full name) []:Queensland
    Locality Name (eg, city) [Default City]:Brisbane
    Organization Name (eg, company) [Default Company Ltd]:Red Hat
    Organizational Unit Name (eg, section) []:Engineering Content Services
    Common Name (eg, your name or your server's hostname) []:www.example.com
    Email Address []:dmacpher@redhat.com
    
    This creates an ssl.csr signing request file.
  3. Create the signed SSL certificate:
    # openssl ca -cert ca.crt -keyfile ca.key -out ssl.crt -infiles ssl.csr
    
    openssl asks for your CA key's password.
    This creates a certificate file named ssl.crt.

    Important

    The above command may result in the following error:
    Using configuration from /etc/pki/tls/openssl.cnf
    Enter pass phrase for ca.key:
    /etc/pki/CA/index.txt: No such file or directory
    unable to open '/etc/pki/CA/index.txt'
    139883256969032:error:02001002:system library:fopen:No such file or directory:bss_file.c:355:fopen('/etc/pki/CA/index.txt','r')
    139883256969032:error:20074002:BIO routines:FILE_CTRL:system lib:bss_file.c:357:
    

    Procedure C.3. Resolving this error

    1. Create the index.txt file.
      # touch /etc/pki/CA/index.txt
      
    2. Create a serial file to label the CA and all subsequent certificates.
      # echo '1000' > /etc/pki/CA/serial
      
    You will only need to do this the first time you set up the SSL certificate. Re-run the command:
    # openssl ca -cert ca.crt -keyfile ca.key -out ssl.crt -infiles ssl.csr
    
The ssl.crt and ssl.key form the certificate pair that your host uses to encrypt data via HTTPS.
Conclusion
You have created an SSL certificate and signed it with the CA key. openssl creates two files: ca.key, which is a key administrators use to sign certificates, and ca.crt, which is the public CA certificate that users obtain to verify the validity of signed certificates they receive. Make sure users accessing your host have a copy of the ca.crt so they can import it into their client's trusted CA store.