Appendix C. Certificates

C.1. Creating SSL/TLS Certificates

Summary
SSL/TLS certificates provide a layer of security for accessing your installation over HTTPS. This procedure provides instructions for creating certificates and configuring your host with them.
The following procedure requires the openssl. To install this tool, run the following command on your host: 
# yum install openssl

Procedure C.1. Creating a Certificate Authority

A Certificate Authority (CA) signs certificates to provide verification of validity. Web browsers contain a number of CA certificates used to verify HTTPS communication of secure websites. Some of these CAs require a fee to provide a CA pair for your host, while some are open and provide free CA pairs. This procedure describes how to generate your own Certificate Authority (CA) certificate and key for your own internal network usage.
  1. Run the following command: 
    # openssl req -new -x509 -keyout ca.key -out ca.crt -days 3650
    This command requests a new CA pair valid for 3650 days.
  2. Enter a password to protect your CA: 
    Generating a 2048 bit RSA private key
......................................................................................................................................+++
..................................................................................................+++
writing new private key to 'ca.key'
Enter PEM pass phrase: 
Verifying - Enter PEM pass phrase:
  3. Enter the following details about your organization: 
    Country Name (2 letter code) [XX]:AU
State or Province Name (full name) []:Queensland
Locality Name (eg, city) [Default City]:Brisbane
Organization Name (eg, company) [Default Company Ltd]:Red Hat
Organizational Unit Name (eg, section) []:Engineering Content Services
Common Name (eg, your name or your server's hostname) []:www.example.com
Email Address []:dmacpher@redhat.com
    This information forms the Distinguished Name (DN) in your certificate.
Conclusion
You have created a Certificate Authority. openssl creates two files: ca.key, which is a key administrators use to sign certificates, and ca.crt, which is the public CA certificate that users obtain to verify the validity of signed certificates they receive. Make sure users accessing your host have a copy of the ca.crt so they can import it into their client's trusted CA store.
Report a bug